-rw-r--r-- CONTRIBUTING.md 6
-rw-r--r-- SECURITY.md 4
-rw-r--r-- configure.ac 1
-rwxr-xr-x devel/import-ecc-from-nettle.sh 8
-rw-r--r-- doc/cha-cert-auth.texi 2
-rw-r--r-- doc/cha-config.texi 2
-rw-r--r-- doc/cha-gtls-app.texi 2
-rw-r--r-- doc/cha-tokens.texi 2
-rw-r--r-- doc/examples/tlsproxy/README.md 4
-rw-r--r-- lib/algorithms/ecc.c 2
-rw-r--r-- lib/auth/ecdhe.c 2
-rw-r--r-- lib/cert-session.c 1
-rw-r--r-- lib/dtls.c 2
-rw-r--r-- lib/ext/session_ticket.c 4
-rw-r--r-- lib/ext/supported_versions.c 2
-rw-r--r-- lib/fips.c 11
-rw-r--r-- lib/gnutls_int.h 2
-rw-r--r-- lib/handshake.c 2
-rw-r--r-- lib/includes/gnutls/abstract.h 7
-rw-r--r-- lib/includes/gnutls/compat.h 6
-rw-r--r-- lib/includes/gnutls/crypto.h 3
-rw-r--r-- lib/includes/gnutls/dtls.h 3
-rw-r--r-- lib/includes/gnutls/gnutls.h.in 7
-rw-r--r-- lib/includes/gnutls/gnutlsxx.h 6
-rw-r--r-- lib/includes/gnutls/ocsp.h 3
-rw-r--r-- lib/includes/gnutls/openpgp.h 3
-rw-r--r-- lib/includes/gnutls/pkcs11.h 7
-rw-r--r-- lib/includes/gnutls/pkcs12.h 3
-rw-r--r-- lib/includes/gnutls/pkcs7.h 3
-rw-r--r-- lib/includes/gnutls/self-test.h 6
-rw-r--r-- lib/includes/gnutls/socket.h 3
-rw-r--r-- lib/includes/gnutls/system-keys.h 7
-rw-r--r-- lib/includes/gnutls/tpm.h 7
-rw-r--r-- lib/includes/gnutls/urls.h 7
-rw-r--r-- lib/includes/gnutls/x509-ext.h 3
-rw-r--r-- lib/includes/gnutls/x509.h 3
-rw-r--r-- lib/session.c 2
-rw-r--r-- lib/x509/key_encode.c 2
-rw-r--r-- lib/x509/name_constraints.c 2
-rw-r--r-- lib/x509/pkcs7-crypt.c 4
-rw-r--r-- src/certtool-args.def 2
-rw-r--r-- src/certtool.c 3
-rw-r--r-- src/cli-args.def 2
-rw-r--r-- src/common.c 14
-rw-r--r-- src/list.h 2
-rw-r--r-- src/tests.c 4
-rw-r--r-- tests/cert-tests/data/gost-cert-nogost.pem 16
-rwxr-xr-x tests/logfile-option.sh 4
48 files changed, 115 insertions, 88 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 96fb7ff0cc..47037a3dd6 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,7 +2,7 @@
Anyone is welcome to contribute to GnuTLS. You can either take up
tasks from our [planned list](https://gitlab.com/gnutls/gnutls/milestones),
-or suprise us with enhancement we didn't plan for. In all cases be prepared
+or surprise us with enhancement we didn't plan for. In all cases be prepared
to defend and justify your enhancements, and get through few rounds
of changes.
@@ -92,7 +92,7 @@ E.g. ```gnutls_x509_crt_get_dn```, refers to the X.509
certificate parsing part of gnutls. Some of the used prefixes are the
following.
* ```gnutls_x509_crt_``` for the X.509 certificate part
- * ```gnutls_session_``` for the TLS session part (but this may be omited)
+ * ```gnutls_session_``` for the TLS session part (but this may be omitted)
* ```gnutls_handshake_``` for the TLS handshake part
* ```gnutls_record_``` for the TLS record protocol part
* ```gnutls_alert_``` for the TLS alert protocol part
@@ -176,7 +176,7 @@ in a way that may break existing applications which use the API in a
reasonable way. If the existing function allows flags, then a new flag
should be introduced to enable the new behavior.
-When it is necessary, or desireable to enable the new features by default
+When it is necessary, or desirable to enable the new features by default
(e.g., TLS1.3 introduction), the "next" releases should be used (and
introduced if necessary), to allow the modification to be tested for an
extended amount of time (see the [Release policy](RELEASES.md)).
diff --git a/SECURITY.md b/SECURITY.md
index b8d055c282..26d3e8457b 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -15,7 +15,7 @@ issues are handled with the normal release process.
# Committing a fix
-The fix when is made available, preferrably within 1 month of the report,
+The fix when is made available, preferably within 1 month of the report,
is pushed to the repository using a detailed message on all supported
branches which are affected. The commit message must refer to the bug
report addressed (e.g., our issue tracker or some external issue tracker).
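Review bot: the corrected line still reads "The fix when is made available", which does not parse. Since the line is being touched anyway, reword it to something like "The fix, when it is made available, preferably within 1 month of the report," so the policy statement is unambiguous.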
@@ -30,7 +30,7 @@ and other relevant parties to the problem.
# Releasing
Currently our releases are time-based, thus there are no special releases
-targetting security fixes. At release time the NEWS entries must reflect
+targeting security fixes. At release time the NEWS entries must reflect
the issues addressed (also referring to the relevant issue trackers), and
security-related entries get assigned a GNUTLS-SA (gnutls security advisory
number). The assignment is done at release time at the web repository, in
diff --git a/configure.ac b/configure.ac
index e50e242a73..5ab834ad62 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1176,7 +1176,6 @@ AC_SUBST(LIBGNUTLS_CFLAGS)
AM_CONDITIONAL(NEEDS_LIBRT, test "$gnutls_needs_librt" = "yes")
-AC_DEFINE([GNUTLS_COMPAT_H], 1, [Make sure we don't use old features in code.])
AC_DEFINE([GNUTLS_INTERNAL_BUILD], 1, [We allow temporarily usage of deprecated functions - until they are removed.])
AC_DEFINE([fread_file], [_gnutls_fread_file], [static lib rename])
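Review bot: removing the AC_DEFINE of GNUTLS_COMPAT_H is only safe together with the guard rename in lib/includes/gnutls/compat.h later in this patch (_GNUTLS_COMPAT_H becomes GNUTLS_COMPAT_H); with the define left in place, the renamed guard would make an internal build skip the whole body of compat.h. Nothing in this hunk says so. Please note the dependency in the commit message, and state whether the intent of the removed description ("Make sure we don't use old features in code") is still enforced some other way.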
diff --git a/devel/import-ecc-from-nettle.sh b/devel/import-ecc-from-nettle.sh
index da121786dd..2ce6285d39 100755
--- a/devel/import-ecc-from-nettle.sh
+++ b/devel/import-ecc-from-nettle.sh
@@ -202,7 +202,13 @@ for f in $IMPORTS; do
;;
*/ecc-random.c )
sed \
- -e 's/"nettle-internal\.h"/"nettle-alloca.h"/' \
+ -e '/^#include "nettle-internal\.h"/ { i\
+#include "nettle-alloca.h"\
+\
+void gnutls_ecc_scalar_random(struct ecc_scalar *, void *, nettle_random_func *);
+; d
+}' \
+ -e 's/ecc_scalar_random/gnutls_ecc_scalar_random/' \
-e 's/^ & (mpn_sub_n/ \& (int)(mpn_sub_n/' \
$dst > $dst-t && mv $dst-t $dst
;;
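Review bot: the added expression 's/ecc_scalar_random/gnutls_ecc_scalar_random/' is unanchored and has no g flag, so it rewrites only the first occurrence on each line and also matches inside any longer identifier that contains the substring, including an already prefixed gnutls_ecc_scalar_random. Match on a word boundary and add g so the rename is exact and idempotent. A one-line comment above the inserted prototype explaining why the script injects it would also help the next person who re-runs the import.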
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index cea30cf465..3f2856f804 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -484,7 +484,7 @@ this functionality completely in 3.6.0.
@cindex Raw public-keys
There are situations in which a rather large certificate / certificate chain is undesirable or impractical.
-An example could be a resource contrained sensor network in which you do want to use authentication of and
+An example could be a resource constrained sensor network in which you do want to use authentication of and
encryption between your devices but where your devices lack loads of memory or processing power. Furthermore,
there are situations in which you don't want to or can't rely on a PKIX. TLS is, next to a PKIX environment,
also commonly used with self-signed certificates in smaller deployments where the self-signed certificates
diff --git a/doc/cha-config.texi b/doc/cha-config.texi
index f094407900..c0f7048fc2 100644
--- a/doc/cha-config.texi
+++ b/doc/cha-config.texi
@@ -14,7 +14,7 @@ the environment variable @code{GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID} is
set to 1, where it would cause the library to exit on unknown options.
The location of the default configuration file is @code{/etc/gnutls/config},
-but its actual location may be overriden during compile time or at run-time
+but its actual location may be overridden during compile time or at run-time
using the @code{GNUTLS_SYSTEM_PRIORITY_FILE} environment variable. The file
used can be queried using @funcref{gnutls_get_system_config_file}.
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index ab82f14aad..eb5764b554 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1269,7 +1269,7 @@ with access to priority strings for overriding the default behavior,
on configuration files, or other UI. Following such a principle,
makes the GnuTLS library as the default settings provider. That is
necessary and a good practice, because TLS protocol hardening and
-phasing out of legacy algorithms, is easier to co-ordinate when happens
+phasing out of legacy algorithms, is easier to coordinate when happens
in a single library.
@showfuncC{gnutls_set_default_priority,gnutls_set_default_priority_append,gnutls_priority_set_direct}
diff --git a/doc/cha-tokens.texi b/doc/cha-tokens.texi
index ab7a5fbf32..1ae054045f 100644
--- a/doc/cha-tokens.texi
+++ b/doc/cha-tokens.texi
@@ -620,7 +620,7 @@ can access TPM URLs.
The registered keys (that are stored in the TPM) can be listed using one of
the following functions. Those keys are unfortunately only identified by
their UUID and have no label or other human friendly identifier.
-Keys can be deleted from permament storage using @funcref{gnutls_tpm_privkey_delete}.
+Keys can be deleted from permanent storage using @funcref{gnutls_tpm_privkey_delete}.
@showfuncC{gnutls_tpm_get_registered,gnutls_tpm_key_list_deinit,gnutls_tpm_key_list_get_url}
diff --git a/doc/examples/tlsproxy/README.md b/doc/examples/tlsproxy/README.md
index a34a18c55c..3c7a17fe63 100644
--- a/doc/examples/tlsproxy/README.md
+++ b/doc/examples/tlsproxy/README.md
@@ -31,7 +31,7 @@ Usage:
A TLS client or server proxy
Options:
- -c, --connect ADDRRESS Connect to ADDRESS
+ -c, --connect ADDRESS Connect to ADDRESS
-l, --listen ADDRESS Listen on ADDRESS
-K, --key FILE Use FILE as private key
-C, --cert FILE Use FILE as public key
@@ -50,4 +50,4 @@ Options:
License
=======
-MIT \ No newline at end of file
+MIT
diff --git a/lib/algorithms/ecc.c b/lib/algorithms/ecc.c
index 14351b87ad..917f83a624 100644
--- a/lib/algorithms/ecc.c
+++ b/lib/algorithms/ecc.c
@@ -123,7 +123,7 @@ gnutls_ecc_curve_entry_st ecc_curves[] = {
* exchange (CryptoPro-XchA = CryptoPro-A and CryptoPro-XchB =
* CryptoPro-C).
*
- * Then TC26 (Standard comitee working on cryptographic standards) has
+ * Then TC26 (Standard comittee working on cryptographic standards) has
* defined one 256-bit curve (TC26-256-A) and three 512-bit curves
* (TC26-512-A, -B, -C).
*
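Review bot: the replacement "comittee" in the TC26 comment is still misspelled; the word is "committee". Worth fixing in this pass so the typo does not need a second commit.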
diff --git a/lib/auth/ecdhe.c b/lib/auth/ecdhe.c
index 883f6cd046..9f53b1b053 100644
--- a/lib/auth/ecdhe.c
+++ b/lib/auth/ecdhe.c
@@ -23,7 +23,7 @@
/* This file contains common stuff in Ephemeral Diffie-Hellman (DHE)
* and Anonymous DH key exchange(DHA). These are used in the handshake
- * procedure of the certificate and anoymous authentication.
+ * procedure of the certificate and anonymous authentication.
*/
#include "gnutls_int.h"
diff --git a/lib/cert-session.c b/lib/cert-session.c
index db04a25e5d..97f31597d5 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -415,6 +415,7 @@ _gnutls_ocsp_verify_mandatory_stapling(gnutls_session_t session,
if (feature == 5 /* TLS ID for status request */) {
/* We sent a status request, the certificate mandates a reply, but we did not get any. */
+ *ocsp_status |= GNUTLS_CERT_INVALID;
*ocsp_status |= GNUTLS_CERT_MISSING_OCSP_STATUS;
break;
}
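Review bot: the added "*ocsp_status |= GNUTLS_CERT_INVALID;" is a functional change to the verification result, not a spelling fix, and it is easy to miss among the typo hunks. After this, a certificate that mandates stapling and arrives without an OCSP response is reported as invalid in addition to GNUTLS_CERT_MISSING_OCSP_STATUS. That looks like the right outcome, but it should be in its own commit with a NEWS entry and a test that asserts both bits. The two statements can also be folded into a single |= with both flags.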
diff --git a/lib/dtls.c b/lib/dtls.c
index f0ded635c0..002c7145ef 100644
--- a/lib/dtls.c
+++ b/lib/dtls.c
@@ -553,7 +553,7 @@ unsigned _gnutls_record_overhead(const version_entry_st *ver,
* This function will return the set size in bytes of the overhead
* due to TLS (or DTLS) per record.
*
- * Note that this function may provide inacurate values when TLS
+ * Note that this function may provide inaccurate values when TLS
* extensions that modify the record format are negotiated. In these
* cases a more accurate value can be obtained using gnutls_record_overhead_size()
* after a completed handshake.
diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
index 8d4595821a..8f22462fae 100644
--- a/lib/ext/session_ticket.c
+++ b/lib/ext/session_ticket.c
@@ -441,11 +441,11 @@ session_ticket_send_params(gnutls_session_t session,
if (ret >= 0)
priv = epriv;
- /* no previous data. Just advertize it */
+ /* no previous data. Just advertise it */
if (ret < 0)
return GNUTLS_E_INT_RET_0;
- /* previous data had session tickets disabled. Don't advertize. Ignore. */
+ /* previous data had session tickets disabled. Don't advertise. Ignore. */
if (session->internals.flags & GNUTLS_NO_TICKETS)
return 0;
diff --git a/lib/ext/supported_versions.c b/lib/ext/supported_versions.c
index 69193b60a3..157a0a77ee 100644
--- a/lib/ext/supported_versions.c
+++ b/lib/ext/supported_versions.c
@@ -71,7 +71,7 @@ supported_versions_recv_params(gnutls_session_t session,
/* do not parse this extension when we haven't TLS1.3
* enabled. That is because we cannot handle earlier protocol
- * negotiotation (such as SSL3.0) with this */
+ * negotiation (such as SSL3.0) with this */
if (vers && !vers->tls13_sem)
return 0;
diff --git a/lib/fips.c b/lib/fips.c
index acdd2ec23e..f8b10f7502 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -491,8 +491,17 @@ unsigned gnutls_fips140_mode_enabled(void)
#ifdef ENABLE_FIPS140
unsigned ret = _gnutls_fips_mode_enabled();
- if (ret > GNUTLS_FIPS140_DISABLED)
+ if (ret > GNUTLS_FIPS140_DISABLED) {
+ /* If the previous run of selftests has failed, return as if
+ * the FIPS mode is disabled. We could use HAVE_LIB_ERROR, if
+ * we can assume that all the selftests run atomically from
+ * the ELF constructor.
+ */
+ if (_gnutls_get_lib_state() == LIB_STATE_ERROR)
+ return 0;
+
return ret;
+ }
#endif
return 0;
}
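Review bot: returning 0 when _gnutls_get_lib_state() == LIB_STATE_ERROR makes a self-test failure indistinguishable from FIPS mode being disabled for every caller of gnutls_fips140_mode_enabled(). The explanation lives only in the inline comment; the function's doc comment should state this return value, and say how a caller that gates policy on the result can tell "disabled" from "failed". The inline comment also leaves the HAVE_LIB_ERROR alternative open; either resolve it or mark it as a follow-up.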
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 4db7a2534d..bb6c197138 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -533,7 +533,7 @@ struct gnutls_key_st {
uint8_t ap_rms[MAX_HASH_SIZE]; /* resumption_master_secret */
} tls13; /* tls1.3 */
- /* Folow the SSL3.0 and TLS1.2 key exchanges */
+ /* Follow the SSL3.0 and TLS1.2 key exchanges */
struct {
/* For ECDH KX */
struct {
diff --git a/lib/handshake.c b/lib/handshake.c
index 8d58fa48e7..cb215b223c 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -2164,7 +2164,7 @@ static int send_client_hello(gnutls_session_t session, int again)
}
if (session->internals.priorities->min_record_version != 0) {
- /* Advertize the lowest supported (SSL 3.0) record packet
+ /* Advertise the lowest supported (SSL 3.0) record packet
* version in record packets during the handshake.
* That is to avoid confusing implementations
* that do not support TLS 1.2 and don't know
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index 386ae3e49f..23444d9b59 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -21,8 +21,8 @@
*
*/
-#ifndef __GNUTLS_ABSTRACT_H
-#define __GNUTLS_ABSTRACT_H
+#ifndef GNUTLS_ABSTRACT_H
+#define GNUTLS_ABSTRACT_H
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
@@ -774,4 +774,5 @@ gnutls_pubkey_print(gnutls_pubkey_t pubkey,
}
#endif
/* *INDENT-ON* */
-#endif
+
+#endif /* GNUTLS_ABSTRACT_H */
diff --git a/lib/includes/gnutls/compat.h b/lib/includes/gnutls/compat.h
index b2ebcb4075..2779ca9f3a 100644
--- a/lib/includes/gnutls/compat.h
+++ b/lib/includes/gnutls/compat.h
@@ -22,8 +22,8 @@
/* Typedefs for more compatibility with older GnuTLS. */
-#ifndef _GNUTLS_COMPAT_H
-#define _GNUTLS_COMPAT_H
+#ifndef GNUTLS_COMPAT_H
+#define GNUTLS_COMPAT_H
/* *INDENT-OFF* */
#ifdef __cplusplus
@@ -243,4 +243,4 @@ int gnutls_priority_compression_list(gnutls_priority_t pcache,
#endif
/* *INDENT-ON* */
-#endif /* _GNUTLS_COMPAT_H */
+#endif /* GNUTLS_COMPAT_H */
diff --git a/lib/includes/gnutls/crypto.h b/lib/includes/gnutls/crypto.h
index c878d7dfac..fe046a4239 100644
--- a/lib/includes/gnutls/crypto.h
+++ b/lib/includes/gnutls/crypto.h
@@ -297,4 +297,5 @@ int gnutls_decode_gost_rs_value(const gnutls_datum_t * sig_value, gnutls_datum_t
}
#endif
/* *INDENT-ON* */
-#endif
+
+#endif /* GNUTLS_CRYPTO_H */
diff --git a/lib/includes/gnutls/dtls.h b/lib/includes/gnutls/dtls.h
index 7e7133e6ae..972ec0a34c 100644
--- a/lib/includes/gnutls/dtls.h
+++ b/lib/includes/gnutls/dtls.h
@@ -89,4 +89,5 @@ unsigned int gnutls_record_get_discarded(gnutls_session_t session);
}
#endif
/* *INDENT-ON* */
-#endif /* GNUTLS_DTLS_H */
+
+#endif /* GNUTLS_DTLS_H */
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index d02854b40a..c45dd542c7 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -33,9 +33,8 @@
* The low level cipher functionality is in gnutls/crypto.h.
*/
-
-#ifndef GNUTLS_H
-#define GNUTLS_H
+#ifndef GNUTLS_GNUTLS_H
+#define GNUTLS_GNUTLS_H
/* Get ssize_t. */
#include <sys/types.h>
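Review bot: renaming the guard from GNUTLS_H to GNUTLS_GNUTLS_H changes a macro that every includer of the public header can see, so downstream code that tests GNUTLS_H to detect the header will silently stop matching. Unlike the __GNUTLS_* guards renamed elsewhere in this patch, which used reserved double-underscore names, GNUTLS_H was not a reserved identifier, so this one is a consistency change only. Please mention the rename in NEWS, or keep the old name.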
@@ -3495,4 +3494,4 @@ void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned flags);
#include <gnutls/compat.h>
-#endif /* GNUTLS_H */
+#endif /* GNUTLS_GNUTLS_H */
diff --git a/lib/includes/gnutls/gnutlsxx.h b/lib/includes/gnutls/gnutlsxx.h
index 6140550789..eeefb798a3 100644
--- a/lib/includes/gnutls/gnutlsxx.h
+++ b/lib/includes/gnutls/gnutlsxx.h
@@ -20,8 +20,8 @@
*
*/
-#ifndef GNUTLSXX_H
-#define GNUTLSXX_H
+#ifndef GNUTLS_GNUTLSXX_H
+#define GNUTLS_GNUTLSXX_H
#include <exception>
#include <vector>
@@ -428,4 +428,4 @@ namespace gnutls {
} /* namespace */
-#endif /* GNUTLSXX_H */
+#endif /* GNUTLS_GNUTLSXX_H */
diff --git a/lib/includes/gnutls/ocsp.h b/lib/includes/gnutls/ocsp.h
index ca085b5880..87806cfd70 100644
--- a/lib/includes/gnutls/ocsp.h
+++ b/lib/includes/gnutls/ocsp.h
@@ -285,4 +285,5 @@ gnutls_ocsp_resp_list_import2(gnutls_ocsp_resp_t **ocsps,
}
#endif
/* *INDENT-ON* */
-#endif /* GNUTLS_OCSP_H */
+
+#endif /* GNUTLS_OCSP_H */
diff --git a/lib/includes/gnutls/openpgp.h b/lib/includes/gnutls/openpgp.h
index 01d01fdada..632ffb1dc0 100644
--- a/lib/includes/gnutls/openpgp.h
+++ b/lib/includes/gnutls/openpgp.h
@@ -377,4 +377,5 @@ int gnutls_certificate_set_openpgp_keyring_file
}
#endif
/* *INDENT-ON* */
-#endif /* GNUTLS_OPENPGP_H */
+
+#endif /* GNUTLS_OPENPGP_H */
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 0c3d22be94..351ddd1cd8 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -21,8 +21,8 @@
*
*/
-#ifndef __GNUTLS_PKCS11_H
-#define __GNUTLS_PKCS11_H
+#ifndef GNUTLS_PKCS11_H
+#define GNUTLS_PKCS11_H
#include <stdarg.h>
#include <gnutls/gnutls.h>
@@ -510,4 +510,5 @@ gnutls_pkcs11_copy_attached_extension(const char *token_url,
}
#endif
/* *INDENT-ON* */
-#endif
+
+#endif /* GNUTLS_PKCS11_H */
diff --git a/lib/includes/gnutls/pkcs12.h b/lib/includes/gnutls/pkcs12.h
index 66308c9d88..e613fe12f5 100644
--- a/lib/includes/gnutls/pkcs12.h
+++ b/lib/includes/gnutls/pkcs12.h
@@ -145,4 +145,5 @@ int gnutls_pkcs12_bag_set_friendly_name(gnutls_pkcs12_bag_t bag,
}
#endif
/* *INDENT-ON* */
-#endif /* GNUTLS_PKCS12_H */
+
+#endif /* GNUTLS_PKCS12_H */
diff --git a/lib/includes/gnutls/pkcs7.h b/lib/includes/gnutls/pkcs7.h
index 58ea4aaf81..528427b484 100644
--- a/lib/includes/gnutls/pkcs7.h
+++ b/lib/includes/gnutls/pkcs7.h
@@ -153,4 +153,5 @@ int gnutls_pkcs7_print_signature_info(gnutls_pkcs7_signature_info_st * info,
}
#endif
/* *INDENT-ON* */
-#endif /* GNUTLS_PKCS7_H */
+
+#endif /* GNUTLS_PKCS7_H */
diff --git a/lib/includes/gnutls/self-test.h b/lib/includes/gnutls/self-test.h
index 8771749bf0..aacbe94ca6 100644
--- a/lib/includes/gnutls/self-test.h
+++ b/lib/includes/gnutls/self-test.h
@@ -20,8 +20,8 @@
*
*/
-#ifndef __GNUTLS_SELF_H
-#define __GNUTLS_SELF_H
+#ifndef GNUTLS_SELF_TEST_H
+#define GNUTLS_SELF_TEST_H
#include <gnutls/gnutls.h>
@@ -35,4 +35,4 @@ int gnutls_mac_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest);
int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk);
-#endif
+#endif /* GNUTLS_SELF_TEST_H */
diff --git a/lib/includes/gnutls/socket.h b/lib/includes/gnutls/socket.h
index 03c5cef7b7..64eb19f896 100644
--- a/lib/includes/gnutls/socket.h
+++ b/lib/includes/gnutls/socket.h
@@ -48,4 +48,5 @@ void gnutls_transport_set_fastopen(gnutls_session_t session,
}
#endif
/* *INDENT-ON* */
-#endif /* GNUTLS_SOCKET_H */
+
+#endif /* GNUTLS_SOCKET_H */
diff --git a/lib/includes/gnutls/system-keys.h b/lib/includes/gnutls/system-keys.h
index 68b8a20b4a..a0aa056dfa 100644
--- a/lib/includes/gnutls/system-keys.h
+++ b/lib/includes/gnutls/system-keys.h
@@ -20,8 +20,8 @@
*
*/
-#ifndef __GNUTLS_SYSTEM_KEYS_H
-#define __GNUTLS_SYSTEM_KEYS_H
+#ifndef GNUTLS_SYSTEM_KEYS_H
+#define GNUTLS_SYSTEM_KEYS_H
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
@@ -60,4 +60,5 @@ int gnutls_system_key_add_x509(gnutls_x509_crt_t crt, gnutls_x509_privkey_t priv
}
#endif
/* *INDENT-ON* */
-#endif
+
+#endif /* GNUTLS_SYSTEM_KEYS_H */
diff --git a/lib/includes/gnutls/tpm.h b/lib/includes/gnutls/tpm.h
index 82503c648e..b5da3e994f 100644
--- a/lib/includes/gnutls/tpm.h
+++ b/lib/includes/gnutls/tpm.h
@@ -20,8 +20,8 @@
*
*/
-#ifndef __GNUTLS_TPM_H
-#define __GNUTLS_TPM_H
+#ifndef GNUTLS_TPM_H
+#define GNUTLS_TPM_H
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
@@ -76,4 +76,5 @@ int gnutls_tpm_privkey_delete(const char *url, const char *srk_password);
}
#endif
/* *INDENT-ON* */
-#endif
+
+#endif /* GNUTLS_TPM_H */
diff --git a/lib/includes/gnutls/urls.h b/lib/includes/gnutls/urls.h
index 6f67c251b4..f4fd5a7915 100644
--- a/lib/includes/gnutls/urls.h
+++ b/lib/includes/gnutls/urls.h
@@ -20,8 +20,8 @@
*
*/
-#ifndef __GNUTLS_URLS_H
-#define __GNUTLS_URLS_H
+#ifndef GNUTLS_URLS_H
+#define GNUTLS_URLS_H
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
@@ -74,4 +74,5 @@ int gnutls_register_custom_url(const gnutls_custom_url_st *st);
}
#endif
/* *INDENT-ON* */
-#endif
+
+#endif /* GNUTLS_URLS_H */
diff --git a/lib/includes/gnutls/x509-ext.h b/lib/includes/gnutls/x509-ext.h
index 170d02a48b..b288c31a19 100644
--- a/lib/includes/gnutls/x509-ext.h
+++ b/lib/includes/gnutls/x509-ext.h
@@ -204,4 +204,5 @@ int gnutls_x509_tlsfeatures_add(gnutls_x509_tlsfeatures_t f, unsigned int featur
}
#endif
/* *INDENT-ON* */
-#endif /* GNUTLS_X509_H */
+
+#endif /* GNUTLS_X509_EXT_H */
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index bcb687ce27..444c9f0494 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -1731,4 +1731,5 @@ gnutls_x509_ext_print(gnutls_x509_ext_st *exts, unsigned int exts_size,
}
#endif
/* *INDENT-ON* */
-#endif /* GNUTLS_X509_H */
+
+#endif /* GNUTLS_X509_H */
diff --git a/lib/session.c b/lib/session.c
index 71bcb40515..b9a23e8d02 100644
--- a/lib/session.c
+++ b/lib/session.c
@@ -100,7 +100,7 @@ gnutls_session_get_data(gnutls_session_t session,
* is received by the client. To ensure that such a ticket has been received use
* gnutls_session_get_flags() and check for flag %GNUTLS_SFLAGS_SESSION_TICKET;
* if this flag is not set, this function will wait for a new ticket within
- * an estimated rountrip, and if not received will return dummy data which
+ * an estimated roundtrip, and if not received will return dummy data which
* cannot lead to resumption.
*
* To get notified when new tickets are received by the server
diff --git a/lib/x509/key_encode.c b/lib/x509/key_encode.c
index 18668c8ad2..3e9e0466bc 100644
--- a/lib/x509/key_encode.c
+++ b/lib/x509/key_encode.c
@@ -562,7 +562,7 @@ _gnutls_x509_write_gost_params(const gnutls_pk_params_st * params,
/* For compatibility per R 1323565.1.023—2018 provide digest OID only
* for GOST-2001 keys or GOST-2012 keys with CryptoPro curves. Do not
- * set this optional paramter for TC26 curves */
+ * set this optional parameter for TC26 curves */
if (params->algo == GNUTLS_PK_GOST_01)
oid = HASH_OID_GOST_R_3411_94_CRYPTOPRO_PARAMS;
else if (params->algo == GNUTLS_PK_GOST_12_256 &&
diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
index dba2fd4b9f..b93527ee54 100644
--- a/lib/x509/name_constraints.c
+++ b/lib/x509/name_constraints.c
@@ -178,7 +178,7 @@ int _gnutls_extract_name_constraints(ASN1_TYPE c2, const char *vstr,
/*-
* _gnutls_name_constraints_node_free:
- * @node: name constriants node
+ * @node: name constraints node
*
* Deallocate a list of name constraints nodes starting at the given node.
-*/
diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
index 274ac14248..d64862df43 100644
--- a/lib/x509/pkcs7-crypt.c
+++ b/lib/x509/pkcs7-crypt.c
@@ -237,7 +237,7 @@ int _gnutls_pkcs_flags_to_schema(unsigned int flags)
* This function will return a human readable description of the
* PKCS12 or PBES2 schema.
*
- * Returns: a constrant string or %NULL on error.
+ * Returns: a constraint string or %NULL on error.
*
* Since: 3.4.0
*/
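Review bot: "Returns: a constraint string" is probably not the intended fix for "constrant". The documented function is declared "const char *gnutls_pkcs_schema_get_name(unsigned int schema)", so the text most likely meant "a constant string". The same applies to the Returns: line in the next hunk of this file.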
@@ -255,7 +255,7 @@ const char *gnutls_pkcs_schema_get_name(unsigned int schema)
* This function will return the object identifier of the
* PKCS12 or PBES2 schema.
*
- * Returns: a constrant string or %NULL on error.
+ * Returns: a constraint string or %NULL on error.
*
* Since: 3.4.0
*/
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 645dc563cc..242a01871a 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -1080,7 +1080,7 @@ encryption_key
#honor_crq_ext = 2.5.29.17
#honor_crq_ext = 2.5.29.15
-# Path length contraint. Sets the maximum number of
+# Path length constraint. Sets the maximum number of
# certificates that can be used to certify this certificate.
# (i.e. the certificate chain length)
#path_len = -1
diff --git a/src/certtool.c b/src/certtool.c
index 6bdfe376b1..6c1f04656b 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -3027,7 +3027,8 @@ void generate_pkcs12(common_info_st * cinfo)
app_exit(1);
}
- result = gnutls_pkcs12_bag_encrypt(bag, pass, flags);
+ if (!(flags & GNUTLS_PKCS_PLAIN) || cinfo->empty_password)
+ result = gnutls_pkcs12_bag_encrypt(bag, pass, flags);
if (result < 0) {
fprintf(stderr, "bag_encrypt: %s\n",
gnutls_strerror(result));
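Review bot: when the new condition is false, gnutls_pkcs12_bag_encrypt() is skipped but the following "if (result < 0)" still runs on whatever result held from the earlier call. The preceding block exits on error, so the value is non-negative today, but the check now reads as if it belongs to the encrypt call. Put the error check inside the same braces as the call. Since the skipped path leaves the bag unencrypted under GNUTLS_PKCS_PLAIN, a short comment stating that this is intentional would also help.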
diff --git a/src/cli-args.def b/src/cli-args.def
index 56ae77b077..ac04591325 100644
--- a/src/cli-args.def
+++ b/src/cli-args.def
@@ -393,7 +393,7 @@ flag = {
name = recordsize;
arg-type = number;
arg-range = "0->4096";
- descrip = "The maximum record size to advertize";
+ descrip = "The maximum record size to advertise";
doc = "";
};
diff --git a/src/common.c b/src/common.c
index 753481741b..9b0d385ca3 100644
--- a/src/common.c
+++ b/src/common.c
@@ -282,8 +282,11 @@ int cert_verify(gnutls_session_t session, const char *hostname, const char *purp
gnutls_free(out.data);
- if (status)
+ if (status) {
+ if (!(status & GNUTLS_CERT_INVALID))
+ abort();
return 0;
+ }
return 1;
}
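Review bot: calling abort() when status is non-zero but lacks GNUTLS_CERT_INVALID ends the tool with no diagnostic, and the invariant it enforces is not stated anywhere in the hunk. Print the unexpected status to stderr before aborting, or return 0 with an error message, and add a comment that every failure status is expected to carry GNUTLS_CERT_INVALID (which the lib/cert-session.c change in this patch establishes for missing OCSP staples).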
@@ -1138,6 +1141,15 @@ pin_callback(void *user, int attempt, const char *token_url,
getenv_copy(password, sizeof(password), "GNUTLS_PIN");
}
+ if (password[0] == 0 && info != NULL && info->password != NULL && info->ask_pass == 0) {
+ if (strlen(info->password) < sizeof(password)) {
+ strcpy(password, info->password);
+ } else {
+ memcpy(password, info->password, sizeof(password) - 1);
+ password[sizeof(password) - 1] = '\0';
+ }
+ }
+
if (password[0] == 0 && (info == NULL || info->batch == 0 || info->ask_pass != 0)) {
if (token_label && token_label[0] != 0) {
fprintf(stderr, "Token '%s' with URL '%s' ", token_label, token_url);
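Review bot: the else branch silently truncates info->password to sizeof(password) - 1 bytes and then presents the shortened value as the PIN. A truncated PIN is a wrong PIN, and on a token it can consume a retry attempt without the user knowing why. Treat an over-long password as an error and report it instead of truncating. The strcpy/memcpy pair can then be replaced by a single length check followed by one bounded copy.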
diff --git a/src/list.h b/src/list.h
index 967eb193e2..1b3c9e4635 100644
--- a/src/list.h
+++ b/src/list.h
@@ -40,7 +40,7 @@
slow because these operations search all the way
through the list.
- queues: whats the difference between a queue and a list?
+ queues: what's the difference between a queue and a list?
very little really.
The system implemented here is a doubly linked list with previous
diff --git a/src/tests.c b/src/tests.c
index c7f2662efe..76b896b8fd 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -1209,7 +1209,7 @@ test_code_t test_tls1_6_fallback(gnutls_session_t session)
return TEST_SUCCEED;
}
-/* Advertize both TLS 1.0 and SSL 3.0. If the connection fails,
+/* Advertise both TLS 1.0 and SSL 3.0. If the connection fails,
* but the previous SSL 3.0 test succeeded then disable TLS 1.0.
*/
test_code_t test_tls_disable0(gnutls_session_t session)
@@ -1426,7 +1426,7 @@ void _gnutls_rsa_pms_set_version(gnutls_session_t session,
test_code_t test_rsa_pms_version_check(gnutls_session_t session)
{
int ret;
- /* here we use an arbitary version in the RSA PMS
+ /* here we use an arbitrary version in the RSA PMS
* to see whether to server will check this version.
*
* A normal server would abort this handshake.
diff --git a/tests/cert-tests/data/gost-cert-nogost.pem b/tests/cert-tests/data/gost-cert-nogost.pem
index cd9459f9fb..d393374493 100644
--- a/tests/cert-tests/data/gost-cert-nogost.pem
+++ b/tests/cert-tests/data/gost-cert-nogost.pem
@@ -6,17 +6,8 @@ X.509 Certificate Information:
Not Before: Fri Aug 17 06:47:36 UTC 2012
Not After: Sat Aug 17 06:47:36 UTC 2013
Subject: CN=SuperTerm0000001,OU=SuperPlat Terminals,O=SuperPlat,L=Moscow,ST=Russia,C=RU
+error importing public key: The curve is unsupported
Subject Public Key Algorithm: GOST R 34.10-2001
- Algorithm Security Level: High (256 bits)
- Curve: CryptoPro-A
- Digest: GOSTR341194
- ParamSet: CryptoPro-A
- X:
- e0:35:f2:a8:40:cf:ea:25:63:b5:c1:eb:fa:fd:1d:7f
- 45:d6:2a:31:96:56:35:75:25:19:f6:62:69:db:da:eb
- Y:
- 57:41:b2:c1:e2:1f:7b:d0:13:c8:dd:eb:9f:ba:cb:42
- a3:63:c7:0b:f4:e9:24:d7:dd:e9:34:8d:12:18:67:d8
Extensions:
Basic Constraints (not critical):
Certificate Authority (CA): FALSE
@@ -38,11 +29,6 @@ Other Information:
Fingerprint:
sha1:621f34c4fdd7e93f9b8f18224ba0bcd1c63a4771
sha256:ac6ecf4e7a876edf3e61f538d6061353c2015bfbdf60370492f7404d7f09e13a
- Public Key ID:
- sha1:43757042dae9e9f5fa92cc2d2cbf4950f28a7bd0
- sha256:cee4a59e7803bafb101af8e39e5355d7895e3b85e7616fe624d48f2c51e8bdbf
- Public Key PIN:
- pin-sha256:zuSlnngDuvsQGvjjnlNV14leO4XnYW/mJNSPLFHovb8=
-----BEGIN CERTIFICATE-----
MIICXjCCAgugAwIBAgICAR8wCgYGKoUDAgIDBQAwdDELMAkGA1UEBhMCUlUxDzAN
diff --git a/tests/logfile-option.sh b/tests/logfile-option.sh
index 1eb7a492f7..8cd8f9b53f 100755
--- a/tests/logfile-option.sh
+++ b/tests/logfile-option.sh
@@ -96,7 +96,7 @@ kill ${PID}
wait
if ! test -f ${TMPFILE1};then
- echo "Logfile shoule be created!"
+ echo "Logfile should be created!"
exit 1
fi
if test -s ${TMPFILE2};then
@@ -150,7 +150,7 @@ kill ${PID}
wait
if ! test -f ${TMPFILE1};then
- echo "Logfile shoule be created!"
+ echo "Logfile should be created!"
exit 1
fi
if test -s ${TMPFILE2};then