-rw-r--r--.gitlab-ci.yml31
-rw-r--r--doc/announce.txt2
-rw-r--r--doc/certtool.cfg4
-rw-r--r--doc/cha-cert-auth.texi2
-rw-r--r--doc/cha-crypto.texi2
-rw-r--r--doc/cha-gtls-app.texi6
-rw-r--r--doc/cha-internals.texi2
-rw-r--r--doc/cha-tokens.texi4
-rw-r--r--doc/reference/Makefile.am2
-rwxr-xr-xdoc/scripts/gdoc6
-rw-r--r--lib/accelerated/cryptodev.c2
-rw-r--r--lib/auth/rsa.c6
-rw-r--r--lib/auth/rsa_psk.c2
-rw-r--r--lib/cipher-cbc.c2
-rw-r--r--lib/ext/client_cert_type.c2
-rw-r--r--lib/ext/pre_shared_key.c2
-rw-r--r--lib/ext/server_cert_type.c2
-rw-r--r--lib/extras/hex.h2
-rw-r--r--lib/global.h2
-rw-r--r--lib/gnutls_int.h4
-rw-r--r--lib/handshake.c2
-rw-r--r--lib/includes/gnutls/abstract.h2
-rw-r--r--lib/includes/gnutls/compat.h2
-rw-r--r--lib/mbuffers.c2
-rw-r--r--lib/nettle/gost/ecc-internal.h4
-rw-r--r--lib/nettle/int/dsa-keygen-fips186.c2
-rw-r--r--lib/nettle/int/rsa-keygen-fips186.c2
-rw-r--r--lib/pcert.c4
-rw-r--r--lib/pkcs11.c12
-rw-r--r--lib/record.c2
-rw-r--r--lib/str-idna.c2
-rw-r--r--lib/str.c2
-rw-r--r--lib/tls-sig.c4
-rw-r--r--lib/x509/attributes.c2
-rw-r--r--lib/x509/dn.c6
-rw-r--r--lib/x509/ip-in-cidr.h2
-rw-r--r--lib/x509/mpi.c2
-rw-r--r--lib/x509/name_constraints.c2
-rw-r--r--lib/x509/ocsp.c2
-rw-r--r--lib/x509/pkcs12.c2
-rw-r--r--lib/x509/time.c4
-rw-r--r--lib/x509/verify-high.c2
-rw-r--r--lib/x509/verify-high2.c50
-rw-r--r--lib/x509/verify.c2
-rw-r--r--lib/x509/x509_ext.c4
-rw-r--r--lib/x509/x509_int.h2
-rw-r--r--tests/alpn-server-prec.c3
-rw-r--r--tests/key-material-set-dtls.c3
-rw-r--r--tests/mini-alpn.c3
-rw-r--r--tests/mini-dtls-discard.c3
-rw-r--r--tests/mini-dtls-heartbeat.c3
-rw-r--r--tests/mini-dtls-record.c3
-rw-r--r--tests/mini-dtls-srtp.c3
-rw-r--r--tests/mini-record-failure.c1
-rw-r--r--tests/prf.c3
-rw-r--r--tests/psk-file.c5
-rw-r--r--tests/slow/cipher-api-test.c178
-rwxr-xr-xtests/testpkcs11.sh2
-rw-r--r--tests/utils.h3
59 files changed, 258 insertions, 166 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0ba9f7eb52..6a7652ddeb 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -261,8 +261,9 @@ MinGW32.DLLs:
echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- ./bootstrap
- export CC="ccache i686-w64-mingw32-gcc"
- - dash ./configure --disable-gcc-warnings --host=i686-w64-mingw32 --target=i686-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-nls --disable-guile --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc &&
- mingw32-make -j$(nproc) && mingw32-make -C tests check -j$(nproc)
+ - dash ./configure --disable-gcc-warnings --host=i686-w64-mingw32 --target=i686-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-nls --disable-guile --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
+ - mingw32-make -j$(nproc)
+ - mingw32-make -C tests check -j$(nproc)
# Combine generated apps and DLLs.
#libwinpthread is required by libgcc
#libffi is required by libp11-kit
@@ -299,8 +300,9 @@ MinGW64.DLLs:
echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- ./bootstrap
- export CC="ccache x86_64-w64-mingw32-gcc"
- - dash ./configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc &&
- mingw64-make -j$(nproc) && mingw64-make -C tests check -j$(nproc)
+ - dash ./configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
+ - mingw64-make -j$(nproc)
+ - mingw64-make -C tests check -j$(nproc)
# Combine generated apps and DLLs.
#libwinpthread is required by libgcc
#libffi is required by libp11-kit
@@ -337,9 +339,10 @@ MinGW64:
- export CC="ccache x86_64-w64-mingw32-gcc"
- mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc &&
echo ':DOSWin:M::MZ::/usr/bin/wine64:' > /proc/sys/fs/binfmt_misc/register &&
- mkdir -p build && cd build &&
- ../configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc &&
- mingw64-make -j$(nproc) && mingw64-make -C tests check -j$(nproc)
+ mkdir -p build && cd build
+ - dash ../configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc
+ - mingw64-make -j$(nproc)
+ - mingw64-make -C tests check -j$(nproc)
- cd ..
tags:
- shared
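Review bot: In the MinGW64 job the configure step changes from `../configure` to `dash ../configure`, which goes beyond the split of the `&&` chain applied to the other jobs. If running configure under dash is intended here, as the MinGW32 job already does, the commit message should say so; otherwise keep the entry as `- ../configure ...`. The split also relies on the `cd build` in the preceding entry still being in effect for the following script entries, which the trailing `- cd ..` suggests is the existing assumption.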
@@ -363,9 +366,10 @@ MinGW32:
- export CC="ccache i686-w64-mingw32-gcc"
- mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc &&
echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register &&
- mkdir -p build && cd build &&
- dash ../configure --disable-gcc-warnings --host=i686-w64-mingw32 --target=i686-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc &&
- mingw32-make -j$(nproc) && mingw32-make -C tests check -j$(nproc)
+ mkdir -p build && cd build
+ - dash ../configure --disable-gcc-warnings --host=i686-w64-mingw32 --target=i686-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc
+ - mingw32-make -j$(nproc)
+ - mingw32-make -C tests check -j$(nproc)
- cd ..
tags:
- shared
@@ -446,9 +450,10 @@ Debian.x86_64:
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_BUILD
script:
- ./bootstrap
- - mkdir -p build && cd build &&
- dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --disable-doc --disable-guile --disable-full-test-suite LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' &&
- make -j$(nproc) && make check -j$(nproc)
+ - mkdir -p build && cd build
+ - dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --disable-doc --disable-guile --disable-full-test-suite LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now'
+ - make -j$(nproc)
+ - make check -j$(nproc)
- cd ..
tags:
- shared
diff --git a/doc/announce.txt b/doc/announce.txt
index 1037861599..2bae0f6a3a 100644
--- a/doc/announce.txt
+++ b/doc/announce.txt
@@ -41,7 +41,7 @@ explicitly enabled, since they reduce the overall security level.
draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10.
That is currently provided as technology preview and is not enabled by
default, since there are no assigned ciphersuite points by IETF and there
-is no guarrantee of compatibility between draft versions. The ciphersuite
+is no guarantee of compatibility between draft versions. The ciphersuite
priority string to enable it is "+CHACHA20-POLY1305".
** libgnutls: Added support for encrypt-then-authenticate in CBC
diff --git a/doc/certtool.cfg b/doc/certtool.cfg
index 4a3021b28c..c5f2ddc778 100644
--- a/doc/certtool.cfg
+++ b/doc/certtool.cfg
@@ -138,7 +138,7 @@ encryption_key
# and store them in the real certificate.
#honor_crq_extensions
-# Path length contraint. Sets the maximum number of
+# Path length constraint. Sets the maximum number of
# certificates that can be used to certify this certificate.
# (i.e. the certificate chain length)
#path_len = -1
@@ -192,5 +192,5 @@ encryption_key
# TLS feature extensions (RFC 7633)
-# If the status_request TLS exension is set, OCSP stapling becomes mandatory
+# If the status_request TLS extension is set, OCSP stapling becomes mandatory
#tls_feature = 5
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 8695415a9a..4a0c25eff1 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -449,7 +449,7 @@ indicates that the CA is allowed to sign certificates for email users.
@item GNUTLS_KP_OCSP_SIGNING @tab
1.3.6.1.5.5.7.3.9 @tab
The certificate is to be used for signing OCSP responses. When in a CA certificate, it
-indicates that the CA is allowed to sign certificates which sign OCSP reponses.
+indicates that the CA is allowed to sign certificates which sign OCSP responses.
@item GNUTLS_KP_ANY @tab
2.5.29.37.0 @tab
diff --git a/doc/cha-crypto.texi b/doc/cha-crypto.texi
index ab5f9ac15f..a133ccd158 100644
--- a/doc/cha-crypto.texi
+++ b/doc/cha-crypto.texi
@@ -82,7 +82,7 @@ should be imported using their PKCS#11 URL with
If any of the smart card operations require PIN, that should be provided
either by setting the global PIN function
-(@funcref{gnutls_pkcs11_set_pin_function}), or better with the targetted to
+(@funcref{gnutls_pkcs11_set_pin_function}), or better with the targeted to
structures functions such as @funcref{gnutls_privkey_set_pin_function}.
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 028d1ab778..393283e0c9 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -286,7 +286,7 @@ operation.
As well as any calls needed for memory allocation to work. Note however, that GnuTLS
depends on libc for the system calls, and there is no guarantee that libc will
call the expected system call. For that it is recommended to test your
-program in all the targetted platforms when filters like seccomp are in place.
+program in all the targeted platforms when filters like seccomp are in place.
An example with a seccomp filter from GnuTLS' test suite is at:
@url{http://gitlab.com/gnutls/gnutls/blob/master/tests/seccomp.c}.
@@ -1205,7 +1205,7 @@ A session can be deinitialized with the @funcref{gnutls_deinit} function.
Although @funcref{gnutls_record_send} is sufficient to transmit data
to the peer, when many small chunks of data are to be transmitted
it is inefficient and wastes bandwidth due to the TLS record
-overhead. In that case it is preferrable to combine the small chunks
+overhead. In that case it is preferable to combine the small chunks
before transmission. The following functions provide that functionality.
@showfuncdesc{gnutls_record_cork}
@@ -1355,7 +1355,7 @@ using this option to build a priority string gives detailed control
into the resulting settings, however with new revisions of the TLS protocol
new priority items are routinely added, and such strings are not
forward compatible with new protocols. As such, we
-advice against using that option for applications targetting multiple versions
+advice against using that option for applications targeting multiple versions
of the GnuTLS library, and recommend using the defaults (see above) or
adjusting the defaults via @funcref{gnutls_set_default_priority_append}.
diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi
index 50601bb69f..ebdf998aa3 100644
--- a/doc/cha-internals.texi
+++ b/doc/cha-internals.texi
@@ -561,7 +561,7 @@ second is shared for the @code{GNUTLS_RND_KEY} and @code{GNUTLS_RND_RANDOM}
levels. For the rest of this section we refer to the first as the nonce
generator and the second as the key generator.
-The nonce generator will reseed after outputing a fixed amount of bytes
+The nonce generator will reseed after outputting a fixed amount of bytes
(typically few megabytes), or after few hours of operation without reaching
the limit has passed. It is being re-seed using
the key generator to obtain a new key for the CHACHA cipher, which is mixed
diff --git a/doc/cha-tokens.texi b/doc/cha-tokens.texi
index 529829bf29..409b360815 100644
--- a/doc/cha-tokens.texi
+++ b/doc/cha-tokens.texi
@@ -50,7 +50,7 @@ to sign an X.509 certificate with a key that resides in a token the following st
used.
@example
-#inlude <gnutls/abstract.h>
+#include <gnutls/abstract.h>
void sign_cert( gnutls_x509_crt_t to_be_signed)
@{
@@ -346,7 +346,7 @@ flag.
@showfuncdesc{gnutls_pkcs11_add_provider}
-In that case, the application will only have access to the modules explictly
+In that case, the application will only have access to the modules explicitly
loaded. If the @code{GNUTLS_PKCS11_FLAG_MANUAL} flag is specified and no calls
to @funcref{gnutls_pkcs11_add_provider} are made, then the PKCS #11 functionality
is effectively disabled.
diff --git a/doc/reference/Makefile.am b/doc/reference/Makefile.am
index 8cd1430b32..f10c8ed3ca 100644
--- a/doc/reference/Makefile.am
+++ b/doc/reference/Makefile.am
@@ -64,7 +64,7 @@ HTML_IMAGES=
# e.g. content_files=running.xml building.xml changes-2.0.xml
content_files=
-# Files where gtk-doc abbrevations (#GtkWidget) are expanded
+# Files where gtk-doc abbreviations (#GtkWidget) are expanded
# e.g. expand_content_files=running.xml
expand_content_files=
diff --git a/doc/scripts/gdoc b/doc/scripts/gdoc
index 25aa1beebb..3214b9c317 100755
--- a/doc/scripts/gdoc
+++ b/doc/scripts/gdoc
@@ -95,7 +95,7 @@
# * my_function
# **/
#
-# If the Description: header tag is ommitted, then there must be a blank line
+# If the Description: header tag is omitted, then there must be a blank line
# after the last parameter specification.
# e.g.
# /**
@@ -310,7 +310,7 @@ sub dump_section {
# parameterlist => @list of parameters
# parameters => %parameter descriptions
# sectionlist => @list of sections
-# sections => %descriont descriptions
+# sections => %section descriptions
#
sub just_highlight {
@@ -1015,7 +1015,7 @@ foreach $file (@ARGV) {
$contents .= $1."\n";
}
} else {
- # i dont know - bad line? ignore.
+ # i don't know - bad line? ignore.
#print STDERR "warning: $lineno: Bad line: $_";
}
} elsif ($state == 3) { # scanning for function { (end of prototype)
diff --git a/lib/accelerated/cryptodev.c b/lib/accelerated/cryptodev.c
index 5897cc2ace..8d00cfdc2a 100644
--- a/lib/accelerated/cryptodev.c
+++ b/lib/accelerated/cryptodev.c
@@ -251,7 +251,7 @@ int _gnutls_cryptodev_init(void)
return GNUTLS_E_CRYPTODEV_IOCTL_ERROR;
}
- /* Set close-on-exec (not really neede here) */
+ /* Set close-on-exec (not really needed here) */
if (fcntl(cfd, F_SETFD, 1) == -1) {
gnutls_assert();
return GNUTLS_E_CRYPTODEV_IOCTL_ERROR;
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
index c2203c7ed3..d5d0943242 100644
--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
@@ -92,7 +92,7 @@ int check_key_usage_for_enc(gnutls_session_t session, unsigned key_usage)
* server. Therefore the correct cert type needs to be retrieved to be
* used for the _gnutls_get_auth_info_pcert call. If this
* function is to be called on the server side in the future, extra
- * checks need to be build in order to retrieve te correct
+ * checks need to be build in order to retrieve the correct
* certificate type.
*/
int
@@ -213,12 +213,12 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
session->key.key.size);
/* After this point, any conditional on failure that cause differences
* in execution may create a timing or cache access pattern side
- * channel that can be used as an oracle, so tread very carefully */
+ * channel that can be used as an oracle, so treat very carefully */
/* Error handling logic:
* In case decryption fails then don't inform the peer. Just use the
* random key previously generated. (in order to avoid attack against
- * pkcs-1 formating).
+ * pkcs-1 formatting).
*
* If we get version mismatches no error is returned either. We
* proceed normally. This is to defend against the attack described
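Review bot: Replacing `tread` with `treat` in the side-channel comment is not a spelling fix, because "tread very carefully" is the intended idiom and the new sentence no longer parses. I would restore `* channel that can be used as an oracle, so tread very carefully */`. This comment marks the point in proc_rsa_client_kx after which failure-dependent branches can leak through timing or cache access, so its wording should stay unambiguous. The first hunk of this file still reads `need to be build`, which should be `need to be built`. The function body continues outside the hunk.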
diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
index 644f2e8b29..791fcd8bb7 100644
--- a/lib/auth/rsa_psk.c
+++ b/lib/auth/rsa_psk.c
@@ -334,7 +334,7 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
/* In case decryption fails then don't inform
* the peer. Just use a random key. (in order to avoid
- * attack against pkcs-1 formating).
+ * attack against pkcs-1 formatting).
*/
gnutls_assert();
_gnutls_debug_log
diff --git a/lib/cipher-cbc.c b/lib/cipher-cbc.c
index 741119223b..2f387c523c 100644
--- a/lib/cipher-cbc.c
+++ b/lib/cipher-cbc.c
@@ -90,7 +90,7 @@ int cbc_mac_verify(gnutls_session_t session, record_parameters_st *params,
pad = data[data_size - 1]; /* pad */
- /* Check the pading bytes (TLS 1.x).
+ /* Check the padding bytes (TLS 1.x).
* Note that we access all 256 bytes of ciphertext for padding check
* because there is a timing channel in that memory access (in certain CPUs).
*/
diff --git a/lib/ext/client_cert_type.c b/lib/ext/client_cert_type.c
index 534c407b3a..0fbd4e9e4a 100644
--- a/lib/ext/client_cert_type.c
+++ b/lib/ext/client_cert_type.c
@@ -91,7 +91,7 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session,
gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
}
- /* The server picked one of the offered cert types iff he supports
+ /* The server picked one of the offered cert types if he supports
* at least one of them and decided to do a client certificate
* request. If both parties play by the rules then we may only
* receive a cert type that we offered, i.e. one that we support.
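Review bot: Changing `iff` to `if` in this comment alters its meaning, since `iff` is the usual abbreviation of "if and only if" and was not a typo. The following sentence ("we may only receive a cert type that we offered") depends on the two-way reading, so I would keep `iff` or spell it out as `if and only if he supports`. The same substitution is made in the matching comment in lib/ext/server_cert_type.c. The comment and the enclosing function continue outside the hunk.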
diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
index c42bd1646b..116cea8d7d 100644
--- a/lib/ext/pre_shared_key.c
+++ b/lib/ext/pre_shared_key.c
@@ -541,7 +541,7 @@ static int server_recv_params(gnutls_session_t session,
psk.ob_ticket_age == 0 &&
psk.identity.size > 0 && psk.identity.size <= MAX_USERNAME_SIZE) {
/* _gnutls_psk_pwd_find_entry() expects 0-terminated identities */
- char identity_str[psk.identity.size + 1];
+ char identity_str[MAX_USERNAME_SIZE + 1];
prf = pskcred->binder_algo;
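Review bot: The fixed-size `identity_str[MAX_USERNAME_SIZE + 1]` is in bounds only because of the `psk.identity.size <= MAX_USERNAME_SIZE` test in the enclosing condition, and nothing at the declaration records that dependency. The identity is received from the peer, so the copy into this buffer (presumably just below, outside the hunk) must never become reachable without that bound. I would extend the existing comment to `/* _gnutls_psk_pwd_find_entry() expects 0-terminated identities; the buffer size relies on the psk.identity.size <= MAX_USERNAME_SIZE check above */`. The body of server_recv_params continues outside the hunk, so the copy and the terminator write should be checked there as well.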
diff --git a/lib/ext/server_cert_type.c b/lib/ext/server_cert_type.c
index 35c6d751db..b290b7b06e 100644
--- a/lib/ext/server_cert_type.c
+++ b/lib/ext/server_cert_type.c
@@ -91,7 +91,7 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session,
gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
}
- /* The server picked one of the offered cert types iff he supports
+ /* The server picked one of the offered cert types if he supports
* at least one of them. If both parties play by the rules then we
* may only receive a cert type that we offered, i.e. one that we
* support. Because the world isn't as beautiful as it may seem,
diff --git a/lib/extras/hex.h b/lib/extras/hex.h
index e2ce3ff28a..15d4e64932 100644
--- a/lib/extras/hex.h
+++ b/lib/extras/hex.h
@@ -7,7 +7,7 @@
/**
* hex_decode - Unpack a hex string.
- * @str: the hexidecimal string
+ * @str: the hexadecimal string
* @slen: the length of @str
* @buf: the buffer to write the data into
* @bufsize: the length of @buf
diff --git a/lib/global.h b/lib/global.h
index c1aa7863b5..97b0b27281 100644
--- a/lib/global.h
+++ b/lib/global.h
@@ -33,7 +33,7 @@ extern ASN1_TYPE _gnutls_gnutls_asn;
/* removed const from node_asn* to
* prevent warnings, since libtasn1 doesn't
- * use the const keywork in its functions.
+ * use the const keyword in its functions.
*/
#define _gnutls_get_gnutls_asn() ((ASN1_TYPE) _gnutls_gnutls_asn)
#define _gnutls_get_pkix() ((ASN1_TYPE) _gnutls_pkix1_asn)
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 8baa8815e7..a0c47efa0f 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1101,7 +1101,7 @@ typedef struct {
bool invalid_connection; /* true or FALSE - if this session is valid */
- bool may_not_read; /* if it's 0 then we can read/write, otherwise it's forbiden to read/write
+ bool may_not_read; /* if it's 0 then we can read/write, otherwise it's forbidden to read/write
*/
bool may_not_write;
bool read_eof; /* non-zero if we have received a closure alert. */
@@ -1263,7 +1263,7 @@ typedef struct {
*/
bool ignore_rdn_sequence;
- /* This is used to set an arbitary version in the RSA
+ /* This is used to set an arbitrary version in the RSA
* PMS secret. Can be used by clients to test whether the
* server checks that version. (** only used in gnutls-cli-debug)
*/
diff --git a/lib/handshake.c b/lib/handshake.c
index d83a51c9bb..70b4486266 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -1626,7 +1626,7 @@ _gnutls_recv_handshake(gnutls_session_t session,
default:
gnutls_assert();
/* we shouldn't actually arrive here in any case .
- * unexpected messages should be catched after _gnutls_handshake_io_recv_int()
+ * unexpected messages should be caught after _gnutls_handshake_io_recv_int()
*/
ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
goto cleanup;
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index 223fb2ed1f..0aa1018555 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -122,7 +122,7 @@ typedef void (*gnutls_privkey_deinit_func) (gnutls_privkey_t key,
*/
#define GNUTLS_PRIVKEY_INFO_HAVE_SIGN_ALGO (1<<2)
/* Should return the number of bits of the public key algorithm (required for RSA-PSS)
- * It is the value that should be retuned by gnutls_pubkey_get_pk_algorithm() */
+ * It is the value that should be returned by gnutls_pubkey_get_pk_algorithm() */
#define GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS (1<<3)
/* returns information on the public key associated with userdata */
diff --git a/lib/includes/gnutls/compat.h b/lib/includes/gnutls/compat.h
index 732b9dbeb4..f81d25b47a 100644
--- a/lib/includes/gnutls/compat.h
+++ b/lib/includes/gnutls/compat.h
@@ -50,7 +50,7 @@ extern "C" {
/* gnutls_connection_end_t was made redundant in 2.99.0 */
typedef unsigned int gnutls_connection_end_t _GNUTLS_GCC_ATTR_DEPRECATED;
-/* Stuff deprected in 2.x */
+/* Stuff deprecated in 2.x */
typedef gnutls_cipher_algorithm_t gnutls_cipher_algorithm
_GNUTLS_GCC_ATTR_DEPRECATED;
typedef gnutls_kx_algorithm_t gnutls_kx_algorithm
diff --git a/lib/mbuffers.c b/lib/mbuffers.c
index 2e4c62a295..24395e6496 100644
--- a/lib/mbuffers.c
+++ b/lib/mbuffers.c
@@ -324,7 +324,7 @@ _mbuffer_append_data(mbuffer_st * bufel, void *newdata,
#ifdef ENABLE_ALIGN16
# define ALIGN_SIZE 16
-/* Allocate a 16-byte alligned buffer segment. The segment is not initially "owned" by
+/* Allocate a 16-byte aligned buffer segment. The segment is not initially "owned" by
* any buffer.
*
* maximum_size: Amount of data that this segment can contain.
diff --git a/lib/nettle/gost/ecc-internal.h b/lib/nettle/gost/ecc-internal.h
index 16d6828772..21bd98cfdc 100644
--- a/lib/nettle/gost/ecc-internal.h
+++ b/lib/nettle/gost/ecc-internal.h
@@ -127,7 +127,7 @@ struct ecc_curve
{
/* The prime p. */
struct ecc_modulo p;
- /* Group order. FIXME: Currently, many fucntions rely on q.size ==
+ /* Group order. FIXME: Currently, many functions rely on q.size ==
p.size. This has to change for radix-51 implementation of
curve25519 mod p arithmetic. */
struct ecc_modulo q;
@@ -202,7 +202,7 @@ gost_hash (const struct ecc_modulo *m,
/* Converts a point P in jacobian coordinates into a point R in affine
coordinates. If op == 1, produce x coordinate only. If op == 2,
- produce the x coordiante only, and in also it modulo q. FIXME: For
+ produce the x coordinate only, and in also it modulo q. FIXME: For
the public interface, have separate for the three cases, and use
this flag argument only for the internal ecc->h_to_a function. */
void
diff --git a/lib/nettle/int/dsa-keygen-fips186.c b/lib/nettle/int/dsa-keygen-fips186.c
index 30ba004e0f..69f7f8ceba 100644
--- a/lib/nettle/int/dsa-keygen-fips186.c
+++ b/lib/nettle/int/dsa-keygen-fips186.c
@@ -421,7 +421,7 @@ _dsa_generate_dss_pqg(struct dsa_params *params,
if (_gnutls_fips_mode_enabled() != 0) {
cert->seed_length = 2 * (q_bits / 8) + 1;
- FIPS_RULE(cert->seed_length != seed_size, 0, "unsupported DSA seed length (is %d, shoudl be %d)\n", seed_size, cert->seed_length);
+ FIPS_RULE(cert->seed_length != seed_size, 0, "unsupported DSA seed length (is %d, should be %d)\n", seed_size, cert->seed_length);
} else {
cert->seed_length = seed_size;
}
diff --git a/lib/nettle/int/rsa-keygen-fips186.c b/lib/nettle/int/rsa-keygen-fips186.c
index a76e5eaa00..438101ef1d 100644
--- a/lib/nettle/int/rsa-keygen-fips186.c
+++ b/lib/nettle/int/rsa-keygen-fips186.c
@@ -358,7 +358,7 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
goto cleanup;
}
- /* Done! Almost, we must compute the auxillary private values. */
+ /* Done! Almost, we must compute the auxiliary private values. */
/* a = d % (p-1) */
mpz_fdiv_r(key->a, key->d, p1);
diff --git a/lib/pcert.c b/lib/pcert.c
index 816a748b05..23eadf12d0 100644
--- a/lib/pcert.c
+++ b/lib/pcert.c
@@ -387,7 +387,7 @@ int gnutls_pcert_import_rawpk(gnutls_pcert_st* pcert,
/* A pcert struct holds a raw copy of the certificate data.
* Therefore we convert our gnutls_pubkey_t to its raw DER
* representation and copy it into our pcert. It is this raw data
- * that will be transfered to the peer via a Certificate msg.
+ * that will be transferred to the peer via a Certificate msg.
* According to the spec (RFC7250) a DER representation must be used.
*/
ret = gnutls_pubkey_export2(pubkey, GNUTLS_X509_FMT_DER, &pcert->cert);
@@ -452,7 +452,7 @@ int gnutls_pcert_import_rawpk_raw(gnutls_pcert_st* pcert,
pcert->pubkey->key_usage = key_usage;
/* A pcert struct holds a raw copy of the certificate data.
- * It is this raw data that will be transfered to the peer via a
+ * It is this raw data that will be transferred to the peer via a
* Certificate message. According to the spec (RFC7250) a DER
* representation must be used. Therefore we check the format and
* convert if necessary.
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index c974565830..39e2799b1e 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -1291,7 +1291,7 @@ void gnutls_pkcs11_obj_deinit(gnutls_pkcs11_obj_t obj)
* replaced by the actual size of parameters)
*
* This function will export the PKCS11 object data. It is normal for
- * data to be inaccesible and in that case %GNUTLS_E_INVALID_REQUEST
+ * data to be inaccessible and in that case %GNUTLS_E_INVALID_REQUEST
* will be returned.
*
* If the buffer provided is not long enough to hold the output, then
@@ -1329,7 +1329,7 @@ gnutls_pkcs11_obj_export(gnutls_pkcs11_obj_t obj,
* @out: will contain the object data
*
* This function will export the PKCS11 object data. It is normal for
- * data to be inaccesible and in that case %GNUTLS_E_INVALID_REQUEST
+ * data to be inaccessible and in that case %GNUTLS_E_INVALID_REQUEST
* will be returned.
*
* The output buffer is allocated using gnutls_malloc().
@@ -1352,7 +1352,7 @@ gnutls_pkcs11_obj_export2(gnutls_pkcs11_obj_t obj, gnutls_datum_t * out)
* @fmt: The format of the exported data
*
* This function will export the PKCS11 object data. It is normal for
- * data to be inaccesible and in that case %GNUTLS_E_INVALID_REQUEST
+ * data to be inaccessible and in that case %GNUTLS_E_INVALID_REQUEST
* will be returned.
*
* The output buffer is allocated using gnutls_malloc().
@@ -4252,7 +4252,7 @@ find_cert_cb(struct ck_function_list *module, struct pkcs11_session_info *sinfo,
*
* This function will return the issuer of a given certificate, if it
* is stored in the token. By default only marked as trusted issuers
- * are retuned. If any issuer should be returned specify
+ * are returned. If any issuer should be returned specify
* %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY in @flags.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
@@ -4355,7 +4355,7 @@ int gnutls_pkcs11_get_raw_issuer(const char *url, gnutls_x509_crt_t cert,
*
* This function will return the certificate with the given DN, if it
* is stored in the token. By default only marked as trusted issuers
- * are retuned. If any issuer should be returned specify
+ * are returned. If any issuer should be returned specify
* %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY in @flags.
*
* The name of the function includes issuer because it can
@@ -4440,7 +4440,7 @@ int gnutls_pkcs11_get_raw_issuer_by_dn (const char *url, const gnutls_datum_t *d
*
* This function will return the certificate with the given DN and @spki, if it
* is stored in the token. By default only marked as trusted issuers
- * are retuned. If any issuer should be returned specify
+ * are returned. If any issuer should be returned specify
* %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY in @flags.
*
* The name of the function includes issuer because it can
diff --git a/lib/record.c b/lib/record.c
index 73c484ed56..2dc997d09b 100644
--- a/lib/record.c
+++ b/lib/record.c
@@ -872,7 +872,7 @@ record_add_to_buffers(gnutls_session_t session,
goto cleanup;
} else {
/* if the alert is FATAL or WARNING
- * return the apropriate message
+ * return the appropriate message
*/
gnutls_assert();
ret = GNUTLS_E_WARNING_ALERT_RECEIVED;
diff --git a/lib/str-idna.c b/lib/str-idna.c
index 8a1dce980a..30a09407c0 100644
--- a/lib/str-idna.c
+++ b/lib/str-idna.c
@@ -73,7 +73,7 @@ int gnutls_idna_map(const char *input, unsigned ilen, gnutls_datum_t *out, unsig
/* IDN2_NONTRANSITIONAL automatically converts to lowercase
* IDN2_NFC_INPUT converts to NFC before toASCII conversion
*
- * Since IDN2_NONTRANSITIONAL implicitely does NFC conversion, we don't need
+ * Since IDN2_NONTRANSITIONAL implicitly does NFC conversion, we don't need
* the additional IDN2_NFC_INPUT. But just for the unlikely case that the linked
* library is not matching the headers when building and it doesn't support TR46,
* we provide IDN2_NFC_INPUT. */
diff --git a/lib/str.c b/lib/str.c
index f766915bc0..7757730175 100644
--- a/lib/str.c
+++ b/lib/str.c
@@ -223,7 +223,7 @@ _gnutls_buffer_pop_datum(gnutls_buffer_st * str, gnutls_datum_t * data,
str->data += req_size;
str->length -= req_size;
- /* if string becomes empty start from begining */
+ /* if string becomes empty start from beginning */
if (str->length == 0) {
str->data = str->allocd;
}
diff --git a/lib/tls-sig.c b/lib/tls-sig.c
index 87016172e2..75f88e5fbd 100644
--- a/lib/tls-sig.c
+++ b/lib/tls-sig.c
@@ -547,7 +547,7 @@ _gnutls_handshake_verify_crt_vrfy(gnutls_session_t session,
}
/* the same as _gnutls_handshake_sign_crt_vrfy except that it is made for TLS 1.2.
- * Returns the used signature algorihm, or a negative error code.
+ * Returns the used signature algorithm, or a negative error code.
*/
static int
_gnutls_handshake_sign_crt_vrfy12(gnutls_session_t session,
@@ -668,7 +668,7 @@ _gnutls_handshake_sign_crt_vrfy3(gnutls_session_t session,
* For TLS1.x, x<2 returns negative for failure and zero or unspecified for success.
* For TLS1.2 returns the signature algorithm used on success, or a negative error code;
*
- * Returns the used signature algorihm, or a negative error code.
+ * Returns the used signature algorithm, or a negative error code.
*/
int
_gnutls_handshake_sign_crt_vrfy(gnutls_session_t session,
diff --git a/lib/x509/attributes.c b/lib/x509/attributes.c
index 4d116be4ec..9c83ca8414 100644
--- a/lib/x509/attributes.c
+++ b/lib/x509/attributes.c
@@ -110,7 +110,7 @@ _x509_parse_attribute(ASN1_TYPE asn1_struct,
goto cleanup;
}
- /* Move to the attibute type and values
+ /* Move to the attribute type and values
*/
/* Read the OID
*/
diff --git a/lib/x509/dn.c b/lib/x509/dn.c
index 828bd9059d..033531970d 100644
--- a/lib/x509/dn.c
+++ b/lib/x509/dn.c
@@ -74,7 +74,7 @@ static int append_elements(ASN1_TYPE asn1_struct, const char *asn1_rdn_name, gnu
goto cleanup;
}
- do { /* Move to the attibute type and values
+ do { /* Move to the attribute type and values
*/
k2++;
@@ -359,7 +359,7 @@ _gnutls_x509_parse_dn_oid(ASN1_TYPE asn1_struct,
k2 = 0;
- do { /* Move to the attibute type and values
+ do { /* Move to the attribute type and values
*/
k2++;
@@ -519,7 +519,7 @@ _gnutls_x509_get_dn_oid(ASN1_TYPE asn1_struct,
k2 = 0;
- do { /* Move to the attibute type and values
+ do { /* Move to the attribute type and values
*/
k2++;
diff --git a/lib/x509/ip-in-cidr.h b/lib/x509/ip-in-cidr.h
index 86fd8e50e4..8bb5dd48ae 100644
--- a/lib/x509/ip-in-cidr.h
+++ b/lib/x509/ip-in-cidr.h
@@ -30,7 +30,7 @@
* The @ip version must match the @cidr version (v4/v6),
* (this is not checked).
*
- * Returns: 1 if @ip lies withing @cidr, 0 otherwise
+ * Returns: 1 if @ip lies within @cidr, 0 otherwise
-*/
static unsigned ip_in_cidr(const gnutls_datum_t *ip, const gnutls_datum_t *cidr)
{
diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c
index 20a64690a3..bb914420f1 100644
--- a/lib/x509/mpi.c
+++ b/lib/x509/mpi.c
@@ -378,7 +378,7 @@ _gnutls_x509_write_sign_params(ASN1_TYPE dst, const char *dst_name,
}
/* this function reads a (small) unsigned integer
- * from asn1 structs. Combines the read and the convertion
+ * from asn1 structs. Combines the read and the conversion
* steps.
*/
int
diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
index c4d78026fe..a2cca38450 100644
--- a/lib/x509/name_constraints.c
+++ b/lib/x509/name_constraints.c
@@ -242,7 +242,7 @@ static name_constraints_node_st* name_constraints_node_new(unsigned type,
* @_nc_excluded: Corresponding excluded name constraints list
*
* This function finds the intersection of @_nc and @_nc2. The result is placed in @_nc,
- * the original @_nc is deallocated. @_nc2 is not chenged. If necessary, a universal
+ * the original @_nc is deallocated. @_nc2 is not changed. If necessary, a universal
* excluded name constraint node of the right type is added to the list provided
* in @_nc_excluded.
*
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index db54b3ea22..a52c4aa428 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -2575,7 +2575,7 @@ time_t _gnutls_ocsp_get_validity(gnutls_ocsp_resp_t resp)
now = gnutls_time(0);
if (ntime == -1) {
- /* This is a problematic case, and there is no concensus on how
+ /* This is a problematic case, and there is no consensus on how
* to treat these responses. It doesn't contain the time after which
* the response is invalid, thus it is an OCSP response effectively
* valid forever defeating the purpose of OCSP. We set here the same
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 1f5b4bdf88..447eb8e2c9 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -827,7 +827,7 @@ int gnutls_pkcs12_set_bag(gnutls_pkcs12_t pkcs12, gnutls_pkcs12_bag_t bag)
asn1_delete_structure(&safe_cont);
- /* Step 5. Reencode and copy the AuthenticatedSafe into the pkcs12
+ /* Step 5. Re-encode and copy the AuthenticatedSafe into the pkcs12
* structure.
*/
result =
diff --git a/lib/x509/time.c b/lib/x509/time.c
index 4d2b789268..2632a795a9 100644
--- a/lib/x509/time.c
+++ b/lib/x509/time.c
@@ -35,7 +35,7 @@
#include <common.h>
/* TIME functions
- * Convertions between generalized or UTC time to time_t
+ * Conversions between generalized or UTC time to time_t
*
*/
@@ -69,7 +69,7 @@ static const int MONTHDAYS[] = {
/*
** Given a struct tm representing a calendar time in UTC, convert it to
** seconds since epoch. Returns (time_t) -1 if the time is not
- ** convertable. Note that this function does not canonicalize the provided
+ ** convertible. Note that this function does not canonicalize the provided
** struct tm, nor does it allow out of range values or years before 1970.
*/
static time_t mktime_utc(const struct fake_tm *tm)
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 7f640f1a13..5969b36146 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -1203,7 +1203,7 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
/* This macro is introduced to detect a verification output
* which indicates an unknown signer, or a signer which uses
* an insecure algorithm (e.g., sha1), something that indicates
- * a superceded signer */
+ * a superseded signer */
#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM))
#define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND))
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index 6c7cf99012..f4a580bb05 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -45,10 +45,6 @@
# endif
#endif
-#ifdef _WIN32
-# include <tchar.h>
-#endif
-
/* Convenience functions for verify-high functionality
*/
@@ -390,14 +386,12 @@ int load_dir_certs(const char *dirname,
unsigned int tl_flags, unsigned int tl_vflags,
unsigned type, unsigned crl)
{
+ DIR *dirp;
+ struct dirent *d;
int ret;
int r = 0;
char path[GNUTLS_PATH_MAX];
-#if !defined(_WIN32) || !defined(_UNICODE)
- DIR *dirp;
- struct dirent *d;
-
dirp = opendir(dirname);
if (dirp != NULL) {
do {
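Review bot: A failed `opendir(dirname)` in load_dir_certs() is still indistinguishable from an empty directory: the `if (dirp != NULL)` block is skipped and the function reaches `return r;` in the next hunk with r == 0. With the wide-character branch removed, every build goes through plain opendir(), so a directory it cannot open (presumably including non-ASCII names on Windows) silently contributes no trust anchors or CRLs. At minimum, record the failure with an `else gnutls_assert();` after the block's closing brace. The function comment should also state that 0 can mean "directory unreadable", so callers loading CRLs know to treat it as suspicious.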
@@ -428,47 +422,7 @@ int load_dir_certs(const char *dirname,
while (d != NULL);
closedir(dirp);
}
-#else /* _WIN32 */
- _TDIR *dirp;
- struct _tdirent *d;
- gnutls_datum_t utf16 = {NULL, 0};
-
- r = _gnutls_utf8_to_ucs2(dirname, strlen(dirname), &utf16);
- if (r < 0)
- return gnutls_assert_val(r);
- dirp = _topendir((_TCHAR*)utf16.data);
- gnutls_free(utf16.data);
- if (dirp != NULL) {
- do {
- d = _treaddir(dirp);
- if (d != NULL
-#ifdef _DIRENT_HAVE_D_TYPE
- && (d->d_type == DT_REG || d->d_type == DT_LNK || d->d_type == DT_UNKNOWN)
-#endif
- ) {
- snprintf(path, sizeof(path), "%s/%S",
- dirname, d->d_name);
-
- if (crl != 0) {
- ret =
- gnutls_x509_trust_list_add_trust_file
- (list, NULL, path, type, tl_flags,
- tl_vflags);
- } else {
- ret =
- gnutls_x509_trust_list_add_trust_file
- (list, path, NULL, type, tl_flags,
- tl_vflags);
- }
- if (ret >= 0)
- r += ret;
- }
- }
- while (d != NULL);
- _tclosedir(dirp);
- }
-#endif /* _WIN32 */
return r;
}
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 58acf42b86..d4eafd4fdd 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -593,7 +593,7 @@ static int _gnutls_x509_verify_data(gnutls_sign_algorithm_t sign,
* trusted CAs.
*
* Returns only 0 or 1. If 1 it means that the certificate
- * was successfuly verified.
+ * was successfully verified.
*
* 'flags': an OR of the gnutls_certificate_verify_flags enumeration.
*
diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
index 58c3263d1e..8213c6e427 100644
--- a/lib/x509/x509_ext.c
+++ b/lib/x509/x509_ext.c
@@ -453,7 +453,7 @@ int gnutls_x509_ext_import_name_constraints(const gnutls_datum_t * ext,
*
* This function will convert the provided name constraints type to a
* DER-encoded PKIX NameConstraints (2.5.29.30) extension. The output data in
- * @ext will be allocated usin gnutls_malloc().
+ * @ext will be allocated using gnutls_malloc().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
*
@@ -3136,7 +3136,7 @@ int gnutls_x509_ext_import_key_purposes(const gnutls_datum_t * ext,
*
* This function will convert the key purposes type to a
* DER-encoded PKIX ExtKeyUsageSyntax (2.5.29.37) extension. The output data in
- * @ext will be allocated usin gnutls_malloc().
+ * @ext will be allocated using gnutls_malloc().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
*
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index bbd59d1547..c1bacc7b2a 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -313,7 +313,7 @@ _gnutls_x509_ext_extract_number(uint8_t * number,
size_t * nr_size,
uint8_t * extnValue, int extnValueLen);
int
-_gnutls_x509_ext_gen_number(const uint8_t * nuber, size_t nr_size,
+_gnutls_x509_ext_gen_number(const uint8_t * number, size_t nr_size,
gnutls_datum_t * der_ext);
diff --git a/tests/alpn-server-prec.c b/tests/alpn-server-prec.c
index e8da9ebada..0461c5d39a 100644
--- a/tests/alpn-server-prec.c
+++ b/tests/alpn-server-prec.c
@@ -45,6 +45,7 @@ int main(int argc, char **argv)
#include <sys/wait.h>
#include <arpa/inet.h>
#include <unistd.h>
+#include <signal.h>
#include <gnutls/gnutls.h>
#include <gnutls/dtls.h>
@@ -262,6 +263,8 @@ static void start(const char *p1, const char *p2, const char *cp1, const char *c
int fd[2];
int ret;
+ signal(SIGPIPE, SIG_IGN);
+
ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
if (ret < 0) {
perror("socketpair");
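Review bot: The added `signal(SIGPIPE, SIG_IGN);` in start() has no comment, so the test does not say why the default disposition is a problem. If the intent is that a write to a peer that has already exited should return an error rather than kill the process, a comment such as `/* a write to a closed peer must fail with EPIPE, not kill the test */` would record it. The same uncommented line is added in key-material-set-dtls.c, mini-alpn.c, mini-dtls-discard.c, mini-dtls-heartbeat.c, mini-dtls-record.c, mini-dtls-srtp.c, prf.c and psk-file.c. The disposition is process-wide and inherited across fork(), so setting it once in doit(), as mini-record-failure.c does, would avoid repeating it on every start() call. start() continues outside the hunk.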
diff --git a/tests/key-material-set-dtls.c b/tests/key-material-set-dtls.c
index 692c7a6574..4a569162bb 100644
--- a/tests/key-material-set-dtls.c
+++ b/tests/key-material-set-dtls.c
@@ -42,6 +42,7 @@ int main(int argc, char **argv)
#include <sys/wait.h>
#include <arpa/inet.h>
#include <unistd.h>
+#include <signal.h>
#include <gnutls/gnutls.h>
#include <gnutls/dtls.h>
@@ -354,6 +355,8 @@ static void start(void)
int fd[2];
int ret;
+ signal(SIGPIPE, SIG_IGN);
+
ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
if (ret < 0) {
perror("socketpair");
diff --git a/tests/mini-alpn.c b/tests/mini-alpn.c
index 304d0a171c..bed981451a 100644
--- a/tests/mini-alpn.c
+++ b/tests/mini-alpn.c
@@ -41,6 +41,7 @@ int main(int argc, char **argv)
#include <sys/wait.h>
#include <arpa/inet.h>
#include <unistd.h>
+#include <signal.h>
#include <gnutls/gnutls.h>
#include <gnutls/dtls.h>
@@ -264,6 +265,8 @@ static void start(const char *p1, const char *p2)
int fd[2];
int ret;
+ signal(SIGPIPE, SIG_IGN);
+
ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
if (ret < 0) {
perror("socketpair");
diff --git a/tests/mini-dtls-discard.c b/tests/mini-dtls-discard.c
index e9201acaea..97bc6de29b 100644
--- a/tests/mini-dtls-discard.c
+++ b/tests/mini-dtls-discard.c
@@ -44,6 +44,7 @@ int main()
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
+#include <signal.h>
#include <gnutls/gnutls.h>
#include <gnutls/dtls.h>
#include <assert.h>
@@ -266,6 +267,8 @@ void start(const char *prio)
int fd[2];
int ret;
+ signal(SIGPIPE, SIG_IGN);
+
ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
if (ret < 0) {
perror("socketpair");
diff --git a/tests/mini-dtls-heartbeat.c b/tests/mini-dtls-heartbeat.c
index bb6fa7e528..cb575f9b2c 100644
--- a/tests/mini-dtls-heartbeat.c
+++ b/tests/mini-dtls-heartbeat.c
@@ -43,6 +43,7 @@ int main()
#include <sys/wait.h>
#include <arpa/inet.h>
#include <unistd.h>
+#include <signal.h>
#include <gnutls/gnutls.h>
#include <gnutls/dtls.h>
@@ -312,6 +313,8 @@ static void start(int server_initiated)
int fd[2];
int ret;
+ signal(SIGPIPE, SIG_IGN);
+
ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
if (ret < 0) {
perror("socketpair");
diff --git a/tests/mini-dtls-record.c b/tests/mini-dtls-record.c
index 63bba89aaf..4d92d81c54 100644
--- a/tests/mini-dtls-record.c
+++ b/tests/mini-dtls-record.c
@@ -45,6 +45,7 @@ int main()
#include <sys/wait.h>
#include <arpa/inet.h>
#include <unistd.h>
+#include <signal.h>
#include <gnutls/gnutls.h>
#include <gnutls/dtls.h>
@@ -367,6 +368,8 @@ static void start(void)
int fd[2];
int ret;
+ signal(SIGPIPE, SIG_IGN);
+
ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
if (ret < 0) {
perror("socketpair");
diff --git a/tests/mini-dtls-srtp.c b/tests/mini-dtls-srtp.c
index 93c06820f8..78c03b3d1e 100644
--- a/tests/mini-dtls-srtp.c
+++ b/tests/mini-dtls-srtp.c
@@ -43,6 +43,7 @@ int main(int argc, char **argv)
#include <sys/wait.h>
#include <arpa/inet.h>
#include <unistd.h>
+#include <signal.h>
#include <gnutls/gnutls.h>
#include <gnutls/dtls.h>
@@ -304,6 +305,8 @@ static void start(int profile)
int fd[2];
int ret;
+ signal(SIGPIPE, SIG_IGN);
+
ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
if (ret < 0) {
perror("socketpair");
diff --git a/tests/mini-record-failure.c b/tests/mini-record-failure.c
index 02b0546270..46df2a1900 100644
--- a/tests/mini-record-failure.c
+++ b/tests/mini-record-failure.c
@@ -331,6 +331,7 @@ static void ch_handler(int sig)
void doit(void)
{
+ signal(SIGPIPE, SIG_IGN);
signal(SIGCHLD, ch_handler);
start("aes-cbc", AES_CBC, 1);
diff --git a/tests/prf.c b/tests/prf.c
index 78526cfba8..ff839fe73c 100644
--- a/tests/prf.c
+++ b/tests/prf.c
@@ -41,6 +41,7 @@ int main(int argc, char **argv)
#include <sys/wait.h>
#include <arpa/inet.h>
#include <unistd.h>
+#include <signal.h>
#include <gnutls/gnutls.h>
#include <gnutls/dtls.h>
@@ -423,6 +424,8 @@ static void start(void)
int fd[2];
int ret;
+ signal(SIGPIPE, SIG_IGN);
+
ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
if (ret < 0) {
perror("socketpair");
diff --git a/tests/psk-file.c b/tests/psk-file.c
index 2512086e0f..0a6eef4b87 100644
--- a/tests/psk-file.c
+++ b/tests/psk-file.c
@@ -48,6 +48,7 @@ int main(int argc, char **argv)
#include <sys/wait.h>
#endif
#include <unistd.h>
+#include <signal.h>
#include <assert.h>
#include <gnutls/gnutls.h>
@@ -304,6 +305,8 @@ void run_test3(const char *prio, const char *sprio, const char *user, const gnut
int err;
int sockets[2];
+ signal(SIGPIPE, SIG_IGN);
+
if (expect_fail_serv || expect_fail_cli) {
success("ntest %s (user:%s)\n", prio, user);
} else {
@@ -407,7 +410,7 @@ void doit(void)
run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE4096", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL:+GROUP-FFDHE4096", "jas", &key, 0, GNUTLS_KX_DHE_PSK, 0, 0);
/* try without server credentials */
- run_test3("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, "jas", &key, 1, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_INSUFFICIENT_CREDENTIALS);
+ run_test3("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, "jas", &key, 1, 0, 0, GNUTLS_E_PUSH_ERROR, GNUTLS_E_INSUFFICIENT_CREDENTIALS);
}
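Review bot: The expected client error for the "without server credentials" case becomes `GNUTLS_E_PUSH_ERROR`, a transport-level failure, and nothing explains why the client no longer sees the server's fatal alert. Read together with the SIGPIPE change in run_test3(), it looks as though the client now writes to a socket the server has already closed. If so, which error the client observes may depend on timing, and the test no longer asserts that an alert is delivered. A comment above the call, e.g. `/* server closes before the client finishes writing, so the client fails in push rather than on the alert */`, would document the expectation. It is worth confirming that the result is stable across platforms.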
#endif /* _WIN32 */
diff --git a/tests/slow/cipher-api-test.c b/tests/slow/cipher-api-test.c
index 66b164037d..4a9cd1ea30 100644
--- a/tests/slow/cipher-api-test.c
+++ b/tests/slow/cipher-api-test.c
@@ -48,14 +48,54 @@ static void tls_log_func(int level, const char *str)
fprintf(stderr, "<%d>| %s", level, str);
}
-static unsigned error_detected = 0;
-
-static void custom_abrt(int sig)
+/* Test whether an invalid call to gnutls_cipher_encrypt() is caught */
+static void test_cipher(int algo)
{
- error_detected = 1;
+ int ret;
+ gnutls_cipher_hd_t ch;
+ uint8_t key16[64];
+ uint8_t iv16[32];
+ uint8_t data[128];
+ gnutls_datum_t key, iv;
+
+ key.data = key16;
+ key.size = gnutls_cipher_get_key_size(algo);
+ assert(key.size <= sizeof(key16));
+
+ iv.data = iv16;
+ iv.size = gnutls_cipher_get_iv_size(algo);
+ assert(iv.size <= sizeof(iv16));
+
+ memset(iv.data, 0xff, iv.size);
+ memset(key.data, 0xfe, key.size);
+ memset(data, 0xfa, sizeof(data));
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(4711);
+
+ ret = global_init();
+ if (ret < 0) {
+ fail("Cannot initialize library\n"); /*errcode 1 */
+ }
+
+ ret =
+ gnutls_cipher_init(&ch, algo, &key, &iv);
+ if (ret < 0)
+ fail("gnutls_cipher_init failed\n"); /*errcode 1 */
+
+ /* try encrypting in a way that violates nettle's block conventions */
+ ret = gnutls_cipher_encrypt(ch, data, sizeof(data)-1);
+ if (ret >= 0)
+ fail("succeeded in encrypting partial data on block cipher\n");
+
+ gnutls_cipher_deinit(ch);
+
+ gnutls_global_deinit();
}
-static void test_cipher(int algo, unsigned aead)
+/* Test whether an invalid gnutls_cipher_add_auth() is caught */
+static void test_aead_cipher1(int algo)
{
int ret;
gnutls_cipher_hd_t ch;
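Review bot: The size guards in the new test_cipher(), `assert(key.size <= sizeof(key16));` and `assert(iv.size <= sizeof(iv16));`, kill the child with SIGABRT when they fail, and check_status() added later in this patch accepts a SIGABRT death. A broken setup would therefore be reported as a pass, and with NDEBUG the guards vanish and the following memset() calls are no longer bounded by the stack buffers. Explicit checks such as `if (key.size > sizeof(key16)) fail("unexpected key size\n");` (assuming fail() exits non-zero, as the `errcode 1` comments suggest) keep both properties. The same two asserts are repeated in test_aead_cipher2(). The setup block is also copied almost verbatim into all three test functions and could move into one helper.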
@@ -63,10 +103,9 @@ static void test_cipher(int algo, unsigned aead)
uint8_t iv16[32];
uint8_t data[128];
gnutls_datum_t key, iv;
- unsigned auth = 1;
if (algo == GNUTLS_CIPHER_CHACHA20_POLY1305)
- auth = 0;
+ return;
key.data = key16;
key.size = gnutls_cipher_get_key_size(algo);
@@ -94,44 +133,84 @@ static void test_cipher(int algo, unsigned aead)
if (ret < 0)
fail("gnutls_cipher_init failed\n"); /*errcode 1 */
- if (aead) {
- if (auth) {
- ret = gnutls_cipher_add_auth(ch, data, sizeof(data)-1);
- if (ret < 0)
- fail("could not add auth data\n");
-
- signal(SIGABRT, custom_abrt);
- ret = gnutls_cipher_add_auth(ch, data, 16);
- signal(SIGABRT, SIG_DFL);
- if (ret >= 0 && error_detected == 0)
- fail("succeeded in adding auth data data after partial data were given\n");
- }
+ ret = gnutls_cipher_add_auth(ch, data, sizeof(data)-1);
+ if (ret < 0)
+ fail("could not add auth data\n");
- /* try encrypting in a way that violates nettle's AEAD conventions */
- ret = gnutls_cipher_encrypt(ch, data, sizeof(data)-1);
- if (ret < 0)
- fail("could not encrypt data\n");
+ ret = gnutls_cipher_add_auth(ch, data, 16);
+ if (ret >= 0)
+ fail("succeeded in adding auth data data after partial data were given\n");
- signal(SIGABRT, custom_abrt);
- ret = gnutls_cipher_encrypt(ch, data, sizeof(data));
- signal(SIGABRT, SIG_DFL);
- if (ret >= 0 && error_detected == 0)
- fail("succeeded in encrypting partial data after partial data were given\n");
+ gnutls_cipher_deinit(ch);
- } else {
- /* try encrypting in a way that violates nettle's block conventions */
- signal(SIGABRT, custom_abrt);
- ret = gnutls_cipher_encrypt(ch, data, sizeof(data)-1);
- signal(SIGABRT, SIG_DFL);
- if (ret >= 0 && error_detected == 0)
- fail("succeeded in encrypting partial data on block cipher\n");
+ gnutls_global_deinit();
+ return;
+}
+
+/* Test whether an invalid call to gnutls_cipher_encrypt() is caught */
+static void test_aead_cipher2(int algo)
+{
+ int ret;
+ gnutls_cipher_hd_t ch;
+ uint8_t key16[64];
+ uint8_t iv16[32];
+ uint8_t data[128];
+ gnutls_datum_t key, iv;
+
+ key.data = key16;
+ key.size = gnutls_cipher_get_key_size(algo);
+ assert(key.size <= sizeof(key16));
+
+ iv.data = iv16;
+ iv.size = gnutls_cipher_get_iv_size(algo);
+ assert(iv.size <= sizeof(iv16));
+
+ memset(iv.data, 0xff, iv.size);
+ memset(key.data, 0xfe, key.size);
+ memset(data, 0xfa, sizeof(data));
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(4711);
+
+ ret = global_init();
+ if (ret < 0) {
+ fail("Cannot initialize library\n"); /*errcode 1 */
}
+
+ ret =
+ gnutls_cipher_init(&ch, algo, &key, &iv);
+ if (ret < 0)
+ fail("gnutls_cipher_init failed\n"); /*errcode 1 */
+
+ /* try encrypting in a way that violates nettle's AEAD conventions */
+ ret = gnutls_cipher_encrypt(ch, data, sizeof(data)-1);
+ if (ret < 0)
+ fail("could not encrypt data\n");
+
+ ret = gnutls_cipher_encrypt(ch, data, sizeof(data));
+ if (ret >= 0)
+ fail("succeeded in encrypting partial data after partial data were given\n");
+
gnutls_cipher_deinit(ch);
gnutls_global_deinit();
return;
}
+static void check_status(int status)
+{
+ if (WEXITSTATUS(status) != 0 ||
+ (WIFSIGNALED(status) && WTERMSIG(status) != SIGABRT)) {
+ if (WIFSIGNALED(status)) {
+ fail("Child died with signal %d\n", WTERMSIG(status));
+ } else {
+ fail("Child died with status %d\n",
+ WEXITSTATUS(status));
+ }
+ }
+}
+
static
void start(const char *name, int algo, unsigned aead)
{
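Review bot: check_status() evaluates `WEXITSTATUS(status)` without first testing `WIFEXITED(status)`; the exit-status bits are only meaningful for a child that exited normally, so for a signalled child the first operand reads an unspecified value. Guarding it as `if ((WIFEXITED(status) && WEXITSTATUS(status) != 0) ||`, with the second operand unchanged, makes the two cases explicit. The function also needs a short comment saying that SIGABRT is accepted because an abort on the invalid call apparently counts as the misuse being caught; without it the exemption reads like an oversight. `_check_wait_status()` in tests/utils.h, changed at the end of this patch, uses the same unguarded `WEXITSTATUS` pattern.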
@@ -152,9 +231,34 @@ void start(const char *name, int algo, unsigned aead)
int status;
/* parent */
wait(&status);
- check_wait_status(status);
+ check_status(status);
+ } else {
+ if (!aead)
+ test_cipher(algo);
+ else
+ test_aead_cipher1(algo);
+ exit(0);
+ }
+
+ if (!aead)
+ return;
+
+ /* check test_aead_cipher2 */
+
+ child = fork();
+ if (child < 0) {
+ perror("fork");
+ fail("fork");
+ return;
+ }
+
+ if (child) {
+ int status;
+ /* parent */
+ wait(&status);
+ check_status(status);
} else {
- test_cipher(algo,aead);
+ test_aead_cipher2(algo);
exit(0);
}
}
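Review bot: Both `wait(&status);` calls in start() ignore the return value, so if wait() fails, `status` reaches check_status() uninitialised. Checking the call, e.g. `if (waitpid(child, &status, 0) < 0) fail("waitpid failed\n");`, also ties the status to the child that was just forked. The fork/wait/check sequence is now written out twice, and a small helper taking the test function as an argument would remove the duplication. start() begins outside the hunk.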
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index 9c7a53678b..49acc0ff9f 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
@@ -1045,7 +1045,7 @@ if test "x${TOKEN}" = x; then
exit_error
fi
-${P11TOOL} ${ADDITIONAL_PARAM} --list-machanisms ${TOKEN}|grep 25519 >/dev/null
+${P11TOOL} ${ADDITIONAL_PARAM} --list-mechanisms ${TOKEN}|grep 25519 >/dev/null
if test $? = 0;then
have_ed25519=1
fi
diff --git a/tests/utils.h b/tests/utils.h
index b905065c52..e5728374fa 100644
--- a/tests/utils.h
+++ b/tests/utils.h
@@ -24,6 +24,7 @@
#define UTILS_H
#include <stdio.h>
+#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <stdarg.h>
@@ -148,7 +149,7 @@ inline static void _check_wait_status(int status, unsigned sigonly)
{
#if defined WEXITSTATUS && defined WIFSIGNALED
if (WEXITSTATUS(status) != 0 ||
- (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)) {
+ (WIFSIGNALED(status) && WTERMSIG(status) != SIGTERM)) {
if (WIFSIGNALED(status)) {
fail("Child died with signal %d\n", WTERMSIG(status));
} else {