
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-336-g23028c4


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-336-g23028c4
Date: Wed, 23 Mar 2011 18:45:17 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=23028c44cbb18a8e0cf0e41014f913f179c8fada

The branch, master has been updated
       via  23028c44cbb18a8e0cf0e41014f913f179c8fada (commit)
       via  276d69961600f4de7206ec56575c4cd79b792c15 (commit)
       via  2da264d66fc9ec655c369e7a3b373cf5421915c5 (commit)
       via  5825b5e9b5a729236f8e9b94fbf3ea4f79d6cfc2 (commit)
      from  bdf510923f25dc54efa66ef0119d551ec45f3845 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 23028c44cbb18a8e0cf0e41014f913f179c8fada
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Mar 23 19:44:52 2011 +0100

    Added DSA tests for client certificates as well.

commit 276d69961600f4de7206ec56575c4cd79b792c15
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Mar 23 19:44:32 2011 +0100

    Simplified signature algorithm selection.

commit 2da264d66fc9ec655c369e7a3b373cf5421915c5
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Mar 23 18:29:44 2011 +0100

    The processed messages go to stdout.

commit 5825b5e9b5a729236f8e9b94fbf3ea4f79d6cfc2
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Mar 23 18:04:16 2011 +0100

    updated documentation

-----------------------------------------------------------------------

Summary of changes:
 lib/ext_signature.c            |   40 +++++++++++--
 lib/ext_signature.h            |    8 +-
 lib/gnutls_handshake.c         |    1 -
 lib/gnutls_privkey.c           |    9 ++-
 lib/gnutls_sig.c               |  125 ++++++++++++++--------------------------
 lib/includes/gnutls/abstract.h |    5 ++
 lib/x509/verify.c              |    2 +-
 src/cli.c                      |    6 +-
 tests/dsa/testdsa              |   62 ++++++++++++++++----
 9 files changed, 147 insertions(+), 111 deletions(-)

diff --git a/lib/ext_signature.c b/lib/ext_signature.c
index a6a456d..f210e84 100644
--- a/lib/ext_signature.c
+++ b/lib/ext_signature.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2002, 2003, 2004, 2005, 2009, 2010 Free Software
+ * Copyright (C) 2002,2003,2004,2005,2009,2010,2011 Free Software
  * Foundation, Inc.
  *
  * Author: Nikos Mavrogiannopoulos
@@ -34,6 +34,8 @@
 #include <gnutls_state.h>
 #include <gnutls_num.h>
 #include <gnutls_algorithms.h>
+#include <x509/common.h> /* dsa_q_to_hash */
+#include <gnutls_cert.h>
 
 static int _gnutls_signature_algorithm_recv_params (gnutls_session_t session,
                                                     const opaque * data,
@@ -248,13 +250,36 @@ _gnutls_signature_algorithm_send_params (gnutls_session_t 
session,
   return 0;
 }
 
+int cert_compatible_with_sig(gnutls_cert* cert, gnutls_protocol_t ver, 
+  gnutls_sign_algorithm_t sign)
+{
+  if (cert->subject_pk_algorithm == GNUTLS_PK_DSA)
+    { /* override */
+      int hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
+
+      /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
+      if (!_gnutls_version_has_selectable_sighash (ver))
+        {
+          if (hash_algo != GNUTLS_DIG_SHA1)
+            return 
gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
+        }
+      else
+        {
+          if (_gnutls_sign_get_hash_algorithm(sign) != hash_algo)
+            return GNUTLS_E_UNWANTED_ALGORITHM;
+        }
+        
+    }
+
+  return 0;
+}
+
 /* Returns a requested by the peer signature algorithm that
  * matches the given public key algorithm. Index can be increased
  * to return the second choice etc.
  */
 gnutls_sign_algorithm_t
-_gnutls_session_get_sign_algo (gnutls_session_t session,
-                               gnutls_pk_algorithm_t pk)
+_gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_cert* cert)
 {
   unsigned i;
   int ret;
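Review bot: `cert_compatible_with_sig` is added with external linkage but without the `_gnutls_` prefix used by the other internal functions declared in lib/ext_signature.h, so it occupies a generic name in the global symbol namespace of anything that links the library statically; `_gnutls_cert_compatible_with_sig` would match the rest of the file. Inside it, `hash_algo` is declared `int` although it holds the result of `_gnutls_dsa_q_to_hash` and is compared with `GNUTLS_DIG_SHA1`; `gnutls_digest_algorithm_t hash_algo` states the intent. The function also has no header comment saying that a negative return means "this signature algorithm cannot be used with this certificate", which is what the `< 0` tests at the call sites rely on. The body of _gnutls_session_get_sign_algo continues outside this hunk.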
@@ -270,15 +295,18 @@ _gnutls_session_get_sign_algo (gnutls_session_t session,
 
   if (ret < 0 || !_gnutls_version_has_selectable_sighash (ver)
       || priv->sign_algorithms_size == 0)
-    /* none set, allow all */
+    /* none set, allow SHA-1 only */
     {
-      return _gnutls_x509_pk_to_sign (pk, GNUTLS_DIG_SHA1);
+      return _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, 
GNUTLS_DIG_SHA1);
     }
 
   for (i = 0; i < priv->sign_algorithms_size; i++)
     {
-      if (_gnutls_sign_get_pk_algorithm (priv->sign_algorithms[i]) == pk)
+      if (_gnutls_sign_get_pk_algorithm (priv->sign_algorithms[i]) == 
cert->subject_pk_algorithm)
         {
+          if (cert_compatible_with_sig(cert, ver, priv->sign_algorithms[i]) < 
0)
+            continue;
+
           return priv->sign_algorithms[i];
         }
     }
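Review bot: The fallback return hands back a SHA-1 signature algorithm without calling `cert_compatible_with_sig`, and the loop below it is only reached when the version has selectable hashes, so the helper's pre-TLS 1.2 branch (the one returning `GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL`) is not reachable from this function. The same holds for the `else` branch of _gnutls_handshake_verify_data in lib/gnutls_sig.c, which now sets `hash_algo = GNUTLS_DIG_SHA1` with no DSA check, while _gnutls_handshake_sign_cert_vrfy repeats the check by hand. Rejecting a DSA key whose q calls for a longer hash then appears to rest on a later size check such as the one in dsa_verify_sig rather than on an explicit decision here. Running the fallback algorithm through the helper keeps the rule in one place: `sign = _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, GNUTLS_DIG_SHA1);` followed by `if (cert_compatible_with_sig (cert, ver, sign) < 0) return GNUTLS_SIGN_UNKNOWN;`. The function starts above this hunk.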
diff --git a/lib/ext_signature.h b/lib/ext_signature.h
index b56c772..0288ff1 100644
--- a/lib/ext_signature.h
+++ b/lib/ext_signature.h
@@ -34,15 +34,15 @@ extern extension_entry_st ext_mod_sig;
 
 int _gnutls_session_sign_algo_requested (gnutls_session_t session,
                                          gnutls_sign_algorithm_t sig);
-gnutls_sign_algorithm_t _gnutls_session_get_sign_algo (gnutls_session_t
-                                                       session,
-                                                       gnutls_pk_algorithm_t
-                                                       pk);
+gnutls_sign_algorithm_t
+_gnutls_session_get_sign_algo (gnutls_session_t session, gnutls_cert* cert);
 int _gnutls_sign_algorithm_parse_data (gnutls_session_t session,
                                        const opaque * data, size_t data_size);
 int _gnutls_sign_algorithm_write_params (gnutls_session_t session,
                                          opaque * data, size_t max_data_size);
 int _gnutls_session_sign_algo_enabled (gnutls_session_t session,
                                        gnutls_sign_algorithm_t sig);
+int cert_compatible_with_sig(gnutls_cert* cert, gnutls_protocol_t ver, 
+  gnutls_sign_algorithm_t sign);
 
 #endif
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index fb4c3c2..8260896 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -2397,7 +2397,6 @@ _gnutls_handshake_hash_init (gnutls_session_t session)
         session->security_parameters.handshake_mac_handle_type =
           HANDSHAKE_MAC_TYPE_10;
 
-
       if (session->security_parameters.handshake_mac_handle_type ==
           HANDSHAKE_MAC_TYPE_10)
         {
diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c
index 0ee2911..11a691c 100644
--- a/lib/gnutls_privkey.c
+++ b/lib/gnutls_privkey.c
@@ -421,7 +421,7 @@ gnutls_openpgp_keyid_t keyid;
 #endif
 
 /**
- * gnutls_privkey_sign_data2:
+ * gnutls_privkey_sign_data:
  * @signer: Holds the key
  * @hash: should be a digest algorithm
  * @flags: should be 0 for now
@@ -431,7 +431,10 @@ gnutls_openpgp_keyid_t keyid;
  * This function will sign the given data using a signature algorithm
  * supported by the private key. Signature algorithms are always used
  * together with a hash functions.  Different hash functions may be
- * used for the RSA algorithm, but only SHA-1 for the DSA keys.
+ * used for the RSA algorithm, but only the SHA family for the DSA keys.
+ *
+ * Use gnutls_pubkey_get_preferred_hash_algorithm() to determine
+ * the hash algorithm.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
  * negative error value.
@@ -491,7 +494,7 @@ cleanup:
  * together with a hash functions.  Different hash functions may be
  * used for the RSA algorithm, but only SHA-XXX for the DSA keys.
  *
- * Use gnutls_x509_crt_get_preferred_hash_algorithm() to determine
+ * Use gnutls_pubkey_get_preferred_hash_algorithm() to determine
  * the hash algorithm.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index ef44cca..02c0711 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -55,37 +55,6 @@ sign_tls_hash (gnutls_session_t session, 
gnutls_digest_algorithm_t hash_algo,
  */
 #define MAX_SIG_SIZE 19 + MAX_HASH_SIZE
 
-static int 
-get_hash_algo(gnutls_session_t session, int version,
-  gnutls_cert* cert, 
-  gnutls_sign_algorithm_t sign_algo,
-  gnutls_digest_algorithm_t *hash_algo)
-{
-int ret;
-
-  if (cert->subject_pk_algorithm == GNUTLS_PK_DSA)
-    { /* override */
-      *hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
-
-      /* DSA keys over 1024 bits cannot be used with TLS 1.x, x<2 */
-      if (!_gnutls_version_has_selectable_sighash (version) && *hash_algo != 
GNUTLS_DIG_SHA1)
-        return gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
-
-      ret = _gnutls_session_sign_algo_requested(session, 
_gnutls_x509_pk_to_sign (GNUTLS_PK_DSA, *hash_algo));
-      if (ret < 0)
-        return gnutls_assert_val(ret);
-    }
-  else
-    {
-      if (sign_algo == GNUTLS_SIGN_UNKNOWN)
-        *hash_algo = GNUTLS_DIG_SHA1;
-      else
-        *hash_algo = _gnutls_sign_get_hash_algorithm (sign_algo);
-    }
-
-  return 0;
-}
-
 /* Generates a signature of all the random data and the parameters.
  * Used in DHE_* ciphersuites.
  */
@@ -103,19 +72,17 @@ _gnutls_handshake_sign_data (gnutls_session_t session, 
gnutls_cert * cert,
   gnutls_digest_algorithm_t hash_algo;
 
   *sign_algo =
-    _gnutls_session_get_sign_algo (session, cert->subject_pk_algorithm);
+    _gnutls_session_get_sign_algo (session, cert);
   if (*sign_algo == GNUTLS_SIGN_UNKNOWN)
     {
       gnutls_assert ();
       return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
     }
 
-  ret = get_hash_algo(session, ver, cert, *sign_algo, &hash_algo);
-  if (ret < 0)
-    return gnutls_assert_val(ret);
+  hash_algo = _gnutls_sign_get_hash_algorithm (*sign_algo);
 
-  _gnutls_handshake_log("HSK[%p]: hash from highest priority sigalgorithm: %s 
(%d)\n", 
-    session, gnutls_mac_get_name(hash_algo), hash_algo);
+  _gnutls_handshake_log ("HSK[%p]: signing handshake data: using %s\n",
+                    session, gnutls_sign_algorithm_get_name (*sign_algo));
 
   ret = _gnutls_hash_init (&td_sha, hash_algo);
   if (ret < 0)
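Review bot: `GNUTLS_SIGN_UNKNOWN` from _gnutls_session_get_sign_algo now also means that none of the peer's offered algorithms fits the DSA key, yet the error returned here is still `GNUTLS_E_UNKNOWN_PK_ALGORITHM`, which points whoever reads the log at the wrong cause. _gnutls_handshake_sign_cert_vrfy12 ends up with the same mapping after this commit, where the removed code returned `GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM`. Returning that code in both places, `return gnutls_assert_val (GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);`, keeps negotiation failures distinguishable from an unsupported key type. The function body starts and ends outside this hunk.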
@@ -369,14 +336,22 @@ _gnutls_handshake_verify_data (gnutls_session_t session, 
gnutls_cert * cert,
   gnutls_protocol_t ver = gnutls_protocol_get_version (session);
   gnutls_digest_algorithm_t hash_algo;
 
-  ret = _gnutls_session_sign_algo_enabled (session, algo);
-  if (ret < 0)
+  if (_gnutls_version_has_selectable_sighash (ver))
     {
-      gnutls_assert ();
-      return ret;
-    }
+      _gnutls_handshake_log ("HSK[%p]: verify handshake data: using %s\n",
+                    session, gnutls_sign_algorithm_get_name (algo));
 
-  if (!_gnutls_version_has_selectable_sighash (ver))
+      ret = cert_compatible_with_sig(cert, ver, algo);
+      if (ret < 0)
+        return gnutls_assert_val(ret);
+
+      ret = _gnutls_session_sign_algo_enabled (session, algo);
+      if (ret < 0)
+        return gnutls_assert_val(ret);
+
+      hash_algo = _gnutls_sign_get_hash_algorithm (algo);
+    }
+  else
     {
       ret = _gnutls_hash_init (&td_md5, GNUTLS_MAC_MD5);
       if (ret < 0)
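Review bot: In the selectable-hash branch `algo` comes from the peer, and neither of the two checks added here compares its public-key half with the certificate: `cert_compatible_with_sig` looks only at the hash and only for DSA keys, and `_gnutls_session_sign_algo_enabled` takes no certificate argument. Unless a caller outside this hunk already does so, a signature algorithm naming a different key type than `cert->subject_pk_algorithm` would be accepted and only its hash used. A guard before the two checks closes that: `if (_gnutls_sign_get_pk_algorithm (algo) != cert->subject_pk_algorithm) return gnutls_assert_val (GNUTLS_E_UNWANTED_ALGORITHM);`. The function continues past the end of the hunk.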
@@ -390,11 +365,9 @@ _gnutls_handshake_verify_data (gnutls_session_t session, 
gnutls_cert * cert,
       _gnutls_hash (&td_md5, session->security_parameters.server_random,
                     GNUTLS_RANDOM_SIZE);
       _gnutls_hash (&td_md5, params->data, params->size);
-    }
 
-  ret = get_hash_algo(session, ver, cert, algo, &hash_algo);
-  if (ret < 0)
-    return gnutls_assert_val(ret);
+      hash_algo = GNUTLS_DIG_SHA1;
+    }
 
   ret = _gnutls_hash_init (&td_sha, hash_algo);
   if (ret < 0)
@@ -519,6 +492,9 @@ _gnutls_handshake_verify_cert_vrfy (gnutls_session_t 
session,
   gnutls_datum_t dconcat;
   gnutls_protocol_t ver = gnutls_protocol_get_version (session);
 
+  _gnutls_handshake_log ("HSK[%p]: verify cert vrfy: using %s\n",
+                    session, gnutls_sign_algorithm_get_name (sign_algo));
+
   if (session->security_parameters.handshake_mac_handle_type ==
       HANDSHAKE_MAC_TYPE_12)
     {
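Review bot: The new log line formats `gnutls_sign_algorithm_get_name (sign_algo)` with `%s` before the handshake MAC type is examined, so it also runs on the pre-TLS 1.2 path, where `sign_algo` is presumably not supplied by the peer. If the name lookup returns NULL for an unknown algorithm, that NULL is passed to `%s`. The equivalent message in _gnutls_handshake_verify_data sits inside the selectable-hash branch; moving this one inside the `HANDSHAKE_MAC_TYPE_12` block that follows would match it. The function starts and ends outside this hunk.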
@@ -617,44 +593,27 @@ _gnutls_handshake_sign_cert_vrfy12 (gnutls_session_t 
session,
   gnutls_digest_algorithm_t hash_algo;
   digest_hd_st *handshake_td;
 
-  handshake_td = &session->internals.handshake_mac_handle.tls12.sha1;
-  hash_algo = handshake_td->algorithm;
-  sign_algo = _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
-
-  /* The idea here is to try signing with the one of the algorithms
-   * that have been initiated at handshake (SHA1, SHA256). If they
-   * are not requested by peer... tough luck
-   */
-  ret = _gnutls_session_sign_algo_requested (session, sign_algo);
-  if (sign_algo == GNUTLS_SIGN_UNKNOWN || ret < 0)
+  sign_algo =
+    _gnutls_session_get_sign_algo (session, cert);
+  if (sign_algo == GNUTLS_SIGN_UNKNOWN)
     {
-      handshake_td = &session->internals.handshake_mac_handle.tls12.sha256;
-      hash_algo = handshake_td->algorithm;
-      sign_algo =
-        _gnutls_x509_pk_to_sign (cert->subject_pk_algorithm, hash_algo);
-      if (sign_algo == GNUTLS_SIGN_UNKNOWN)
-        {
-          gnutls_assert ();
-          return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM;
-        }
-
-      ret = _gnutls_session_sign_algo_requested (session, sign_algo);
-      if (ret < 0)
-        {
-          gnutls_assert ();
-          _gnutls_debug_log
-            ("Server did not allow either '%s' or '%s' for signing\n",
-             gnutls_mac_get_name (hash_algo),
-             gnutls_mac_get_name (session->internals.handshake_mac_handle.
-                                  tls12.sha1.algorithm));
-          return ret;
-        }
+      gnutls_assert ();
+      return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
     }
 
+  hash_algo = _gnutls_sign_get_hash_algorithm (sign_algo);
+
   _gnutls_debug_log ("sign handshake cert vrfy: picked %s with %s\n",
                     gnutls_sign_algorithm_get_name (sign_algo),
                     gnutls_mac_get_name (hash_algo));
 
+  if (hash_algo == 
session->internals.handshake_mac_handle.tls12.sha1.algorithm)
+    handshake_td = &session->internals.handshake_mac_handle.tls12.sha1;
+  else if (hash_algo == 
session->internals.handshake_mac_handle.tls12.sha256.algorithm)
+    handshake_td = &session->internals.handshake_mac_handle.tls12.sha256;
+  else
+    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); /* too bad we only 
support SHA1 and SHA256 */
+
   ret = _gnutls_hash_copy (&td, handshake_td);
   if (ret < 0)
     {
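Review bot: `_gnutls_session_get_sign_algo` returns the first algorithm the peer offered for this key type, and the `if`/`else if` chain then fails with `GNUTLS_E_INTERNAL_ERROR` when its hash is neither the running SHA-1 nor the running SHA-256 handshake digest. The removed code tried exactly those two hashes, so a peer whose first matching entry uses another hash would now abort certificate authentication even though a later entry is usable. The selection should skip algorithms whose hash has no handshake digest available. This case is a peer-dependent negotiation outcome rather than an internal fault, so `GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM` describes it better. The function continues outside this hunk.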
@@ -692,7 +651,7 @@ _gnutls_handshake_sign_cert_vrfy (gnutls_session_t session,
                                   gnutls_datum_t * signature)
 {
   gnutls_datum_t dconcat;
-  int ret;
+  int ret, hash_algo;
   opaque concat[MAX_SIG_SIZE];
   digest_hd_st td_md5;
   digest_hd_st td_sha;
@@ -769,13 +728,17 @@ _gnutls_handshake_sign_cert_vrfy (gnutls_session_t 
session,
       dconcat.size = 36;
       break;
     case GNUTLS_PK_DSA:
+      /* ensure 1024 bit DSA keys are used */
+      hash_algo = _gnutls_dsa_q_to_hash (cert->params[1]);
+      if (!_gnutls_version_has_selectable_sighash (ver) && hash_algo != 
GNUTLS_DIG_SHA1)
+        return gnutls_assert_val(GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL);
+
       dconcat.data = &concat[16];
       dconcat.size = 20;
       break;
 
     default:
-      gnutls_assert ();
-      return GNUTLS_E_INTERNAL_ERROR;
+      return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     }
   ret = sign_tls_hash (session, GNUTLS_DIG_NULL, cert, pkey, &dconcat, 
signature);
   if (ret < 0)
diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index 8bc46c6..bd68765 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -93,6 +93,11 @@ int gnutls_privkey_init (gnutls_privkey_t * key);
 void gnutls_privkey_deinit (gnutls_privkey_t key);
 int gnutls_privkey_get_pk_algorithm (gnutls_privkey_t key,
                                      unsigned int *bits);
+
+int
+gnutls_privkey_get_preferred_hash_algorithm (gnutls_privkey_t key,
+                                            gnutls_digest_algorithm_t *
+                                            hash, unsigned int *mand);
 gnutls_privkey_type_t gnutls_privkey_get_type (gnutls_privkey_t key);
 
 
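Review bot: `gnutls_privkey_get_preferred_hash_algorithm` is declared in the public header, but no definition of it is visible in this push: the lib/gnutls_privkey.c hunks only touch comments, and those comments point callers to `gnutls_pubkey_get_preferred_hash_algorithm()` instead. If the function is not defined elsewhere, applications that call it will fail at link time. Either add the implementation with its documentation block in the same change, or hold the prototype back until it exists.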
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index bee3266..f05c191 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -839,13 +839,13 @@ dsa_verify_sig (const gnutls_datum_t * text,
   gnutls_digest_algorithm_t algo;
 
   algo = _gnutls_dsa_q_to_hash (params[1]);
-
   if (hash)
     {
       /* SHA1 or better allowed */
       if (!hash->data || hash->size != _gnutls_hash_get_algo_len(algo))
         {
           gnutls_assert();
+          _gnutls_debug_log("Hash size (%d) does not correspond to hash %s", 
(int)hash->size, gnutls_mac_get_name(algo));
           return GNUTLS_E_INVALID_REQUEST;
         }
       digest = *hash;
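Review bot: The added `_gnutls_debug_log` format string has no trailing newline, unlike the other log calls in this push, so the next message will run on from it; it should read `"Hash size (%d) does not correspond to hash %s\n"`. The branch is also taken when `hash->data` is NULL, in which case the message reports a size mismatch that did not occur. dsa_verify_sig continues outside this hunk.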
diff --git a/src/cli.c b/src/cli.c
index 3180dfc..5ef6b09 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -229,7 +229,7 @@ load_keys (void)
             }
           x509_crt_size = ret;
         }
-      fprintf (stderr, "Processed %d client certificates...\n", ret);
+      fprintf (stdout, "Processed %d client certificates...\n", ret);
 
       unload_file (data);
 
@@ -269,7 +269,7 @@ load_keys (void)
           unload_file (data);
         }
 
-      fprintf (stderr, "Processed %d client X.509 certificates...\n",
+      fprintf (stdout, "Processed %d client X.509 certificates...\n",
                x509_crt_size);
     }
 #ifdef ENABLE_OPENPGP
@@ -366,7 +366,7 @@ load_keys (void)
             }
         }
 
-      fprintf (stderr, "Processed 1 client PGP certificate...\n");
+      fprintf (stdout, "Processed 1 client PGP certificate...\n");
     }
 #endif
 
diff --git a/tests/dsa/testdsa b/tests/dsa/testdsa
index 94ad95e..bbd0802 100755
--- a/tests/dsa/testdsa
+++ b/tests/dsa/testdsa
@@ -24,6 +24,7 @@ srcdir="${srcdir:-.}"
 SERV="${SERV:-../../src/gnutls-serv} -q"
 CLI="${CLI:-../../src/gnutls-cli}"
 PORT="${PORT:-5559}"
+DEBUG=""
 unset RETCODE
 
 fail() {
@@ -37,14 +38,32 @@ echo "Checking various DSA key sizes"
 
 echo "Checking DSA-1024 with TLS 1.0"
 
-$SERV -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile 
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem >/dev/null 2>&1 &
+$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem 
>/dev/null 2>&1 &
 
 # give the server a chance to initialize
 sleep 2
 
-$CLI -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
   fail "Failed connection to a server with DSA 1024 key and TLS 1.0!"
 
+echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.0"
+
+#try with client key of 1024 bits (should succeed) 
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem </dev/null 
>/dev/null || \
+  fail "Failed connection to a server with DSA 1024 key and TLS 1.0!"
+
+echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.0"
+
+#try with client key of 2048 bits (should fail) 
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem </dev/null 
>/dev/null 2>&1 && \
+  fail "Succeeded connection to a server with a client DSA 2048 key and TLS 
1.0!"
+
+echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.0"
+
+#try with client key of 3072 bits (should fail) 
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem </dev/null 
>/dev/null 2>&1 && \
+  fail "Succeeded connection to a server with a client DSA 3072 key and TLS 
1.0!"
+
 kill %1
 wait
 
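Review bot: The two new negative checks (client DSA-2048 and DSA-3072 with TLS 1.0) pass on any non-zero exit of `$CLI` with stderr discarded, so a missing `cert.dsa.2048.pem`, a refused connection or a crash all count as the expected rejection. Since these tests are what pins the DSA key-size restriction, they should confirm the reason, for example by capturing the client output and checking it for the expected error text before treating the failure as a pass. The first new positive check also reuses the message `Failed connection to a server with DSA 1024 key and TLS 1.0!` from the server-only test, which makes the two failures indistinguishable in the log; naming the client key in the message would fix that.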
@@ -52,14 +71,33 @@ wait
 
 echo "Checking DSA-1024 with TLS 1.2"
 
-$SERV -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" --x509certfile 
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem >/dev/null 2>&1 &
+$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem 
>/dev/null 2>&1 &
 
 # give the server a chance to initialize
 sleep 2
 
-$CLI -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
   fail "Failed connection to a server with DSA 1024 key and TLS 1.2!"
 
+echo "Checking server DSA-1024 with client DSA-1024 and TLS 1.2"
+
+#try with client key of 1024 bits (should succeed) 
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.1024.pem --x509keyfile $srcdir/dsa.1024.pem </dev/null 
>/dev/null || \
+  fail "Failed connection to a server with DSA 1024 key and TLS 1.2!"
+
+echo "Checking server DSA-1024 with client DSA-2048 and TLS 1.2"
+
+#try with client key of 2048 bits (should succeed) 
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem </dev/null 
>/dev/null || \
+  fail "Failed connection to a server with a client DSA 2048 key and TLS 1.2!"
+
+echo "Checking server DSA-1024 with client DSA-3072 and TLS 1.2"
+
+#try with client key of 3072 bits (should succeed) 
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure --x509certfile 
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem </dev/null 
>/dev/null || \
+  fail "Failed connection to a server with a client DSA 3072 key and TLS 1.2!"
+
+
 kill %1
 wait
 
@@ -67,12 +105,12 @@ wait
 
 echo "Checking DSA-2048 with TLS 1.0"
 
-$SERV -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile 
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem >/dev/null 2>&1 &
+$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem 
>/dev/null 2>&1 &
 
 # give the server a chance to initialize
 sleep 2
 
-$CLI -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 2>&1 && \
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 2>&1 && \
   fail "Succeeded connection to a server with DSA 2048 key and TLS 1.0. Should 
have failed!"
 
 kill %1
@@ -82,12 +120,12 @@ wait
 
 echo "Checking DSA-2048 with TLS 1.2"
 
-$SERV -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" --x509certfile 
$srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem >/dev/null 2>&1 &
+$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.2048.pem --x509keyfile $srcdir/dsa.2048.pem 
>/dev/null 2>&1 &
 
 # give the server a chance to initialize
 sleep 2
 
-$CLI -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
   fail "Failed connection to a server with DSA 2048 key and TLS 1.2!"
 
 kill %1
@@ -97,12 +135,12 @@ wait
 
 echo "Checking DSA-3072 with TLS 1.0"
 
-$SERV -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509certfile 
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem >/dev/null 2>&1 &
+$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" 
--x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem 
>/dev/null 2>&1 &
 
 # give the server a chance to initialize
 sleep 2
 
-$CLI -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 2>&1 && \
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null 2>&1 && \
   fail "Succeeded connection to a server with DSA 2048 key and TLS 1.0. Should 
have failed!"
 
 kill %1
@@ -112,12 +150,12 @@ wait
 
 echo "Checking DSA-3072 with TLS 1.2"
 
-$SERV -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" --x509certfile 
$srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem >/dev/null 2>&1 &
+$SERV $DEBUG -p $PORT --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" 
--x509certfile $srcdir/cert.dsa.3072.pem --x509keyfile $srcdir/dsa.3072.pem 
>/dev/null 2>&1 &
 
 # give the server a chance to initialize
 sleep 2
 
-$CLI -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
+$CLI $DEBUG -p $PORT 127.0.0.1 --insecure </dev/null >/dev/null || \
   fail "Failed connection to a server with DSA 3072 key and TLS 1.2!"
 
 kill %1


hooks/post-receive
-- 
GNU gnutls


