[SCM] GNU gnutls branch, master, updated. gnutls_2_99_1-101-g8697eee
From: |
Nikos Mavrogiannopoulos |
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_99_1-101-g8697eee |
Date: |
Thu, 26 May 2011 16:24:37 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=8697eeefc3a887671323974687b9db52e9075c19
The branch, master has been updated
via 8697eeefc3a887671323974687b9db52e9075c19 (commit)
via 8207ff6d95b3f658c237d2aa004a97ef213b583a (commit)
from 6a125fea8d4ddb545a6c88dbab04b6ac26c183ab (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 8697eeefc3a887671323974687b9db52e9075c19
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Thu May 26 17:47:11 2011 +0200
Changes to allow ECDH-DSA with client mode certificates.
commit 8207ff6d95b3f658c237d2aa004a97ef213b583a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Thu May 26 17:46:36 2011 +0200
Added server and client mode tests for ECDH-ECDSA.
-----------------------------------------------------------------------
Summary of changes:
lib/gnutls_pubkey.c | 2 +-
lib/gnutls_sig.c | 1 +
tests/certs/ca-cert-ecc.pem | 14 ++++++++++
tests/certs/ca-ecc.pem | 28 ++++++++++++++++++++
tests/certs/cert-ecc.pem | 13 +++++++++
tests/certs/ecc.pem | 25 ++++++++++++++++++
tests/suite/testcompat-main | 59 +++++++++++++++++++++++++++++++++---------
7 files changed, 128 insertions(+), 14 deletions(-)
create mode 100644 tests/certs/ca-cert-ecc.pem
create mode 100644 tests/certs/ca-ecc.pem
create mode 100644 tests/certs/cert-ecc.pem
create mode 100644 tests/certs/ecc.pem
diff --git a/lib/gnutls_pubkey.c b/lib/gnutls_pubkey.c
index 7769b78..227036d 100644
--- a/lib/gnutls_pubkey.c
+++ b/lib/gnutls_pubkey.c
@@ -1197,7 +1197,7 @@ gnutls_pubkey_get_verify_algorithm (gnutls_pubkey_t key,
int _gnutls_pubkey_compatible_with_sig(gnutls_pubkey_t pubkey,
gnutls_protocol_t ver,
gnutls_sign_algorithm_t sign)
{
- if (pubkey->pk_algorithm == GNUTLS_PK_DSA || pubkey->pk_algorithm ==
GNUTLS_PK_ECC)
+ if (pubkey->pk_algorithm == GNUTLS_PK_DSA)
{ /* override */
int hash_algo = _gnutls_dsa_q_to_hash (pubkey->pk_algorithm,
&pubkey->params);
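Review bot: The `+` line drops GNUTLS_PK_ECC from the q-derived hash override but leaves the bare `/* override */` comment, so nothing records why an ECDSA key is now treated differently from DSA; a comment on the `if` would stop someone re-adding it, e.g. `/* DSA only: the hash is tied to the size of q. ECDSA is not pinned to the curve here: TLS < 1.2 mandates SHA-1 (RFC 4492 5.8) and TLS 1.2 negotiates the hash. */`. ECC keys now fall through to whatever acceptance check follows, which is outside the hunk; `_gnutls_pubkey_compatible_with_sig` continues past the last visible line, so confirm that path still rejects a `sign` whose key algorithm does not match an ECC key.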
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 4331165..88d53ea 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -724,6 +724,7 @@ _gnutls_handshake_sign_cert_vrfy (gnutls_session_t session,
dconcat.size = 36;
break;
case GNUTLS_PK_DSA:
+ case GNUTLS_PK_ECC:
dconcat.data = &concat[16];
dconcat.size = 20;
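Review bot: Stacking `case GNUTLS_PK_ECC:` on the DSA label makes an ECDSA CertificateVerify sign only the 20-byte SHA-1 part of the concatenation (`&concat[16]`, size 20) instead of the 36-byte MD5||SHA-1 block used for RSA; that is what RFC 4492 §5.8 requires for TLS 1.0/1.1, but the code does not say so and a later reader could "fix" it back. Suggest `/* DSA and ECDSA (RFC 4492 5.8) sign only the SHA-1 hash in TLS < 1.2 */` above the two labels. Only the signing side is in this diff; the verifying counterpart is not visible, and if it still treats ECC like RSA a GnuTLS server would reject the CertificateVerify a GnuTLS client now produces, which the server-mode test in this commit only catches if gnutls-serv actually requests a client certificate. The enclosing switch and `_gnutls_handshake_sign_cert_vrfy` extend beyond the hunk.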
diff --git a/tests/certs/ca-cert-ecc.pem b/tests/certs/ca-cert-ecc.pem
new file mode 100644
index 0000000..ad8a34b
--- /dev/null
+++ b/tests/certs/ca-cert-ecc.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
+A1UEChMGR251VExTMSUwIwYDVQQLExxHbnVUTFMgY2VydGlmaWNhdGUgYXV0aG9y
+aXR5MQ8wDQYDVQQIEwZMZXV2ZW4xJTAjBgNVBAMTHEdudVRMUyBjZXJ0aWZpY2F0
+ZSBhdXRob3JpdHkwHhcNMTEwNTIzMjAzODIxWhcNMTIxMjIyMDc0MTUxWjB9MQsw
+CQYDVQQGEwJCRTEPMA0GA1UEChMGR251VExTMSUwIwYDVQQLExxHbnVUTFMgY2Vy
+dGlmaWNhdGUgYXV0aG9yaXR5MQ8wDQYDVQQIEwZMZXV2ZW4xJTAjBgNVBAMTHEdu
+dVRMUyBjZXJ0aWZpY2F0ZSBhdXRob3JpdHkwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAARS2I0jiuNn14Y2sSALCX3IybqiIJUvxUpj+oNfzngvj/Niyv2394BWnW4X
+uQ4RTEiywK87WRcWMGgJB5kX/t2no0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1Ud
+DwEB/wQFAwMHBgAwHQYDVR0OBBYEFPC0gf6YEr+1KLlkQAPLzB9mTigDMAoGCCqG
+SM49BAMCA0gAMEUCIDGuwD1KPyG+hRf88MeyMQcqOFZD0TbVleF+UsAGQ4enAiEA
+l4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
+-----END CERTIFICATE-----
diff --git a/tests/certs/ca-ecc.pem b/tests/certs/ca-ecc.pem
new file mode 100644
index 0000000..3f15e01
--- /dev/null
+++ b/tests/certs/ca-ecc.pem
@@ -0,0 +1,28 @@
+Testing SECP224R1 (1)
+Testing SECP256R1 (2)
+Testing SECP384R1 (3)
+Public Key Info:
+ Public Key Algorithm: ECC
+ Key Security Level: High
+
+curve: SECP256R1
+private key:
+ 19:f4:6b:fc:8e:67:e7:51:98:ef:58:67:5f:4c:ee:
+ 22:b9:2e:a4:22:ad:99:28:0d:29:c1:1e:3b:f7:2c:
+ 61:48:
+x:
+ 52:d8:8d:23:8a:e3:67:d7:86:36:b1:20:0b:09:7d:
+ c8:c9:ba:a2:20:95:2f:c5:4a:63:fa:83:5f:ce:78:
+ 2f:8f:
+y:
+ 00:f3:62:ca:fd:b7:f7:80:56:9d:6e:17:b9:0e:11:
+ 4c:48:b2:c0:af:3b:59:17:16:30:68:09:07:99:17:
+ fe:dd:a7:
+
+Public Key ID: D8:37:48:4E:0C:07:DE:56:4E:C8:1E:7F:13:1D:7B:54:FA:9D:2D:BE
+
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIBn0a/yOZ+dRmO9YZ19M7iK5LqQirZkoDSnBHjv3LGFIoAoGCCqGSM49
+AwEHoUQDQgAEUtiNI4rjZ9eGNrEgCwl9yMm6oiCVL8VKY/qDX854L4/zYsr9t/eA
+Vp1uF7kOEUxIssCvO1kXFjBoCQeZF/7dpw==
+-----END EC PRIVATE KEY-----
diff --git a/tests/certs/cert-ecc.pem b/tests/certs/cert-ecc.pem
new file mode 100644
index 0000000..d0baccb
--- /dev/null
+++ b/tests/certs/cert-ecc.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/certs/ecc.pem b/tests/certs/ecc.pem
new file mode 100644
index 0000000..0204664
--- /dev/null
+++ b/tests/certs/ecc.pem
@@ -0,0 +1,25 @@
+Testing SECP224R1 (1)
+Testing SECP256R1 (2)
+Testing SECP384R1 (3)
+Public Key Info:
+ Public Key Algorithm: ECC
+ Key Security Level: Normal
+
+curve: SECP224R1
+private key:
+ 00:ff:d4:4c:0f:f1:ec:f1:8d:1c:a3:b4:57:1a:92:
+ 65:5f:91:69:6e:ae:d4:e1:c7:02:be:84:e8:6c:
+x:
+ 6a:3b:d8:c7:ee:33:94:af:8c:2f:73:7d:ee:4c:46:
+ c9:d3:99:d3:dc:2a:0f:b6:30:3a:f4:6a:2c:
+y:
+ 4b:7a:95:85:32:98:8c:1d:ed:1a:46:12:3c:f6:5b:
+ af:46:51:7b:70:f2:f3:1b:66:65:0b:36:3c:
+
+Public Key ID: 0E:DF:58:4C:FA:6C:38:DE:12:4D:D3:28:77:51:37:02:5C:CA:24:DF
+
+-----BEGIN EC PRIVATE KEY-----
+MGkCAQEEHQD/1EwP8ezxjRyjtFcakmVfkWlurtThxwK+hOhsoAcGBSuBBAAhoTwD
+OgAEajvYx+4zlK+ML3N97kxGydOZ09wqD7YwOvRqLEt6lYUymIwd7RpGEjz2W69G
+UXtw8vMbZmULNjw=
+-----END EC PRIVATE KEY-----
diff --git a/tests/suite/testcompat-main b/tests/suite/testcompat-main
index ee9a924..b17f38c 100755
--- a/tests/suite/testcompat-main
+++ b/tests/suite/testcompat-main
@@ -31,8 +31,11 @@ fi
. ../scripts/common.sh
-echo "Compatibility checks using "`openssl version`
-openssl version|grep -e 1\.0 >/dev/null 2>&1
+SERV=openssl
+OPENSSL_CLI="openssl"
+
+echo "Compatibility checks using "`$SERV version`
+$SERV version|grep -e 1\.0 >/dev/null 2>&1
SV=$?
if test $SV != 0;then
echo "OpenSSL 1.0.0 is required for ECDH and DTLS tests"
@@ -48,6 +51,10 @@ CA_CERT=$srcdir/../../doc/credentials/x509-ca.pem
CLI_CERT=$srcdir/../../doc/credentials/x509-client.pem
CLI_KEY=$srcdir/../../doc/credentials/x509-client-key.pem
+CA_ECC_CERT=$srcdir/../certs/ca-cert-ecc.pem
+ECC_CERT=$srcdir/../certs/cert-ecc.pem
+ECC_KEY=$srcdir/../certs/ecc.pem
+
SERV_CERT=$srcdir/../../doc/credentials/x509-server.pem
SERV_KEY=$srcdir/../../doc/credentials/x509-server-key.pem
SERV_DSA_CERT=$srcdir/../../doc/credentials/x509-server-dsa.pem
@@ -57,7 +64,6 @@ echo "#####################"
echo "# Client mode tests #"
echo "#####################"
-SERV=openssl
launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem
-certform pem -ssl3 -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT -dkey
$DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT &
PID=$!
@@ -113,6 +119,23 @@ $CLI $DEBUG -p $PORT 127.0.0.1 --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL
kill $PID
wait
+if test $SV = 0;then
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+launch_bare_server $$ s_server -quiet -www -accept $PORT -keyform pem
-certform pem -tls1 -key $ECC_KEY -cert $ECC_CERT -Verify 1 -named_curve
secp224r1 -CAfile $CA_ECC_CERT &
+PID=$!
+wait_server $PID
+
+# Test TLS 1.0 with ECDHE-ECDSA ciphersuite
+echo "Checking TLS 1.0 with ECDHE-ECDSA..."
+$CLI $DEBUG -p $PORT 127.0.0.1 --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
--insecure --x509certfile $ECC_CERT --x509keyfile $ECC_KEY </dev/null
>/dev/null || \
+ fail "Failed"
+
+kill $PID
+wait
+
+fi
+
launch_bare_server $$ s_server -quiet -accept $PORT -keyform pem -certform pem
-dtls1 -mtu 1000 -timeout -dhparam params.dh -key $RSA_KEY -cert $RSA_CERT
-dkey $DSA_KEY -dcert $DSA_CERT -Verify 1 -CAfile $CA_CERT &
PID=$!
wait_server $PID
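Review bot: The new client-mode test relies on OpenSSL verifying the client certificate (`-Verify 1 -CAfile $CA_ECC_CERT`), but the CA it points at, tests/certs/ca-cert-ecc.pem, encodes a validity of 2011-05-23 to 2012-12-22 (the UTCTime pair decodes from the `MTEwNTIzMjAzODIxWhcNMTIxMjIyMDc0MTUx` run in that file), so this test will start failing on its own in about nineteen months with no code change. Regenerate the test CA and leaf with a far-future notAfter, as is usual for fixtures. It would also help to state what the test is for, since `-Verify 1` is what makes the server demand the ECDSA CertificateVerify that lib/gnutls_sig.c now builds: `# -Verify 1 forces a client cert so the TLS 1.0 ECDSA CertificateVerify path is exercised`. `--insecure` means the gnutls client does not check the server chain here; presumably that matches the other client-mode invocations, which are not visible in this hunk.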
@@ -161,7 +184,6 @@ echo "#####################"
echo "# Server mode tests #"
echo "#####################"
SERV="../../src/gnutls-serv$EXEEXT -q"
-CLI="openssl"
PORT="5559"
# Note that openssl s_client does not return error code on failure
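Review bot: Removing `CLI="openssl"` here means `$CLI` keeps its client-mode value (the gnutls client) for the rest of the server-mode section, so any `$CLI s_client` invocation that was not rewritten to `$OPENSSL_CLI` would now run the gnutls client with OpenSSL arguments and, because the result is only grepped for `:error:`, pass silently. The hunks in this diff convert the RSA, DHE and ECDHE cases shown, but the stretches between them are not visible; a `grep -n '\$CLI s_client' tests/suite/testcompat-main` before merging would confirm none remain.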
@@ -170,7 +192,7 @@ echo "Check SSL 3.0 with RSA ciphersuite"
launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+RSA"
--x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT
--dhparams params.dh & PID=$!
wait_server $PID
-$CLI s_client -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key $CLI_KEY
-CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key
$CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
fail "Failed"
kill $PID
@@ -180,7 +202,7 @@ echo "Check SSL 3.0 with DHE-RSA ciphersuite"
launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-RSA"
--x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT
--dhparams params.dh & PID=$!
wait_server $PID
-$CLI s_client -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key $CLI_KEY
-CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key
$CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
fail "Failed"
kill $PID
@@ -190,7 +212,7 @@ echo "Check SSL 3.0 with DHE-DSS ciphersuite"
launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-SSL3.0:+DHE-DSS"
--x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh
& PID=$!
wait_server $PID
-$CLI s_client -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key $CLI_KEY
-CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client -host localhost -port $PORT -ssl3 -cert $CLI_CERT -key
$CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
fail "Failed"
kill $PID
@@ -202,7 +224,7 @@ echo "Check TLS 1.0 with RSA ciphersuite (SSLv2 hello)"
launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA"
--x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT
--dhparams params.dh & PID=$!
wait_server $PID
-$CLI s_client -host localhost -port $PORT -cert $CLI_CERT -key $CLI_KEY
-CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client -host localhost -port $PORT -cert $CLI_CERT -key
$CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
fail "Failed"
kill $PID
@@ -212,7 +234,7 @@ echo "Check TLS 1.0 with DHE-RSA ciphersuite"
launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA"
--x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT
--dhparams params.dh & PID=$!
wait_server $PID
-$CLI s_client -host localhost -tls1 -port $PORT -cert $CLI_CERT -key $CLI_KEY
-CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $CLI_CERT -key
$CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
fail "Failed"
kill $PID
@@ -222,7 +244,7 @@ echo "Check TLS 1.0 with DHE-DSS ciphersuite"
launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-DSS"
--x509certfile $SERV_DSA_CERT --x509keyfile $SERV_DSA_KEY --dhparams params.dh
& PID=$!
wait_server $PID
-$CLI s_client -host localhost -tls1 -port $PORT -cert $CLI_CERT -key $CLI_KEY
-CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $CLI_CERT -key
$CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
fail "Failed"
kill $PID
@@ -231,11 +253,22 @@ wait
if test $SV = 0;then
echo "Check TLS 1.0 with ECDHE-RSA ciphersuite"
-launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL"
--x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT
--dhparams params.dh & PID=$!
+launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-RSA:+CURVE-ALL"
--x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT &
PID=$!
wait_server $PID
#-cipher ECDHE-RSA-AES128-SHA
-$CLI s_client -host localhost -tls1 -port $PORT -cert $CLI_CERT -key $CLI_KEY
-CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $CLI_CERT -key
$CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
+ fail "Failed"
+
+kill $PID
+wait
+
+echo "Check TLS 1.0 with ECDHE-ECDSA ciphersuite"
+launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+ECDHE-ECDSA:+CURVE-ALL"
--x509certfile $ECC_CERT --x509keyfile $ECC_KEY --x509cafile $CA_ECC_CERT &
PID=$!
+wait_server $PID
+
+#-cipher ECDHE-ECDSA-AES128-SHA
+$OPENSSL_CLI s_client -host localhost -tls1 -port $PORT -cert $ECC_CERT -key
$ECC_KEY -CAfile $CA_ECC_CERT </dev/null 2>&1 | grep "\:error\:" && \
fail "Failed"
kill $PID
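Review bot: The server-mode ECDHE-ECDSA check launches gnutls-serv with `--x509cafile $CA_ECC_CERT` and hands OpenSSL the ECC client cert, but nothing on the launch line asks the server to request a client certificate, and the pass condition is only the absence of an `:error:` line from s_client, so the handshake can succeed and the test pass even if the client certificate is never sent or verified. If gnutls-serv does not request client certificates by default (its option set is not visible here), add its require-client-certificate flag to this launch so the ECDSA CertificateVerify path this commit targets is actually exercised from the server side. A descriptive failure message would also help locate which of the now many cases failed, e.g. `fail "TLS 1.0 ECDHE-ECDSA server test failed"`. Dropping `--dhparams params.dh` from the ECDHE-RSA launch is fine, since ECDHE does not use the DH group.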
@@ -246,7 +279,7 @@ echo "Check DTLS 1.0 with RSA ciphersuite"
launch_server $$ --priority
"NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.0:+RSA" --udp
--x509certfile $SERV_CERT --x509keyfile $SERV_KEY --x509cafile $CA_CERT
--dhparams params.dh & PID=$!
wait_server $PID
-$CLI s_client -host localhost -port $PORT -dtls1 -cert $CLI_CERT -key
$CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
+$OPENSSL_CLI s_client -host localhost -port $PORT -dtls1 -cert $CLI_CERT -key
$CLI_KEY -CAfile $CA_CERT </dev/null 2>&1 | grep "\:error\:" && \
fail "Failed"
kill $PID
hooks/post-receive
--
GNU gnutls