Diffstat (limited to 'src')
-rw-r--r--src/certtool-args.def2
-rw-r--r--src/certtool.c6
-rw-r--r--src/cli-args.def2
-rw-r--r--src/cli-debug.c3
-rw-r--r--src/common.c5
-rw-r--r--src/list.h2
-rw-r--r--src/serv-args.def2
-rw-r--r--src/tests.c30
8 files changed, 37 insertions, 15 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 645dc563cc..242a01871a 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -1080,7 +1080,7 @@ encryption_key
#honor_crq_ext = 2.5.29.17
#honor_crq_ext = 2.5.29.15
-# Path length contraint. Sets the maximum number of
+# Path length constraint. Sets the maximum number of
# certificates that can be used to certify this certificate.
# (i.e. the certificate chain length)
#path_len = -1
diff --git a/src/certtool.c b/src/certtool.c
index 0e24ac8281..6bdfe376b1 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1426,9 +1426,9 @@ static void cmd_parser(int argc, char **argv)
if (HAVE_OPT(VERIFY_PROFILE)) {
if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none")) {
- cinfo.verification_profile = GNUTLS_PROFILE_UNKNOWN;
+ cinfo.verification_profile = (gnutls_sec_param_t)GNUTLS_PROFILE_UNKNOWN;
} else {
- cinfo.verification_profile = gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE));
+ cinfo.verification_profile = (gnutls_sec_param_t)gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE));
}
} else if (!HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
if (HAVE_OPT(VERIFY_CHAIN) || HAVE_OPT(VERIFY)) {
@@ -2956,7 +2956,7 @@ void generate_pkcs12(common_info_st * cinfo)
}
if (cinfo->hash != GNUTLS_DIG_UNKNOWN)
- mac = cinfo->hash;
+ mac = (gnutls_mac_algorithm_t)cinfo->hash;
else
mac = GNUTLS_MAC_SHA1;
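Review bot: The cast `mac = (gnutls_mac_algorithm_t)cinfo->hash;` silences the enum mismatch but relies on the digest enumerators being defined with the same values as the MAC enumerators, which nothing in generate_pkcs12 states. A one-line comment on that line, `/* gnutls digest ids are defined in terms of the MAC ids, so the cast is value-preserving */`, would keep the next reader from treating it as a lookup that is missing. generate_pkcs12 starts before the hunk, so the declared type of mac is assumed to be gnutls_mac_algorithm_t.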
diff --git a/src/cli-args.def b/src/cli-args.def
index 56ae77b077..ac04591325 100644
--- a/src/cli-args.def
+++ b/src/cli-args.def
@@ -393,7 +393,7 @@ flag = {
name = recordsize;
arg-type = number;
arg-range = "0->4096";
- descrip = "The maximum record size to advertize";
+ descrip = "The maximum record size to advertise";
doc = "";
};
diff --git a/src/cli-debug.c b/src/cli-debug.c
index ece03a2729..c98c0c6f4a 100644
--- a/src/cli-debug.c
+++ b/src/cli-debug.c
@@ -85,6 +85,9 @@ static const TLS_TEST tls_tests[] = {
test_send_record_with_allow_small_records, "yes", "no", "dunno"},
#ifdef ENABLE_SSL3
{"for SSL 3.0 (RFC6101) support", test_ssl3, "yes", "no", "dunno"},
+ /* The following test will disable extensions if the server
+ * does support SSL 3.0, but only incompletely and without
+ * extensions. */
{"for SSL 3.0 with extensions", test_ssl3_with_extensions, "yes", "no", "dunno"},
{"for SSL 3.0 with cipher suites not in SSL 3.0 spec",
test_ssl3_unknown_ciphersuites, "yes", "no", "dunno"},
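Review bot: The added comment is ambiguous: "will disable extensions if the server does support SSL 3.0, but only incompletely and without extensions" can be read as describing the test itself rather than the server. The side effect it refers to lives in test_ssl3_with_extensions in tests.c (it clears tls_ext_ok and appends %NO_EXTENSIONS to the shared priority suffix) and changes the behaviour of every later entry in this table, which is worth saying plainly. Suggested wording: `/* Side effect: when the server accepts SSL 3.0 only without extensions, test_ssl3_with_extensions disables extensions for all following tests (see tests.c). */`.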
diff --git a/src/common.c b/src/common.c
index 753481741b..2dc54d09bf 100644
--- a/src/common.c
+++ b/src/common.c
@@ -282,8 +282,11 @@ int cert_verify(gnutls_session_t session, const char *hostname, const char *purp
gnutls_free(out.data);
- if (status)
+ if (status) {
+ if (!(status & GNUTLS_CERT_INVALID))
+ abort();
return 0;
+ }
return 1;
}
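Review bot: The added abort() fires without any diagnostic, so a user whose verification returned a non-zero status lacking GNUTLS_CERT_INVALID gets a core dump with nothing that distinguishes this internal consistency check from a certificate problem. Printing the status first keeps the failure diagnosable: `fprintf(stderr, "internal error: verify status 0x%x without GNUTLS_CERT_INVALID\n", status);` before the abort(). A comment on the check, `/* every verification failure is expected to carry GNUTLS_CERT_INVALID */`, would record that this is an invariant rather than a reachable error path. cert_verify() begins outside the hunk, so status is assumed to be an unsigned int.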
diff --git a/src/list.h b/src/list.h
index 967eb193e2..1b3c9e4635 100644
--- a/src/list.h
+++ b/src/list.h
@@ -40,7 +40,7 @@
slow because these operations search all the way
through the list.
- queues: whats the difference between a queue and a list?
+ queues: what's the difference between a queue and a list?
very little really.
The system implemented here is a doubly linked list with previous
diff --git a/src/serv-args.def b/src/serv-args.def
index 996fbe36ba..a584085e26 100644
--- a/src/serv-args.def
+++ b/src/serv-args.def
@@ -51,7 +51,7 @@ flag = {
flag = {
name = maxearlydata;
arg-type = number;
- arg-range = "1->4294967295";
+ arg-range = "1->";
descrip = "The maximum early data size to accept";
doc = "";
};
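Review bot: Dropping the upper bound of arg-range means the option parser no longer rejects values above 4294967295 for maxearlydata, so whatever consumes the parsed value (not in this diff) must now guard against a value that does not fit its target type. If the literal was removed because it does not parse on hosts where long is 32 bits, a comment next to the range saying so would stop the bound from being restored; otherwise a range check at the point of use, such as comparing the option value against the maximum the early-data API accepts before passing it on, is needed to keep the previous behaviour.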
diff --git a/src/tests.c b/src/tests.c
index 8cc06347c1..76b896b8fd 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -635,8 +635,16 @@ test_code_t test_ssl3_with_extensions(gnutls_session_t session)
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = test_do_handshake(session);
- if (ret == TEST_SUCCEED)
- ssl3_ok = 1;
+ if (ssl3_ok != 0 && ret != TEST_SUCCEED) {
+ /* We need to disable extensions before trying TLS 1.0, because
+ * it also may not work with extensions. There are known servers
+ * which partially support both SSL 3.0 and TLS 1.0, but *both*
+ * only with disabled extensions:
+ * https://gitlab.com/gnutls/gnutls/-/issues/958#note_309267384
+ */
+ tls_ext_ok = 0;
+ strcat(rest, ":%NO_EXTENSIONS");
+ }
return ret;
}
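Review bot: The added strcat() into the shared `rest` buffer has no length check, and this path appends ":%NO_EXTENSIONS" on top of what test_record_padding and test_no_extensions already append; `rest` is declared outside the hunk, so its capacity cannot be confirmed here. A bounded append, for example `snprintf(rest + strlen(rest), sizeof(rest) - strlen(rest), ":%%NO_EXTENSIONS");` if rest is an array, or at least a comment stating the worst-case total length, would make the invariant explicit. The removal of `ssl3_ok = 1` also means this function no longer records SSL 3.0 support, which is fine if test_ssl3 is the only remaining writer but deserves a word in the comment. test_ssl3_with_extensions starts before the hunk.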
@@ -645,7 +653,7 @@ test_code_t test_ssl3_unknown_ciphersuites(gnutls_session_t session)
{
int ret;
sprintf(prio_str, INIT_STR
- ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:%%NO_EXTENSIONS:"
+ ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:"
ALL_MACS ":" ALL_KX ":%s", rest);
_gnutls_priority_set_direct(session, prio_str);
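Review bot: With the literal %NO_EXTENSIONS removed, test_ssl3_unknown_ciphersuites runs without extensions only when test_ssl3_with_extensions has appended ":%NO_EXTENSIONS" to `rest`, and that ordering dependency is not stated anywhere in this function. A comment above the sprintf, `/* %NO_EXTENSIONS arrives via rest when test_ssl3_with_extensions found extensions unsupported */`, would record it. The sprintf into prio_str is unbounded, but that predates this change.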
@@ -1040,7 +1048,8 @@ test_code_t test_record_padding(gnutls_session_t session)
if (ret == TEST_SUCCEED) {
tls1_ok = 1;
strcat(rest, ":%COMPAT");
- }
+ } else
+ ret = TEST_IGNORE2; /* neither succeeded */
}
return ret;
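Review bot: The new `else` branch at `ret = TEST_IGNORE2;` is unbraced while its `if` counterpart is braced, and the trailing comment after the statement makes the mismatch easy to misread when another statement is added later. Brace it: `} else {` / `ret = TEST_IGNORE2; /* neither succeeded */` / `}`. The same shape appears in the test_no_extensions hunk at the second `ret = TEST_IGNORE2`. test_record_padding begins outside the hunk.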
@@ -1050,6 +1059,12 @@ test_code_t test_no_extensions(gnutls_session_t session)
{
int ret;
+#ifdef ENABLE_SSL3
+ /* If already disabled by test_ssl3_with_extensions */
+ if (ssl3_ok != 0 && tls_ext_ok == 0)
+ return TEST_FAILED;
+#endif
+
sprintf(prio_str,
INIT_STR ALL_CIPHERS ":" ALL_COMP ":%s:"
ALL_MACS ":" ALL_KX ":%s", protocol_str, rest);
@@ -1071,7 +1086,8 @@ test_code_t test_no_extensions(gnutls_session_t session)
if (ret == TEST_SUCCEED) {
tls_ext_ok = 0;
strcat(rest, ":%NO_EXTENSIONS");
- }
+ } else
+ ret = TEST_IGNORE2; /* neither succeeded */
}
return ret;
@@ -1193,7 +1209,7 @@ test_code_t test_tls1_6_fallback(gnutls_session_t session)
return TEST_SUCCEED;
}
-/* Advertize both TLS 1.0 and SSL 3.0. If the connection fails,
+/* Advertise both TLS 1.0 and SSL 3.0. If the connection fails,
* but the previous SSL 3.0 test succeeded then disable TLS 1.0.
*/
test_code_t test_tls_disable0(gnutls_session_t session)
@@ -1410,7 +1426,7 @@ void _gnutls_rsa_pms_set_version(gnutls_session_t session,
test_code_t test_rsa_pms_version_check(gnutls_session_t session)
{
int ret;
- /* here we use an arbitary version in the RSA PMS
+ /* here we use an arbitrary version in the RSA PMS
* to see whether to server will check this version.
*
* A normal server would abort this handshake.