79 files changed, 252 insertions, 114 deletions
diff --git a/.gitignore b/.gitignore index 88c4d33b68..2b23292693 100644 --- a/.gitignore +++ b/.gitignore @@ -344,6 +344,7 @@ tests/atfork tests/auto-verify tests/base64 tests/base64-raw +tests/buffer tests/cert tests/cert-key-exchange tests/cert-status @@ -353,6 +354,7 @@ tests/certificate_set_x509_crl tests/certuniqueid tests/chainverify tests/chainverify-unsorted +tests/cipher-alignment tests/cipher-test tests/client tests/client-fastopen @@ -376,6 +378,7 @@ tests/cve-2009-1416 tests/dane tests/dane-strcodes tests/datefudge-check +tests/dh-compute tests/dh-params tests/dhepskself tests/dhex509self @@ -386,6 +389,7 @@ tests/dtls-client-with-seccomp tests/dtls-etm tests/dtls-handshake-versions tests/dtls-max-record +tests/dtls-pthread tests/dtls-record-check tests/dtls-rehandshake-anon tests/dtls-rehandshake-cert @@ -402,9 +406,11 @@ tests/dtls1.0-cert-key-exchange tests/dtls1.2-cert-key-exchange tests/dtls10-cert-key-exchange tests/dtls12-cert-key-exchange +tests/dtls_hello_random_value tests/duplicate-extensions tests/eagain tests/eagain-auto-auth +tests/ecdh-compute tests/empty_retrieve_function tests/fallback-scsv tests/finished @@ -414,6 +420,7 @@ tests/fips-test tests/gc tests/global-init tests/global-init-override +tests/gnutls-ids tests/gnutls-strcodes tests/gnutls_ext_raw_parse tests/gnutls_ext_raw_parse_dtls @@ -454,6 +461,7 @@ tests/key-usage-ecdhe-rsa tests/key-usage-rsa tests/keygen tests/keylog-env +tests/keylog-func tests/libpkcs11mock1.la tests/libpkcs11mock2.la tests/libutils.la @@ -521,6 +529,8 @@ tests/mini-x509-ipaddr tests/mini-x509-kx tests/mini-x509-rehandshake tests/mini-xssl +tests/missingissuer +tests/missingissuer_aia tests/moredn tests/mpi tests/multi-alerts @@ -537,6 +547,7 @@ tests/ocsp tests/ocsp-filename-memleak tests/ocsp-resp tests/oids +tests/openconnect-dtls12 tests/openpgp-auth tests/openpgp-auth2 tests/openpgp-callback 
@@ -617,6 +628,7 @@ tests/privkey-keygen tests/privkey-verify-broken tests/psk-file tests/pskself +tests/pskself2 tests/pubkey-import-export tests/random-art tests/rawpk-api @@ -643,6 +655,8 @@ tests/resume-with-previous-stek tests/resume-with-record-size-limit tests/resume-with-stek-expiration tests/resume-x509 +tests/rfc7633-missing +tests/rfc7633-ok tests/rng-fork tests/rng-no-onload tests/rng-op-key @@ -693,6 +707,7 @@ tests/set_x509_key_file_ocsp_multi tests/set_x509_key_file_ocsp_multi2 tests/set_x509_key_mem tests/set_x509_key_utf8 +tests/set_x509_ocsp_multi_cli tests/set_x509_ocsp_multi_invalid tests/set_x509_ocsp_multi_pem tests/set_x509_ocsp_multi_unknown @@ -705,10 +720,12 @@ tests/sign-md5-rep tests/sign-pk-api tests/sign-verify tests/sign-verify-data +tests/sign-verify-data-newapi tests/sign-verify-deterministic tests/sign-verify-ed25519-rfc8080 tests/sign-verify-ext tests/sign-verify-ext4 +tests/sign-verify-newapi tests/simple tests/slow/cipher-api-test tests/slow/cipher-compat @@ -722,6 +739,8 @@ tests/slow/hash-large tests/slow/keygen tests/slow/mac-override tests/softhsm-*.db/ +tests/softhsm-neg-no-key.config +tests/softhsm-post-handshake-with-cert-pkcs11.config tests/spki tests/spki-abstract tests/srp @@ -767,7 +786,10 @@ tests/suite/testpkcs11.debug tests/suite/testtpm.sh tests/suite/tlslite tests/suite/x509paths/X509tests +tests/system-override-hash +tests/system-override-sig tests/system-prio-file +tests/time tests/tls-client-with-seccomp tests/tls-crt_type-neg tests/tls-etm @@ -777,6 +799,7 @@ tests/tls-force-etm tests/tls-max-record tests/tls-neg-ext-key tests/tls-neg-ext4-key +tests/tls-pthread tests/tls-record-size-limit tests/tls-record-size-limit-asym tests/tls-rehandshake-anon @@ -827,6 +850,7 @@ tests/tls13-rehandshake-cert tests/tls13-resume-psk tests/tls13-resume-x509 tests/tls13-server-kx-neg +tests/tls13-without-timeout-func tests/tls13/anti_replay tests/tls13/change_cipher_spec tests/tls13/cookie 
@@ -837,6 +861,7 @@ tests/tls13/key_share tests/tls13/key_update tests/tls13/key_update_multiple tests/tls13/multi-ocsp +tests/tls13/no-auto-send-ticket tests/tls13/no-psk-exts tests/tls13/ocsp-client tests/tls13/post-handshake-with-cert @@ -851,7 +876,7 @@ tests/tls13/psk-dumbfw tests/tls13/psk-ext tests/tls13/supported_versions tests/tls13/tls12-no-tls13-exts -tests/tls13/no-auto-send-ticket +tests/tls_hello_random_value tests/tlsext-decoding tests/tlsfeature-crt tests/tlsfeature-ext @@ -871,6 +896,7 @@ tests/x509-dn tests/x509-dn-decode tests/x509-dn-decode-compat tests/x509-extensions +tests/x509-server-verify tests/x509-verify-with-crl tests/x509_altname tests/x509cert diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 86b2d589fb..628dd367b1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -7,7 +7,7 @@ stages: # name to allow expiration of old caches. cache: - key: "$CI_JOB_NAME-ver15" + key: "$CI_JOB_NAME-ver16" paths: - cache/ diff --git a/configure.ac b/configure.ac index e4ca66aecb..a46d85d070 100644 --- a/configure.ac +++ b/configure.ac @@ -347,6 +347,9 @@ AM_CONDITIONAL([GTK_DOC_USE_LIBTOOL], false) AM_GNU_GETTEXT([external]) AM_GNU_GETTEXT_VERSION([0.19]) +m4_ifdef([AM_GNU_GETTEXT_REQUIRE_VERSION],[ +AM_GNU_GETTEXT_REQUIRE_VERSION([0.19]) +]) AC_C_BIGENDIAN @@ -459,6 +462,9 @@ fi AM_CONDITIONAL(WANT_TEST_SUITE, test "$full_test_suite" = "yes") +# parts of the extended test suite use Python +AM_PATH_PYTHON(,, [:]) + AC_ARG_ENABLE(oldgnutls-interop, AS_HELP_STRING([--enable-oldgnutls-interop], [enable interoperability testing with old gnutls version]), enable_oldgnutls_interop=$enableval, enable_oldgnutls_interop=no) 
@@ -741,7 +747,10 @@ LIBS=$save_LIBS save_LIBS=$LIBS LIBS="$LIBS $GMP_LIBS" AC_MSG_CHECKING([gmp soname]) -AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], +AC_LINK_IFELSE([AC_LANG_PROGRAM([ + #include <gmp.h>],[ + mpz_t n; + mpz_init(n);])], [gmp_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libgmp\.so'`], [gmp_so=none]) if test -z "$gmp_so"; then @@ -754,7 +763,10 @@ LIBS=$save_LIBS save_LIBS=$LIBS LIBS="$LIBS $NETTLE_LIBS" AC_MSG_CHECKING([nettle soname]) -AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], +AC_LINK_IFELSE([AC_LANG_PROGRAM([ + #include <nettle/sha2.h>],[ + struct sha256_ctx ctx; + sha256_init(&ctx);])], [nettle_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libnettle\.so'`], [nettle_so=none]) if test -z "$nettle_so"; then @@ -767,7 +779,10 @@ LIBS=$save_LIBS save_LIBS=$LIBS LIBS="$LIBS $HOGWEED_LIBS" AC_MSG_CHECKING([hogweed soname]) -AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], +AC_LINK_IFELSE([AC_LANG_PROGRAM([ + #include <nettle/rsa.h>],[ + struct rsa_private_key priv; + nettle_rsa_private_key_init(&priv);])], [hogweed_so=`(eval "$LDDPROG conftest$EXEEXT $LDDPOSTPROC") | grep '^libhogweed\.so'`], [hogweed_so=none]) if test -z "$hogweed_so"; then diff --git a/lib/algorithms.h b/lib/algorithms.h index 9cdb3abf7a..7a051b6365 100644 --- a/lib/algorithms.h +++ b/lib/algorithms.h 
@@ -174,11 +174,24 @@ inline static int _gnutls_mac_get_key_size(const mac_entry_st * e) return e->key_size; } +inline static gnutls_digest_algorithm_t +_gnutls_mac_to_dig(gnutls_mac_algorithm_t mac) +{ + if (unlikely(mac >= GNUTLS_MAC_AEAD)) + return GNUTLS_DIG_UNKNOWN; + + return (gnutls_digest_algorithm_t)mac; +} + +#define MAC_TO_DIG(mac) _gnutls_mac_to_dig(mac) + /* Functions for digests. */ #define _gnutls_x509_digest_to_oid _gnutls_x509_mac_to_oid #define _gnutls_digest_get_name _gnutls_mac_get_name #define _gnutls_hash_get_algo_len _gnutls_mac_get_algo_len +#define DIG_TO_MAC(dig) (gnutls_mac_algorithm_t)(dig) + /* Security against pre-image attacks */ inline static int _gnutls_digest_is_secure(const mac_entry_st * e) { diff --git a/lib/algorithms/mac.c b/lib/algorithms/mac.c index a82270975d..518323bca1 100644 --- a/lib/algorithms/mac.c +++ b/lib/algorithms/mac.c @@ -132,14 +132,17 @@ mac_entry_st hash_algorithms[] = { .id = GNUTLS_MAC_RMD160, .output_size = 20, .key_size = 20, - .block_size = 64}, + .block_size = 64 + }, {.name = "GOSTR341194", .oid = HASH_OID_GOST_R_3411_94, .mac_oid = MAC_OID_GOST_R_3411_94, .id = GNUTLS_MAC_GOSTR_94, .output_size = 32, .key_size = 32, - .block_size = 32}, + .block_size = 32, + .flags = GNUTLS_MAC_FLAG_PREIMAGE_INSECURE + }, {.name = "STREEBOG-256", .oid = HASH_OID_STREEBOG_256, .mac_oid = MAC_OID_STREEBOG_256, diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c index 0d8d1a89c9..2728a54478 100644 --- a/lib/algorithms/sign.c +++ b/lib/algorithms/sign.c @@ -797,7 +797,7 @@ _gnutls_sign_get_hash_strength(gnutls_sign_algorithm_t sign) if (unlikely(se == NULL)) return 0; - me = mac_to_entry(se->hash); + me = hash_to_entry(se->hash); if (unlikely(me == NULL)) return 0; diff --git a/lib/crypto-api.c b/lib/crypto-api.c index adef4bee7b..bd600ef166 100644 --- a/lib/crypto-api.c +++ b/lib/crypto-api.c 
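Review bot: `DIG_TO_MAC` in lib/algorithms.h is a bare, unchecked cast, while its counterpart `MAC_TO_DIG` goes through `_gnutls_mac_to_dig()` and rejects anything at or above `GNUTLS_MAC_AEAD`. Writing it as `#define DIG_TO_MAC(dig) ((gnutls_mac_algorithm_t)(dig))` follows the usual rule of parenthesizing the whole expansion. A short comment above both macros should state the assumption that digest and MAC identifiers share numeric values below `GNUTLS_MAC_AEAD`. Callers touched by this commit, such as `gnutls_pkcs12_verify_mac`, compare the cast result with `GNUTLS_MAC_UNKNOWN`, which presumably relies on the two UNKNOWN constants being equal; that is not visible in this diff and is worth confirming.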
@@ -588,7 +588,7 @@ int gnutls_hash_init(gnutls_hash_hd_t * dig, gnutls_digest_algorithm_t algorithm) { - if (is_mac_algo_forbidden(algorithm)) + if (is_mac_algo_forbidden(DIG_TO_MAC(algorithm))) return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); *dig = gnutls_malloc(sizeof(digest_hd_st)); @@ -684,7 +684,7 @@ int gnutls_hash_fast(gnutls_digest_algorithm_t algorithm, const void *ptext, size_t ptext_len, void *digest) { - if (is_mac_algo_forbidden(algorithm)) + if (is_mac_algo_forbidden(DIG_TO_MAC(algorithm))) return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); return _gnutls_hash_fast(algorithm, ptext, ptext_len, digest); diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c index 6f66cd84dd..70b0f618ff 100644 --- a/lib/crypto-selftests-pk.c +++ b/lib/crypto-selftests-pk.c @@ -321,6 +321,10 @@ static int test_sig(gnutls_pk_algorithm_t pk, gnutls_datum_t sig = { NULL, 0 }; gnutls_pubkey_t pub = NULL; char param_name[32]; + unsigned vflags = 0; + + if (sigalgo == GNUTLS_SIGN_GOST_94) + vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; ret = gnutls_privkey_init(&key); if (ret < 0) @@ -427,7 +431,7 @@ static int test_sig(gnutls_pk_algorithm_t pk, } ret = - gnutls_pubkey_verify_data2(pub, sigalgo, 0, + gnutls_pubkey_verify_data2(pub, sigalgo, vflags, &signed_data, &sig); if (ret < 0) { ret = GNUTLS_E_SELF_TEST_ERROR; @@ -436,7 +440,7 @@ static int test_sig(gnutls_pk_algorithm_t pk, } ret = - gnutls_pubkey_verify_data2(pub, sigalgo, 0, + gnutls_pubkey_verify_data2(pub, sigalgo, vflags, &bad_data, &sig); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) { @@ -475,6 +479,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, gnutls_pubkey_t pub = NULL; gnutls_privkey_t key; char param_name[32]; + unsigned vflags = 0; if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 || 
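Review bot: The new `vflags |= GNUTLS_VERIFY_ALLOW_BROKEN` in `test_sig` has no comment saying why a self-test opts into broken-algorithm verification, and the same applies to the `dig == GNUTLS_DIG_GOSTR_94` case added to `test_known_sig` in the following hunk. Judging from the `GNUTLS_MAC_FLAG_PREIMAGE_INSECURE` flag this commit adds to the GOSTR341194 entry in lib/algorithms/mac.c, verification would otherwise reject these signatures. A one-line comment such as `/* GOST R 34.11-94 is flagged insecure; the self-test must still exercise it */` would keep the exception from being copied to other algorithms. Both function bodies extend beyond these hunks.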
@@ -484,6 +489,8 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, snprintf(param_name, sizeof(param_name), "%s", gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE (bits))); + if (dig == GNUTLS_DIG_GOSTR_94) + vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; } else { snprintf(param_name, sizeof(param_name), "%u", bits); } @@ -553,7 +560,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, } ret = - gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, + gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), vflags, &signed_data, &sig); if (ret < 0) { ret = GNUTLS_E_SELF_TEST_ERROR; diff --git a/lib/hash_int.c b/lib/hash_int.c index 8c528d5f90..59eddeba37 100644 --- a/lib/hash_int.c +++ b/lib/hash_int.c @@ -80,7 +80,7 @@ int _gnutls_digest_exists(gnutls_digest_algorithm_t algo) { const gnutls_crypto_digest_st *cc = NULL; - if (is_mac_algo_forbidden(algo)) + if (is_mac_algo_forbidden(DIG_TO_MAC(algo))) return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); cc = _gnutls_get_crypto_digest(algo); diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c index ccf403b007..57a8560ede 100644 --- a/lib/nettle/pk.c +++ b/lib/nettle/pk.c @@ -917,7 +917,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, /* This call will return a valid MAC entry and * getters will check that is not null anyway. */ - me = mac_to_entry(_gnutls_gost_digest(pk_params->algo)); + me = hash_to_entry(_gnutls_gost_digest(pk_params->algo)); if (_gnutls_mac_get_algo_len(me) != vdata->size) { gnutls_assert(); _gnutls_debug_log @@ -987,7 +987,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, ret = _gnutls_ecdsa_compute_k(k, curve_id, pk_params->params[ECC_K], - sign_params->dsa_dig, + DIG_TO_MAC(sign_params->dsa_dig), vdata->data, vdata->size); if (ret < 0) 
@@ -1056,7 +1056,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, ret = _gnutls_dsa_compute_k(k, pub.q, TOMPZ(priv), - sign_params->dsa_dig, + DIG_TO_MAC(sign_params->dsa_dig), vdata->data, vdata->size); if (ret < 0) @@ -1312,7 +1312,7 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, /* This call will return a valid MAC entry and * getters will check that is not null anyway. */ - me = mac_to_entry(_gnutls_gost_digest(pk_params->algo)); + me = hash_to_entry(_gnutls_gost_digest(pk_params->algo)); if (_gnutls_mac_get_algo_len(me) != vdata->size) return gnutls_assert_val(GNUTLS_E_PK_SIG_VERIFY_FAILED); diff --git a/lib/tls-sig.c b/lib/tls-sig.c index 779e02c18f..7d2b04323e 100644 --- a/lib/tls-sig.c +++ b/lib/tls-sig.c @@ -160,7 +160,7 @@ _gnutls_handshake_sign_data10(gnutls_session_t session, dconcat.data = concat; dconcat.size = _gnutls_hash_get_algo_len(me); - ret = gnutls_privkey_sign_hash(pkey, me->id, GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA, + ret = gnutls_privkey_sign_hash(pkey, MAC_TO_DIG(me->id), GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA, &dconcat, signature); if (ret < 0) { gnutls_assert(); @@ -788,7 +788,7 @@ _gnutls_handshake_sign_crt_vrfy10(gnutls_session_t session, dconcat.data = concat; dconcat.size = _gnutls_hash_get_algo_len(me); - ret = gnutls_privkey_sign_hash(pkey, me->id, GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA, + ret = gnutls_privkey_sign_hash(pkey, MAC_TO_DIG(me->id), GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA, &dconcat, signature); if (ret < 0) { gnutls_assert(); diff --git a/lib/tls13-sig.c b/lib/tls13-sig.c index e15d8305e2..b14390e353 100644 --- a/lib/tls13-sig.c +++ b/lib/tls13-sig.c @@ -104,7 +104,7 @@ _gnutls13_handshake_verify_data(gnutls_session_t session, goto cleanup; } - ret = gnutls_hash_fast(session->security_parameters.prf->id, + ret = gnutls_hash_fast(MAC_TO_DIG(session->security_parameters.prf->id), session->internals.handshake_hash_buffer.data, session->internals.handshake_hash_buffer_prev_len, prefix); 
@@ -186,7 +186,7 @@ _gnutls13_handshake_sign_data(gnutls_session_t session, goto cleanup; } - ret = gnutls_hash_fast(session->security_parameters.prf->id, + ret = gnutls_hash_fast(MAC_TO_DIG(session->security_parameters.prf->id), session->internals.handshake_hash_buffer.data, session->internals.handshake_hash_buffer.length, tmp); diff --git a/lib/tls13/finished.c b/lib/tls13/finished.c index 35ab87f9af..68eab993ea 100644 --- a/lib/tls13/finished.c +++ b/lib/tls13/finished.c @@ -45,7 +45,7 @@ int _gnutls13_compute_finished(const mac_entry_st *prf, if (ret < 0) return gnutls_assert_val(ret); - ret = gnutls_hash_fast(prf->id, + ret = gnutls_hash_fast(MAC_TO_DIG(prf->id), handshake_hash_buffer->data, handshake_hash_buffer->length, ts_hash); diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c index cdb284026a..2dc0823905 100644 --- a/lib/x509/pkcs12.c +++ b/lib/x509/pkcs12.c @@ -1098,7 +1098,7 @@ int gnutls_pkcs12_verify_mac(gnutls_pkcs12_t pkcs12, const char *pass) return _gnutls_asn2err(result); } - algo = gnutls_oid_to_digest(oid); + algo = DIG_TO_MAC(gnutls_oid_to_digest(oid)); if (algo == GNUTLS_MAC_UNKNOWN) { unknown_mac: gnutls_assert(); @@ -1970,7 +1970,7 @@ gnutls_pkcs12_mac_info(gnutls_pkcs12_t pkcs12, unsigned int *mac, *oid = (char*)tmp.data; } - algo = gnutls_oid_to_digest((char*)tmp.data); + algo = DIG_TO_MAC(gnutls_oid_to_digest((char*)tmp.data)); if (algo == GNUTLS_MAC_UNKNOWN || mac_to_entry(algo) == NULL) { gnutls_assert(); return GNUTLS_E_UNKNOWN_HASH_ALGORITHM; diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c index 98669e8879..0ff55ba04b 100644 --- a/lib/x509/pkcs7.c +++ b/lib/x509/pkcs7.c 
@@ -2277,7 +2277,7 @@ static int write_attributes(ASN1_TYPE c2, const char *root, /* If we add any attribute we should add them all */ /* Add hash */ digest_size = _gnutls_hash_get_algo_len(me); - ret = gnutls_hash_fast(me->id, data->data, data->size, digest); + ret = gnutls_hash_fast(MAC_TO_DIG(me->id), data->data, data->size, digest); if (ret < 0) { gnutls_assert(); return ret; diff --git a/src/certtool.c b/src/certtool.c index 0e24ac8281..6bdfe376b1 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -1426,9 +1426,9 @@ static void cmd_parser(int argc, char **argv) if (HAVE_OPT(VERIFY_PROFILE)) { if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none")) { - cinfo.verification_profile = GNUTLS_PROFILE_UNKNOWN; + cinfo.verification_profile = (gnutls_sec_param_t)GNUTLS_PROFILE_UNKNOWN; } else { - cinfo.verification_profile = gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE)); + cinfo.verification_profile = (gnutls_sec_param_t)gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE)); } } else if (!HAVE_OPT(VERIFY_ALLOW_BROKEN)) { if (HAVE_OPT(VERIFY_CHAIN) || HAVE_OPT(VERIFY)) { @@ -2956,7 +2956,7 @@ void generate_pkcs12(common_info_st * cinfo) } if (cinfo->hash != GNUTLS_DIG_UNKNOWN) - mac = cinfo->hash; + mac = (gnutls_mac_algorithm_t)cinfo->hash; else mac = GNUTLS_MAC_SHA1; diff --git a/src/cli-debug.c b/src/cli-debug.c index ece03a2729..c98c0c6f4a 100644 --- a/src/cli-debug.c +++ b/src/cli-debug.c @@ -85,6 +85,9 @@ static const TLS_TEST tls_tests[] = { test_send_record_with_allow_small_records, "yes", "no", "dunno"}, #ifdef ENABLE_SSL3 {"for SSL 3.0 (RFC6101) support", test_ssl3, "yes", "no", "dunno"}, + /* The following test will disable extensions if the server + * does support SSL 3.0, but only incompletely and without + * extensions. */ {"for SSL 3.0 with extensions", test_ssl3_with_extensions, "yes", "no", "dunno"}, {"for SSL 3.0 with cipher suites not in SSL 3.0 spec", test_ssl3_unknown_ciphersuites, "yes", "no", "dunno"}, 
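Review bot: The `strcasecmp(OPT_ARG(VERIFY_PROFILE), "none")` test at the top of the first certtool.c hunk looks inverted. `strcasecmp` returns 0 on a match, so every profile name other than "none" takes the first branch and is stored as `GNUTLS_PROFILE_UNKNOWN`, while "none" is the only value passed to `gnutls_certificate_verification_profile_get_id()`. If that reading is right, a requested verification profile is silently dropped and chain verification runs without it; the condition should be `if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none") == 0) {`. The added `(gnutls_sec_param_t)` casts quiet the enum mismatch but leave the branch logic untouched. cmd_parser's body continues outside the hunk.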
diff --git a/src/tests.c b/src/tests.c index 8cc06347c1..c7f2662efe 100644 --- a/src/tests.c +++ b/src/tests.c @@ -635,8 +635,16 @@ test_code_t test_ssl3_with_extensions(gnutls_session_t session) gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); ret = test_do_handshake(session); - if (ret == TEST_SUCCEED) - ssl3_ok = 1; + if (ssl3_ok != 0 && ret != TEST_SUCCEED) { + /* We need to disable extensions before trying TLS 1.0, because + * it also may not work with extensions. There are known servers + * which partially support both SSL 3.0 and TLS 1.0, but *both* + * only with disabled extensions: + * https://gitlab.com/gnutls/gnutls/-/issues/958#note_309267384 + */ + tls_ext_ok = 0; + strcat(rest, ":%NO_EXTENSIONS"); + } return ret; } @@ -645,7 +653,7 @@ test_code_t test_ssl3_unknown_ciphersuites(gnutls_session_t session) { int ret; sprintf(prio_str, INIT_STR - ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:%%NO_EXTENSIONS:" + ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":%s", rest); _gnutls_priority_set_direct(session, prio_str); @@ -1040,7 +1048,8 @@ test_code_t test_record_padding(gnutls_session_t session) if (ret == TEST_SUCCEED) { tls1_ok = 1; strcat(rest, ":%COMPAT"); - } + } else + ret = TEST_IGNORE2; /* neither succeeded */ } return ret; @@ -1050,6 +1059,12 @@ test_code_t test_no_extensions(gnutls_session_t session) { int ret; +#ifdef ENABLE_SSL3 + /* If already disabled by test_ssl3_with_extensions */ + if (ssl3_ok != 0 && tls_ext_ok == 0) + return TEST_FAILED; +#endif + sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS ":" ALL_KX ":%s", protocol_str, rest); @@ -1071,7 +1086,8 @@ test_code_t test_no_extensions(gnutls_session_t session) if (ret == TEST_SUCCEED) { tls_ext_ok = 0; strcat(rest, ":%NO_EXTENSIONS"); - } + } else + ret = TEST_IGNORE2; /* neither succeeded */ } return ret; diff --git a/tests/cert-reencoding.sh b/tests/cert-reencoding.sh index aadd6fd1bd..240d336778 100755 --- a/tests/cert-reencoding.sh 
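Review bot: The added `strcat(rest, ":%NO_EXTENSIONS");` in `test_ssl3_with_extensions` appends to `rest` with no length check, and `rest` is declared outside this hunk, so its capacity cannot be confirmed here. The same unbounded pattern appears in the context lines of `test_record_padding` and `test_no_extensions`, and `rest` is then expanded into `prio_str` with `sprintf`, so each extra suffix narrows the margin in two buffers. If `rest` is an array, a bounded append such as `snprintf(rest + strlen(rest), sizeof(rest) - strlen(rest), ":%%NO_EXTENSIONS");` removes the dependence on how many tests have already added a suffix. Separately, the two new `} else ret = TEST_IGNORE2;` branches would read better braced to match their `if` arm.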
+++ b/tests/cert-reencoding.sh @@ -57,7 +57,7 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge eval "${GETPORT}" # Port for gnutls-serv diff --git a/tests/cert-tests/alt-chain b/tests/cert-tests/alt-chain index b715416cc0..a2261b3809 100755 --- a/tests/cert-tests/alt-chain +++ b/tests/cert-tests/alt-chain @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge OLD_CA_FILE="${srcdir}/data/alt-chain-old-ca.pem" NEW_CA_FILE="${srcdir}/data/alt-chain-new-ca.pem" diff --git a/tests/cert-tests/cert-critical b/tests/cert-tests/cert-critical index 74f335cb87..f923b29fa4 100755 --- a/tests/cert-tests/cert-critical +++ b/tests/cert-tests/cert-critical @@ -36,7 +36,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge "2017-2-28" \ ${VALGRIND} "${CERTTOOL}" --verify-chain --infile ${srcdir}/data/chain-with-critical-on-root.pem diff --git a/tests/cert-tests/cert-non-digits-time b/tests/cert-tests/cert-non-digits-time index 28880b87ac..9c25c396de 100755 --- a/tests/cert-tests/cert-non-digits-time +++ b/tests/cert-tests/cert-non-digits-time @@ -32,7 +32,7 @@ if ! test -z "${VALGRIND}"; then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi -check_for_datefudge +skip_if_no_datefudge # Check whether certificates with non-digits time fields are accepted datefudge -s "2019-12-19" \ diff --git a/tests/cert-tests/certtool b/tests/cert-tests/certtool index 3494aaacbe..0fd29beea9 100755 --- a/tests/cert-tests/certtool +++ b/tests/cert-tests/certtool @@ -171,7 +171,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge cat "${srcdir}/../certs/cert-ecc256.pem" "${srcdir}/../certs/ca-cert-ecc.pem"|datefudge "2012-11-22" \ ${VALGRIND} "${CERTTOOL}" --verify-chain diff --git a/tests/cert-tests/certtool-eddsa b/tests/cert-tests/certtool-eddsa index c097fbf6c6..7e07822507 100755 
--- a/tests/cert-tests/certtool-eddsa +++ b/tests/cert-tests/certtool-eddsa @@ -124,7 +124,7 @@ rm -f "${TMPFILE}" "${TMPFILE2}" rm -f "${KEYFILE}" -check_for_datefudge +skip_if_no_datefudge # Test certificate chain using Ed25519 datefudge "2017-7-6" \ diff --git a/tests/cert-tests/certtool-rsa-pss b/tests/cert-tests/certtool-rsa-pss index aed79ff2e2..654bf34869 100755 --- a/tests/cert-tests/certtool-rsa-pss +++ b/tests/cert-tests/certtool-rsa-pss @@ -210,7 +210,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge "2012-11-22" \ ${VALGRIND} "${CERTTOOL}" --verify --load-ca-certificate "${srcdir}/data/cert-rsa-pss.pem" --infile "${srcdir}/data/cert-rsa-pss.pem" diff --git a/tests/cert-tests/certtool-verify-profiles b/tests/cert-tests/certtool-verify-profiles index a7ebd711ea..a4d738627e 100755 --- a/tests/cert-tests/certtool-verify-profiles +++ b/tests/cert-tests/certtool-verify-profiles @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge echo "Checking chain with insecure leaf" datefudge -s "2019-12-19" \ diff --git a/tests/cert-tests/crl b/tests/cert-tests/crl index 62b320b2bf..f4f97d757b 100755 --- a/tests/cert-tests/crl +++ b/tests/cert-tests/crl @@ -171,7 +171,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2020-01-20 10:00:00" ${VALGRIND} \ "${CERTTOOL}" --generate-crl --load-ca-privkey "${srcdir}/data/template-test.key" \ diff --git a/tests/cert-tests/crq b/tests/cert-tests/crq index 89099cfc0a..1d64dee27e 100755 --- a/tests/cert-tests/crq +++ b/tests/cert-tests/crq @@ -40,7 +40,7 @@ OUTFILE2=out2.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge ${VALGRIND} "${CERTTOOL}" --inder --crq-info --infile "${srcdir}/data/csr-invalid.der" >"${OUTFILE}" 2>&1 rc=$? 
diff --git a/tests/cert-tests/data/gost-cert-nogost.pem b/tests/cert-tests/data/gost-cert-nogost.pem index 76fcd3d8b9..cd9459f9fb 100644 --- a/tests/cert-tests/data/gost-cert-nogost.pem +++ b/tests/cert-tests/data/gost-cert-nogost.pem @@ -6,8 +6,17 @@ X.509 Certificate Information: Not Before: Fri Aug 17 06:47:36 UTC 2012 Not After: Sat Aug 17 06:47:36 UTC 2013 Subject: CN=SuperTerm0000001,OU=SuperPlat Terminals,O=SuperPlat,L=Moscow,ST=Russia,C=RU -error importing public key: The curve is unsupported Subject Public Key Algorithm: GOST R 34.10-2001 + Algorithm Security Level: High (256 bits) + Curve: CryptoPro-A + Digest: GOSTR341194 + ParamSet: CryptoPro-A + X: + e0:35:f2:a8:40:cf:ea:25:63:b5:c1:eb:fa:fd:1d:7f + 45:d6:2a:31:96:56:35:75:25:19:f6:62:69:db:da:eb + Y: + 57:41:b2:c1:e2:1f:7b:d0:13:c8:dd:eb:9f:ba:cb:42 + a3:63:c7:0b:f4:e9:24:d7:dd:e9:34:8d:12:18:67:d8 Extensions: Basic Constraints (not critical): Certificate Authority (CA): FALSE @@ -19,6 +28,7 @@ error importing public key: The curve is unsupported Authority Key Identifier (not critical): 9875a3b785c1641b23344d9bfbae0c2a256b44eb Signature Algorithm: GOSTR341001 +warning: signed using a broken signature algorithm that can be forged. Signature: 8f:37:24:fd:be:f0:37:d9:f3:1a:5c:31:5e:33:ef:35 61:93:07:03:3d:4d:e8:2c:1b:39:a2:6c:d4:2f:85:35 @@ -28,6 +38,11 @@ Other Information: Fingerprint: sha1:621f34c4fdd7e93f9b8f18224ba0bcd1c63a4771 sha256:ac6ecf4e7a876edf3e61f538d6061353c2015bfbdf60370492f7404d7f09e13a + Public Key ID: + sha1:43757042dae9e9f5fa92cc2d2cbf4950f28a7bd0 + sha256:cee4a59e7803bafb101af8e39e5355d7895e3b85e7616fe624d48f2c51e8bdbf + Public Key PIN: + pin-sha256:zuSlnngDuvsQGvjjnlNV14leO4XnYW/mJNSPLFHovb8= -----BEGIN CERTIFICATE----- MIICXjCCAgugAwIBAgICAR8wCgYGKoUDAgIDBQAwdDELMAkGA1UEBhMCUlUxDzAN diff --git a/tests/cert-tests/data/gost-cert.pem b/tests/cert-tests/data/gost-cert.pem index bec29b8bb5..cd9459f9fb 100644 --- a/tests/cert-tests/data/gost-cert.pem 
+++ b/tests/cert-tests/data/gost-cert.pem @@ -28,6 +28,7 @@ X.509 Certificate Information: Authority Key Identifier (not critical): 9875a3b785c1641b23344d9bfbae0c2a256b44eb Signature Algorithm: GOSTR341001 +warning: signed using a broken signature algorithm that can be forged. Signature: 8f:37:24:fd:be:f0:37:d9:f3:1a:5c:31:5e:33:ef:35 61:93:07:03:3d:4d:e8:2c:1b:39:a2:6c:d4:2f:85:35 diff --git a/tests/cert-tests/data/grfc.crt b/tests/cert-tests/data/grfc.crt index 0b06f778b8..fe7700e3e1 100644 --- a/tests/cert-tests/data/grfc.crt +++ b/tests/cert-tests/data/grfc.crt @@ -41,6 +41,7 @@ X.509 Certificate Information: 1.2.643.100.113.2 (Russian security class KC2) 2.5.29.32.0 (anyPolicy) Signature Algorithm: GOSTR341001 +warning: signed using a broken signature algorithm that can be forged. Signature: bd:95:dd:5f:3a:2b:74:a5:29:62:20:c2:24:a8:8b:a0 13:1a:21:f5:4a:d6:2e:b1:3f:f5:50:e9:96:a0:a2:c9 diff --git a/tests/cert-tests/inhibit-anypolicy b/tests/cert-tests/inhibit-anypolicy index 7e82a20014..ba5e1100f6 100755 --- a/tests/cert-tests/inhibit-anypolicy +++ b/tests/cert-tests/inhibit-anypolicy @@ -36,7 +36,7 @@ SUBCAFILE=inhibit-subca.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2017-04-22" \ "${CERTTOOL}" --generate-self-signed \ diff --git a/tests/cert-tests/invalid-sig b/tests/cert-tests/invalid-sig index bcebf995cb..58134a4d09 100755 --- a/tests/cert-tests/invalid-sig +++ b/tests/cert-tests/invalid-sig @@ -33,14 +33,16 @@ if ! test -x "${CERTTOOL}"; then exit 77 fi +. ${srcdir}/../scripts/common.sh + #check whether a different PKCS #1 signature than the advertized in certificate is tolerated ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig.pem" rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (1) failed" - exit ${rc} + exit 1 fi #check whether a different tbsCertificate than the outer signature algorithm is tolerated 
@@ -48,9 +50,9 @@ ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig2.pem" rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (2) failed" - exit ${rc} + exit 1 fi #check whether a different tbsCertificate than the outer signature algorithm is tolerated @@ -58,9 +60,9 @@ ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig3.pem" rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (3) failed" - exit ${rc} + exit 1 fi #check whether different parameters in tbsCertificate than the outer signature is tolerated @@ -68,9 +70,9 @@ ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig4.pem" rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (4) failed" - exit ${rc} + exit 1 fi #check whether different RSA-PSS parameters in tbsCertificate than the outer signature is tolerated @@ -78,19 +80,24 @@ ${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/invalid-sig5.p rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (5) failed" - exit ${rc} + exit 1 fi -#this was causing a double free; verify that we receive the expected error code -${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem" -rc=$? - -# We're done. -if test "${rc}" != "1"; then - echo "Verification of invalid signature (6) failed" - exit ${rc} +if check_for_datefudge; then + #this was causing a double free; verify that we receive the expected error code + datefudge -s 2020-01-01 \ + ${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem" + rc=$? + + # We're done. + if test $rc != 1; then + echo "Verification of invalid signature (6) failed" + exit 1 + fi +else + echo "Verification of invalid signature (6) skipped" fi exit 0 
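Review bot: The rewritten checks in tests/cert-tests/invalid-sig drop the quoting around `rc` (`if test $rc = 0; then`), which turns an empty or unset value into a `test` syntax error instead of a clean comparison. `if test "$rc" = 0; then` keeps the simplification without that edge. When datefudge is unavailable, the cve-2019-3829.pem check now only prints "skipped" and the script still ends with `exit 0`. The regression check for the double free can therefore drop out of a run that is reported as passed, so a comment should state that CI images are expected to provide datefudge.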
diff --git a/tests/cert-tests/krb5-test b/tests/cert-tests/krb5-test index 3eca7d7e31..a6e092cc90 100755 --- a/tests/cert-tests/krb5-test +++ b/tests/cert-tests/krb5-test @@ -34,7 +34,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge if ! test -z "${VALGRIND}"; then ORIG_VALGRIND=${VALGRIND} diff --git a/tests/cert-tests/md5-test b/tests/cert-tests/md5-test index a9635cc1d8..15d6280b1c 100755 --- a/tests/cert-tests/md5-test +++ b/tests/cert-tests/md5-test @@ -34,7 +34,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Test MD5 signatures diff --git a/tests/cert-tests/name-constraints b/tests/cert-tests/name-constraints index f23462117e..3b2370d49a 100755 --- a/tests/cert-tests/name-constraints +++ b/tests/cert-tests/name-constraints @@ -36,7 +36,7 @@ TMPFILE=constraints.$$.pem.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2016-04-22" \ ${VALGRIND} "${CERTTOOL}" --verify-allow-broken -e --infile "${srcdir}/data/name-constraints-ip.pem" diff --git a/tests/cert-tests/othername-test b/tests/cert-tests/othername-test index 38032fee1c..00f93b22dd 100755 --- a/tests/cert-tests/othername-test +++ b/tests/cert-tests/othername-test @@ -33,7 +33,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation diff --git a/tests/cert-tests/pkcs1-pad b/tests/cert-tests/pkcs1-pad index 33663a6a0b..c75ab9e09d 100755 --- a/tests/cert-tests/pkcs1-pad +++ b/tests/cert-tests/pkcs1-pad @@ -34,7 +34,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge TMPFILE1=pkcs1-pad.$$.tmp TMPFILE2=pkcs1-pad-2.$$.tmp diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7 index 35d438107e..5767e09646 100755 --- a/tests/cert-tests/pkcs7 
+++ b/tests/cert-tests/pkcs7 @@ -38,7 +38,7 @@ TMPFILE=tmp-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge if test "${ENABLE_GOST}" = "1" && test "${GNUTLS_FORCE_FIPS_MODE}" != "1" then @@ -330,6 +330,15 @@ then ${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-gost01.pem" <"${OUTFILE}" rc=$? + if test "${rc}" != "1"; then + echo "${FILE}: PKCS7 struct signing succeeded verification with broken algo" + exit ${rc} + fi + + FILE="gost01-signing-verify" + ${VALGRIND} "${CERTTOOL}" --p7-verify --verify-allow-broken --load-certificate "${srcdir}/../../doc/credentials/x509/cert-gost01.pem" <"${OUTFILE}" + rc=$? + if test "${rc}" != "0"; then echo "${FILE}: PKCS7 struct signing failed verification" exit ${rc} diff --git a/tests/cert-tests/pkcs7-cat b/tests/cert-tests/pkcs7-cat index 0f5b82df12..6543397431 100755 --- a/tests/cert-tests/pkcs7-cat +++ b/tests/cert-tests/pkcs7-cat @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2016-10-1" \ ${VALGRIND} "${CERTTOOL}" --verify-allow-broken --p7-verify --inder --infile "${srcdir}/data/pkcs7-cat.p7" --load-ca-certificate "${srcdir}/data/pkcs7-cat-ca.pem" rc=$? diff --git a/tests/cert-tests/pkcs7-constraints b/tests/cert-tests/pkcs7-constraints index 8e5b5345d1..6964d26f09 100755 --- a/tests/cert-tests/pkcs7-constraints +++ b/tests/cert-tests/pkcs7-constraints @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge FILE="signing" diff --git a/tests/cert-tests/pkcs7-constraints2 b/tests/cert-tests/pkcs7-constraints2 index 389071e27b..7d1816a33a 100755 --- a/tests/cert-tests/pkcs7-constraints2 +++ b/tests/cert-tests/pkcs7-constraints2 @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge FILE="signing" 
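Review bot: The new negative check in tests/cert-tests/pkcs7 exits with `${rc}` when verification of the GOST signature does not return 1. If verification unexpectedly succeeds, `rc` is 0, so the script reports success on exactly the failure it is meant to catch. Use `exit 1` in that branch, as this same commit does in tests/cert-tests/invalid-sig. The following `gost01-signing-verify` block can keep `exit ${rc}` because it only fires when `rc` is non-zero.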
diff --git a/tests/cert-tests/pkcs7-eddsa b/tests/cert-tests/pkcs7-eddsa index 1fd767bd73..6f235c512b 100755 --- a/tests/cert-tests/pkcs7-eddsa +++ b/tests/cert-tests/pkcs7-eddsa @@ -36,7 +36,7 @@ OUTFILE2=out2-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge KEY="${srcdir}/../certs/ed25519.pem" CERT="${srcdir}/../certs/cert-ed25519.pem" diff --git a/tests/cert-tests/pkcs7-list-sign b/tests/cert-tests/pkcs7-list-sign index 1c4e930e5b..5ca04d8005 100755 --- a/tests/cert-tests/pkcs7-list-sign +++ b/tests/cert-tests/pkcs7-list-sign @@ -37,7 +37,7 @@ OUTFILE2=out2-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Test signing FILE="signing-with-cert-list" ${VALGRIND} "${CERTTOOL}" --p7-sign --load-certificate "${srcdir}/data/pkcs7-chain.pem" --load-privkey "${srcdir}/data/pkcs7-chain-endcert-key.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}" diff --git a/tests/cert-tests/rsa-pss-pad b/tests/cert-tests/rsa-pss-pad index d9a05e4e0f..2c87c750fc 100755 --- a/tests/cert-tests/rsa-pss-pad +++ b/tests/cert-tests/rsa-pss-pad @@ -33,7 +33,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation diff --git a/tests/cert-tests/sha3-test b/tests/cert-tests/sha3-test index dc3cf8f6ba..a4300672c3 100755 --- a/tests/cert-tests/sha3-test +++ b/tests/cert-tests/sha3-test @@ -33,7 +33,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation diff --git a/tests/cert-tests/smime b/tests/cert-tests/smime index dd5514f687..f5e68401cf 100755 --- a/tests/cert-tests/smime +++ b/tests/cert-tests/smime 
@@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # test the --smime-to-p7 functionality ${VAGRLIND} "${CERTTOOL}" --smime-to-p7 --infile "${srcdir}/data/pkcs7.smime" --outfile ${OUTFILE} diff --git a/tests/cert-tests/template-exts-test b/tests/cert-tests/template-exts-test index 32e90f91e3..276ba2f798 100755 --- a/tests/cert-tests/template-exts-test +++ b/tests/cert-tests/template-exts-test @@ -33,7 +33,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2007-04-22" \ "${CERTTOOL}" --generate-self-signed \ diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test index f7ebefb664..091021315b 100755 --- a/tests/cert-tests/template-test +++ b/tests/cert-tests/template-test @@ -34,7 +34,7 @@ TMPFILE=tmp-tt.pem.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge echo "Running test for ${ac_cv_sizeof_time_t}-byte time_t" diff --git a/tests/cert-tests/tlsfeature-test b/tests/cert-tests/tlsfeature-test index aadbffc26a..fb26f6225b 100755 --- a/tests/cert-tests/tlsfeature-test +++ b/tests/cert-tests/tlsfeature-test @@ -34,7 +34,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # # Test certificate generation diff --git a/tests/certtool-pkcs11.sh b/tests/certtool-pkcs11.sh index 9a599e6146..daba535a4d 100755 --- a/tests/certtool-pkcs11.sh +++ b/tests/certtool-pkcs11.sh @@ -68,7 +68,7 @@ exit_error () { exit 1 } -check_for_datefudge +skip_if_no_datefudge # $1: token # $2: PIN diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh index 0ab6069b8f..3351764216 100755 --- a/tests/gnutls-cli-debug.sh +++ b/tests/gnutls-cli-debug.sh @@ -48,7 +48,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem 
diff --git a/tests/gnutls-cli-invalid-crl.sh b/tests/gnutls-cli-invalid-crl.sh index d7383a555b..1a82bfafd3 100755 --- a/tests/gnutls-cli-invalid-crl.sh +++ b/tests/gnutls-cli-invalid-crl.sh @@ -47,7 +47,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge echo "Checking whether connecting to a server but with an invalid CRL provided, returns the expected error" diff --git a/tests/gnutls-cli-self-signed.sh b/tests/gnutls-cli-self-signed.sh index 07cd5824b8..fbb5375bf0 100755 --- a/tests/gnutls-cli-self-signed.sh +++ b/tests/gnutls-cli-self-signed.sh @@ -45,7 +45,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge echo "Checking whether connecting to a self signed certificate returns the expected error" diff --git a/tests/ocsp-tests/ocsp-load-chain b/tests/ocsp-tests/ocsp-load-chain index 04de48f7ed..0822bc3d99 100755 --- a/tests/ocsp-tests/ocsp-load-chain +++ b/tests/ocsp-tests/ocsp-load-chain @@ -31,7 +31,7 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge datefudge -s "2017-06-19" \ "${OCSPTOOL}" -e --load-chain "${srcdir}/ocsp-tests/certs/chain-amazon.com.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-amazon.com.der" --verify-allow-broken diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection index 490cc032f0..49c355dda3 100755 --- a/tests/ocsp-tests/ocsp-must-staple-connection +++ b/tests/ocsp-tests/ocsp-must-staple-connection @@ -53,7 +53,7 @@ fi . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge eval "${GETPORT}" # Port for gnutls-serv diff --git a/tests/ocsp-tests/ocsp-test b/tests/ocsp-tests/ocsp-test index 3730175208..bc2641a22e 100755 --- a/tests/ocsp-tests/ocsp-test +++ b/tests/ocsp-tests/ocsp-test 
@@ -32,7 +32,7 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation diff --git a/tests/ocsp-tests/ocsp-tls-connection b/tests/ocsp-tests/ocsp-tls-connection index bcc77ec2d9..870f4ff78b 100755 --- a/tests/ocsp-tests/ocsp-tls-connection +++ b/tests/ocsp-tests/ocsp-tls-connection @@ -54,7 +54,7 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge eval "${GETPORT}" # Port for gnutls-serv diff --git a/tests/pkcs7-cat.sh b/tests/pkcs7-cat.sh index 2f3b0b0b35..a7a53a431a 100755 --- a/tests/pkcs7-cat.sh +++ b/tests/pkcs7-cat.sh @@ -34,7 +34,7 @@ fi . ${srcdir}/scripts/common.sh -check_for_datefudge +skip_if_no_datefudge #try verification datefudge -s "2010-10-10" \ diff --git a/tests/privkey-keygen.c b/tests/privkey-keygen.c index 31634bd095..565beccb20 100644 --- a/tests/privkey-keygen.c +++ b/tests/privkey-keygen.c @@ -64,6 +64,7 @@ static void sign_verify_data(gnutls_pk_algorithm_t algorithm, gnutls_x509_privke gnutls_pubkey_t pubkey; gnutls_datum_t signature; gnutls_digest_algorithm_t digest; + unsigned vflags = 0; assert(gnutls_privkey_init(&privkey) >= 0); @@ -81,6 +82,9 @@ static void sign_verify_data(gnutls_pk_algorithm_t algorithm, gnutls_x509_privke if (ret < 0) fail("gnutls_pubkey_get_preferred_hash_algorithm\n"); + if (digest == GNUTLS_DIG_GOSTR_94) + vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; + /* sign arbitrary data */ ret = gnutls_privkey_sign_data(privkey, digest, 0, &raw_data, &signature); @@ -89,7 +93,7 @@ static void sign_verify_data(gnutls_pk_algorithm_t algorithm, gnutls_x509_privke /* verify data */ ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm(pubkey, NULL),digest), - 0, &raw_data, &signature); + vflags, &raw_data, &signature); if (ret < 0) fail("gnutls_pubkey_verify_data2\n"); 
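Review bot: In `sign_verify_data`, `GNUTLS_VERIFY_ALLOW_BROKEN` is now passed whenever the preferred digest is `GNUTLS_DIG_GOSTR_94`, but nothing in the visible hunks asserts the other half: that the same signature is rejected when the flag is absent. A test that only exercises the permissive path would keep passing if the library stopped treating this digest as broken. Consider verifying once with flags `0` first and failing on success, e.g. `if (vflags && gnutls_pubkey_verify_data2(pubkey, sigalg, 0, &raw_data, &signature) >= 0) fail("broken digest accepted without ALLOW_BROKEN\n");` (`sigalg` stands for the existing `gnutls_pk_to_sign(...)` expression). A short comment on the `vflags |=` line saying why the flag is needed would also help. The same applies to the `GNUTLS_DIG_GOSTR_94` branch of `test_sig` in tests/x509sign-verify-common.h; both functions continue outside their hunks.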
diff --git a/tests/rsa-md5-collision/rsa-md5-collision.sh b/tests/rsa-md5-collision/rsa-md5-collision.sh index a935804dc0..e319544b73 100755 --- a/tests/rsa-md5-collision/rsa-md5-collision.sh +++ b/tests/rsa-md5-collision/rsa-md5-collision.sh @@ -31,7 +31,7 @@ if ! test -x "${CERTTOOL}"; then fi . ${srcdir}/scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Disable leak detection ASAN_OPTIONS="detect_leaks=0" diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh index 95f8a5298e..6ae19fa586 100644 --- a/tests/scripts/common.sh +++ b/tests/scripts/common.sh @@ -80,7 +80,12 @@ check_for_datefudge() { TSTAMP=`datefudge -s "2006-09-23" "${top_builddir}/tests/datefudge-check" || true` if test "$TSTAMP" != "1158969600" || test "$WINDOWS" = 1; then - echo $TSTAMP + return 1 + fi +} + +skip_if_no_datefudge() { + if ! check_for_datefudge; then echo "You need datefudge to run this test" exit 77 fi diff --git a/tests/server-multi-keys.sh b/tests/server-multi-keys.sh index 3138fb6888..7737ec9b83 100755 --- a/tests/server-multi-keys.sh +++ b/tests/server-multi-keys.sh @@ -46,7 +46,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge echo "Checking whether server can utilize multiple keys" diff --git a/tests/server-weak-keys.sh b/tests/server-weak-keys.sh index 31c51a80bc..1fa14711fb 100755 --- a/tests/server-weak-keys.sh +++ b/tests/server-weak-keys.sh @@ -46,7 +46,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge echo "Checking whether a client will refuse weak but trusted keys" diff --git a/tests/sign-is-secure.c b/tests/sign-is-secure.c index 5f987e08b4..64e0836963 100644 --- a/tests/sign-is-secure.c +++ b/tests/sign-is-secure.c 
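Review bot: In tests/scripts/common.sh, `check_for_datefudge` and the new `skip_if_no_datefudge` carry no comment stating their contracts, yet the split only works if callers know that the first now returns 1 without exiting and the second exits with 77. A line above each would do, such as `# Returns non-zero when datefudge is missing or unusable; never exits.` and `# Exits 77 (skip) when datefudge is unavailable.`. The skip path also no longer prints `$TSTAMP`, so the log shows only "You need datefudge to run this test" even when datefudge ran and returned an unexpected timestamp or `WINDOWS` is 1; since many callers are certificate and OCSP verification tests, a skipped run should stay diagnosable. Both function bodies extend beyond the hunk.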
@@ -85,13 +85,14 @@ void doit(void) CHECK_INSECURE_SIG(GNUTLS_SIGN_RSA_MD5); CHECK_INSECURE_SIG(GNUTLS_SIGN_RSA_MD2); + CHECK_INSECURE_SIG(GNUTLS_SIGN_GOST_94); for (i=1;i<=GNUTLS_SIGN_MAX;i++) { #ifndef ALLOW_SHA1 if (i==GNUTLS_SIGN_RSA_SHA1||i==GNUTLS_SIGN_DSA_SHA1||i==GNUTLS_SIGN_ECDSA_SHA1) continue; #endif - if (i==GNUTLS_SIGN_RSA_MD5||i==GNUTLS_SIGN_RSA_MD2||i==GNUTLS_SIGN_UNKNOWN) + if (i==GNUTLS_SIGN_GOST_94||i==GNUTLS_SIGN_RSA_MD5||i==GNUTLS_SIGN_RSA_MD2||i==GNUTLS_SIGN_UNKNOWN) continue; /* skip any unused elements */ if (gnutls_sign_algorithm_get_name(i)==NULL) diff --git a/tests/slow/hash-large.c b/tests/slow/hash-large.c index 33dc1df0da..71312ef369 100644 --- a/tests/slow/hash-large.c +++ b/tests/slow/hash-large.c @@ -139,7 +139,7 @@ void doit(void) /* SHA1 */ err = - gnutls_hash_fast(GNUTLS_MAC_SHA1, buf, size, + gnutls_hash_fast(GNUTLS_DIG_SHA1, buf, size, digest); if (err < 0) fail("gnutls_hash_fast(SHA1) failed: %d\n", err); diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am index 025f513f78..d6f6ff135b 100644 --- a/tests/suite/Makefile.am +++ b/tests/suite/Makefile.am @@ -48,6 +48,7 @@ scripts_to_test = chain.sh \ TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) \ LC_ALL="C" \ + PYTHON="$(PYTHON)" \ VALGRIND="$(VALGRIND)" \ top_builddir="$(top_builddir)" \ srcdir="$(srcdir)" \ diff --git a/tests/suite/multi-ticket-reception.sh b/tests/suite/multi-ticket-reception.sh index d84367703c..6c0113e372 100755 --- a/tests/suite/multi-ticket-reception.sh +++ b/tests/suite/multi-ticket-reception.sh @@ -26,6 +26,10 @@ PYPATH="${srcdir}/tls-fuzzer/tlsfuzzer/" CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" unset RETCODE +if test "${PYTHON}" = ":" ; then + exit 77 +fi + if ! test -x "${TLSPY_SERV}"; then exit 77 fi @@ -36,7 +40,7 @@ fi if test "${WINDIR}" != ""; then exit 77 -fi +fi if ! test -z "${VALGRIND}"; then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" 
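Review bot: In tests/sign-is-secure.c the skip condition inside the `for` loop has to list exactly the algorithms passed to `CHECK_INSECURE_SIG` above it, and with `GNUTLS_SIGN_GOST_94` it is now four unspaced comparisons on one line. A comment such as `/* keep in sync with the CHECK_INSECURE_SIG list above */` and one comparison per line would make the next addition harder to get wrong. The rest of `doit`, including what the loop asserts for the remaining algorithms, is outside the hunk.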
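Review bot: The new guard `if test "${PYTHON}" = ":"` in tests/suite/multi-ticket-reception.sh covers only the `:` placeholder (presumably what configure substitutes when no interpreter is found). If the script runs with `PYTHON` unset or empty, for example by hand outside the `TESTS_ENVIRONMENT` set in the Makefile.am hunk, the later `"${PYTHON}" ${TLSPY_SERV} server ...` lines try to execute an empty command name, so the server never starts and the test errors out instead of skipping. Treat an empty value like the placeholder: `if test -z "${PYTHON}" || test "${PYTHON}" = ":" ; then`. The same guard is added in tests/suite/tls-fuzzer/tls-fuzzer-common.sh and has the same gap.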
@@ -45,7 +49,7 @@ fi . "${srcdir}/../scripts/common.sh" KEY1=${srcdir}/tls-fuzzer/tlslite-ng/tests/serverX509Key.pem -CERT1=${srcdir}/tls-fuzzer/tlsfuzzer/tests/serverX509Cert.pem +CERT1=${srcdir}/tls-fuzzer/tlsfuzzer/tests/serverX509Cert.pem #create links necessary for tlslite to function test -L "${srcdir}/tls-fuzzer/tlsfuzzer/ecdsa" || \ @@ -56,7 +60,7 @@ test -L "${srcdir}/tls-fuzzer/tlsfuzzer/tlslite" || \ echo "Checking whether receiving 1 ticket succeeds (sanity)" eval "${GETPORT}" -PYTHONPATH="${PYPATH}" ${TLSPY_SERV} server --tickets 1 -k ${KEY1} -c ${CERT1} 127.0.0.1:${PORT} & +PYTHONPATH="${PYPATH}" "${PYTHON}" ${TLSPY_SERV} server --tickets 1 -k ${KEY1} -c ${CERT1} 127.0.0.1:${PORT} & PID=$! wait_server ${PID} @@ -70,7 +74,7 @@ wait echo "Checking whether receiving 3 tickets in the same record succeeds" eval "${GETPORT}" -PYTHONPATH="${PYPATH}" ${TLSPY_SERV} server --tickets 3 -k ${KEY1} -c ${CERT1} 127.0.0.1:${PORT} & +PYTHONPATH="${PYPATH}" "${PYTHON}" ${TLSPY_SERV} server --tickets 3 -k ${KEY1} -c ${CERT1} 127.0.0.1:${PORT} & PID=$! wait_server ${PID} @@ -84,7 +88,7 @@ wait echo "Checking whether receiving multiple tickets that span many records succeeds" eval "${GETPORT}" -PYTHONPATH="${PYPATH}" ${TLSPY_SERV} server --tickets 1512 -k ${KEY1} -c ${CERT1} 127.0.0.1:${PORT} & +PYTHONPATH="${PYPATH}" "${PYTHON}" ${TLSPY_SERV} server --tickets 1512 -k ${KEY1} -c ${CERT1} 127.0.0.1:${PORT} & PID=$! wait_server ${PID} diff --git a/tests/suite/testcompat-oldgnutls.sh b/tests/suite/testcompat-oldgnutls.sh index 2ec96b20c2..937bf57050 100755 --- a/tests/suite/testcompat-oldgnutls.sh +++ b/tests/suite/testcompat-oldgnutls.sh @@ -54,7 +54,7 @@ LDPATH=/usr/local/OLDGNUTLS/lib/x86_64-linux-gnu:/usr/local/OLDGNUTLS/usr/lib/x8 . "${srcdir}/../scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge . "${srcdir}/testcompat-common" diff --git a/tests/suite/testcompat-openssl.sh b/tests/suite/testcompat-openssl.sh index bfc59c09ac..b932a599c9 100755 
--- a/tests/suite/testcompat-openssl.sh +++ b/tests/suite/testcompat-openssl.sh @@ -54,7 +54,7 @@ export TZ="UTC" # Check for datefudge . "${srcdir}/../scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge timeout 1800 datefudge "2012-09-2" "${srcdir}/testcompat-main-openssl" diff --git a/tests/suite/testcompat-polarssl.sh b/tests/suite/testcompat-polarssl.sh index 1af0099dca..2197a94bf7 100755 --- a/tests/suite/testcompat-polarssl.sh +++ b/tests/suite/testcompat-polarssl.sh @@ -42,7 +42,7 @@ fi # Check for datefudge . "${srcdir}/../scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge cat /proc/cpuinfo|grep "model name"|grep "VIA Esther" >/dev/null 2>&1 if test $? = 0; then diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh index 128873ab23..bc198a02b6 100755 --- a/tests/suite/testcompat-tls13-openssl.sh +++ b/tests/suite/testcompat-tls13-openssl.sh @@ -49,7 +49,7 @@ fi . "${srcdir}/../scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge . "${srcdir}/testcompat-common" diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-common.sh b/tests/suite/tls-fuzzer/tls-fuzzer-common.sh index b41f068a07..72ed56df19 100755 --- a/tests/suite/tls-fuzzer/tls-fuzzer-common.sh +++ b/tests/suite/tls-fuzzer/tls-fuzzer-common.sh @@ -33,6 +33,10 @@ if ! test -d "${srcdir}/tls-fuzzer/tlsfuzzer" ; then exit 77 fi +if test "${PYTHON}" = ":" ; then + exit 77 +fi + pushd "${srcdir}/tls-fuzzer/tlsfuzzer" test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa @@ -44,7 +48,7 @@ retval=0 tls_fuzzer_prepare -PYTHONPATH=. python tests/scripts_retention.py ${TMPFILE} ${SERV} 821 +PYTHONPATH=. "${PYTHON}" tests/scripts_retention.py ${TMPFILE} ${SERV} 821 retval=$? rm -f ${TMPFILE} diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer -Subproject 477b22683238fc540f512dd0c09963fa467ddef +Subproject 54a1350ae9fa1981062679acb2966e697140c3d 
diff --git a/tests/system-override-profiles.sh b/tests/system-override-profiles.sh index 88ec631798..516ce57e71 100755 --- a/tests/system-override-profiles.sh +++ b/tests/system-override-profiles.sh @@ -41,7 +41,7 @@ fi . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge CERT="${srcdir}/certs/cert-ecc256.pem" KEY="${srcdir}/certs/ecc256.pem" diff --git a/tests/system-override-tls.sh b/tests/system-override-tls.sh index 6114d76282..54bc190dd9 100755 --- a/tests/system-override-tls.sh +++ b/tests/system-override-tls.sh @@ -40,7 +40,7 @@ fi . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge CERT="${srcdir}/certs/cert-ecc256.pem" KEY="${srcdir}/certs/ecc256.pem" diff --git a/tests/test-chains.h b/tests/test-chains.h index 9b06b85f5f..cf8198e8c5 100644 --- a/tests/test-chains.h +++ b/tests/test-chains.h 
@@ -4264,8 +4264,10 @@ static struct { "rsa pss: chain with changing hashes - ok", rsa_pss_chain_sha512_sha384_sha256_ok, &rsa_pss_chain_sha512_sha384_sha256_ok[3], 0, 0, 0, 1501159136}, { "no subject id: chain with missing subject id, but valid auth id - ok", chain_with_no_subject_id_in_ca_ok, &chain_with_no_subject_id_in_ca_ok[4], 0, 0, 0, 1537518468}, #ifdef ENABLE_GOST - { "gost 34.10-01 - ok", gost01, &gost01[2], 0, 0, 0, 1466612070, 1}, - { "gost 34.10-01 - not ok (due to profile)", gost01, &gost01[2], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), + { "gost 34.10-01 - ok", gost01, &gost01[2], GNUTLS_VERIFY_ALLOW_BROKEN, 0, 0, 1466612070, 1}, + { "gost 34.10-01 - not ok (due to gostr94)", gost01, &gost01[2], 0, + GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1466612070, 1}, + { "gost 34.10-01 - not ok (due to profile)", gost01, &gost01[2], GNUTLS_VERIFY_ALLOW_BROKEN|GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1466612070, 1}, { "gost 34.10-12-256 - ok", gost12_256, &gost12_256[0], 0, 0, 0, 1466612070, 1}, { "gost 34.10-12-512 - ok", gost12_512, &gost12_512[0], 0, 0, 0, 1466612070, 1}, diff --git a/tests/tls13/prf-early.sh b/tests/tls13/prf-early.sh index b19da4cb65..7f62aba8d8 100755 --- a/tests/tls13/prf-early.sh +++ b/tests/tls13/prf-early.sh @@ -23,7 +23,7 @@ builddir="${builddir:-.}" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge datefudge -s 2019-04-12 "${builddir}/tls13/prf-early" "$@" exit $? diff --git a/tests/x509sign-verify-common.h b/tests/x509sign-verify-common.h index 80aea5cd63..6b7498586b 100644 --- a/tests/x509sign-verify-common.h +++ b/tests/x509sign-verify-common.h 
@@ -114,9 +114,10 @@ void test_sig(gnutls_pk_algorithm_t pk, unsigned hash, unsigned bits) vflags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1; } else if (hash == GNUTLS_DIG_SHA256) hash_data = &sha256_data; - else if (hash == GNUTLS_DIG_GOSTR_94) + else if (hash == GNUTLS_DIG_GOSTR_94) { hash_data = &gostr94_data; - else if (hash == GNUTLS_DIG_STREEBOG_256) + vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; + } else if (hash == GNUTLS_DIG_STREEBOG_256) hash_data = &streebog256_data; else if (hash == GNUTLS_DIG_STREEBOG_512) hash_data = &streebog512_data; |