summaryrefslogtreecommitdiff
path: root/tests
Commit message (Collapse)AuthorAgeFilesLines
* TLS 1.3: implement anti-replay measure using ClientHello recordingDaiki Ueno2018-11-123-14/+277
| | | | | | | This implements ClientHello recording outlined in section 8.2 of RFC 8446. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* db: introduce gnutls_db_check_entry_expire_timeDaiki Ueno2018-11-121-1/+8
| | | | | | | | | | This would be particularly useful when the same database is used to store long-lived TLS 1.2 session data and short-lived TLS 1.3 anti-replay entries. Note that the existing gnutls_db_check_entry doesn't fit in this use-case, as it takes gnutls_session_t as the argument. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* testcompat-tls13-openssl: exercise early data transmissionDaiki Ueno2018-11-121-0/+54
| | | | Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tests: add tests for early dataDaiki Ueno2018-11-122-1/+326
| | | | Signed-off-by: Daiki Ueno <dueno@redhat.com>
* testcompat-openssl: do not test DSS or small curves with 1.1.1tmp-fix-ci-runsNikos Mavrogiannopoulos2018-11-071-25/+39
| | | | | | | DSA uses 1024-bit parameters, and these together with curves of less than 256 bits are not accepted by debian's openssl. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'tmp-ignore-ctypes' into 'master'Nikos Mavrogiannopoulos2018-11-024-1/+11
|\ | | | | | | | | | | | | gnutls_priority_init: ignore CTYPE-OPENPGP options Closes #593 See merge request gnutls/gnutls!789
| * gnutls_priority_init: ignore CTYPE-OPENPGP optionstmp-ignore-ctypesNikos Mavrogiannopoulos2018-11-014-1/+11
| | | | | | | | | | | | | | | | | | | | | | | | In GnuTLS 3.6.0 we dropped support for openpgp keys, however the CTYPE-OPENPGP is often seen in applications, sometimes as -CTYPE-OPENPGP to ensure it is not enabled. We simply ignore this priority string when seen, to avoid preventing these applications from running. Resolves #593 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | ext/record_size_limit: handle the extension in TLS 1.2 ServerHellotmp-fix-record-size-limit-tls12Daiki Ueno2018-11-011-8/+18
|/ | | | | | | Previously it had assumed that TLS 1.2 servers don't send the extension, while actually it can be present in ServerHello. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* gnutls_priority_set: do not override the version after handshake is completeNikos Mavrogiannopoulos2018-10-302-1/+136
| | | | | | | | | | | When an application would re-set priorities prior to a rehandshake we would override the negotiated version with the highest supported, something which may lead to issues. This disables that unnecessary version override. See: https://bugzilla.redhat.com/show_bug.cgi?id=1634736 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* system: provide a means to replace gettime implementationDaiki Ueno2018-10-261-6/+21
| | | | | | | | | While gettime() is extensively used in the code, the library previously hadn't provided a way to replace it for testing. This adds a new internal function _gnutls_global_set_gettime_function and makes use of it through virt-time.h. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Merge branch 'tmp-fix-fips-mode' into 'master'Nikos Mavrogiannopoulos2018-10-241-0/+8
|\ | | | | | | | | fips140: aligned code with documentation See merge request gnutls/gnutls!781
| * fips140: aligned code with documentationtmp-fix-fips-modeNikos Mavrogiannopoulos2018-10-231-0/+8
| | | | | | | | | | | | | | That is, we introduce the documented but unimplemented macros GNUTLS_FIPS140_SET_LAX_MODE() and GNUTLS_FIPS140_SET_STRICT_MODE(). Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | p11tool: fix initialization of security officer's PINtmp-initialize-so-pin-fixNikos Mavrogiannopoulos2018-10-241-2/+119
|/ | | | | | | | | | | | Previously we would call gnutls_pkcs11_token_set_pin() without an old PIN provided, which will result to the use of C_InitPIN() on the underlying module. The C_InitPIN() in contrast with C_SetPIN() will only work for the user and not for the administrator. As such, we always provide the oldpin for when we change the admin's PIN. Resolves #561 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'tmp-update-tlsfuzzer' into 'master'Nikos Mavrogiannopoulos2018-10-195-4/+72
|\ | | | | | | | | | | | | update tlsfuzzer scripts to latest version Closes #591 See merge request gnutls/gnutls!774
| * tlsfuzzer: updated to latest upstream and enabled new teststmp-update-tlsfuzzerNikos Mavrogiannopoulos2018-10-165-4/+72
| | | | | | | | | | | | Resolves: #591 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-uris' into 'master'Nikos Mavrogiannopoulos2018-10-182-3/+17
|\ \ | | | | | | | | | | | | | | | | | | pkcs11 uris: the scheme is case insensitive Closes #590 See merge request gnutls/gnutls!616
| * | pkcs11 uris: the URI scheme is case insensitivetmp-urisNikos Mavrogiannopoulos2018-10-122-3/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Makes the comparisons of the URI scheme to use c_strcasecmp from gnulib. It also replaces various straw strcasecmp with the gnulib variant. This ensures that comparison will be reliable irrespective of the locale. Resolves #590 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | SKIP tests/global-init-override if weak symbols don't worktmp-fix-global-init-overrideTim Rühsen2018-10-181-5/+28
| | | | | | | | | | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | | tests: eagain-auto-auth: only compiled in systems with cmocka availableNikos Mavrogiannopoulos2018-10-161-2/+3
| |/ |/| | | | | | | | | This fixes build issue at MacOSX CI. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | gnutls_init: added flag for automatic re-authenticationNikos Mavrogiannopoulos2018-10-164-1/+882
| | | | | | | | | | | | | | | | | | This introduces the GNUTLS_AUTO_REAUTH gnutls_init() flag and makes re-authentication under TLS simpler to enable and use. Resolves #571 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-fix-eina-cpu-on-solaris' into 'master'Nikos Mavrogiannopoulos2018-10-101-2/+2
|\ \ | | | | | | | | | | | | Fix check for GNU C compiler in eina_cpu.c See merge request gnutls/gnutls!772
| * | Fix check for GNU C compiler in eina_cpu.ctmp-fix-eina-cpu-on-solarisTim Rühsen2018-10-091-2/+2
| |/ | | | | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | Skip tests/tls13/prf.c if visibility 'protected' doesn't worktmp-fix-584Tim Rühsen2018-10-082-1/+13
|/ | | | | | | | | | Overriding gnutls_rnd() with visibility 'protected' doesn't always work. E.g. LDFLAGS="-Wl,-Bsymbolic-functions" seems to have priority on Debian derived systems. Fixes #584 Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* tests: added unit test for gnutls_session_set_idtmp-add-unit-testNikos Mavrogiannopoulos2018-10-062-1/+212
| | | | | | | | | | This adds a unit and a negative test which ensures that a client will not be tricked in performing resumption when this function is used. Resolves #585 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls_priority_set: do not override version on handshaketmp-fix-priority-set-callNikos Mavrogiannopoulos2018-10-033-1/+160
| | | | | | | | | | When handshake is in progress, do not override the default TLS version in the session. This allows gnutls_priority_set to be called in the post_client_hello function without breaking the handshake. Resolves #580 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tlsfuzzer-ssl3' into 'master'Nikos Mavrogiannopoulos2018-09-2910-270/+272
|\ | | | | | | | | tlsfuzzer: add missing script See merge request gnutls/gnutls!759
| * tlsfuzzer: disable SSL3.0 in export-ciphers-rejected testDmitry Eremin-Solenikov2018-09-271-1/+21
| | | | | | | | | | | | | | | | These tests will fail with SSL3.0-enabled gnutls-serv unless --ssl3 option was passed. We will run these tests anyway from gnutls-nocert-ssl3.json, so disable them here. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * tlsfuzzer: support running from separate build dirDmitry Eremin-Solenikov2018-09-272-10/+9
| | | | | | | | | | | | | | Adapt tls-fuzzer-common.sh script to be able to run tests in case srcdir != builddir. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * tlsfuzzer: add missing scriptDmitry Eremin-Solenikov2018-09-271-0/+29
| | | | | | | | | | | | | | Makefile.am refers tls-fuzzer-nocert-ssl3.sh script, which is missing in the source tree. Add it back. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * tlsfuzzer: move common code to separate fileDmitry Eremin-Solenikov2018-09-277-185/+72
| | | | | | | | | | | | Move common code to tls-fuzzer-common.sh to ease further adjustments. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * tlsfuzzer: use random port for tls-fuzzer-nocert testDmitry Eremin-Solenikov2018-09-272-73/+136
| | | | | | | | | | | | | | Like the rest of tls-fuzzer tests, pass "-p PORT" to subtests, allowing usage of random port for server. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * tlsfuzzer: use random port for tls-fuzzer-cert testDmitry Eremin-Solenikov2018-09-272-13/+17
| | | | | | | | | | | | | | Like the rest of tls-fuzzer tests, pass "-p PORT" to subtests, allowing usage of random port for server. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | tests: removed unused fileNikos Mavrogiannopoulos2018-09-261-273/+0
|/ | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: pkcs12-utf8 depend on bashtmp-enable-tls13Nikos Mavrogiannopoulos2018-09-241-2/+3
| | | | | | | | | The NetBSD default shell cannot handle the UTF-8 strings we use in that script. Resolves #544 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Enable the TLS1.3 protocol by defaultNikos Mavrogiannopoulos2018-09-246-45/+4
| | | | | | | As the protocol has been finalized, and the implementation is stable and interoperable, there is no need to enable it conditionally. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'tmp-pkcs11-lax-search' into 'master'Nikos Mavrogiannopoulos2018-09-241-0/+131
|\ | | | | | | | | | | | | Provide a less restrictive PKCS#11 search of certificates Closes #569 See merge request gnutls/gnutls!757
| * Provide a more flexible PKCS#11 search of trust store certificatestmp-pkcs11-lax-searchNikos Mavrogiannopoulos2018-09-211-0/+131
| | | | | | | | | | | | | | | | | | | | This addresses the problem where the CA certificate doesn't have a subject key identifier whereas the end certificates have an authority key identifier. Resolves #569 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-be-strict-on-crls' into 'master'Nikos Mavrogiannopoulos2018-09-213-2/+190
|\ \ | | | | | | | | | | | | | | | | | | gnutls-cli enables CRL validation on startup Closes #564 See merge request gnutls/gnutls!752
| * | gnutls-cli: enable CRL validation on startupNikos Mavrogiannopoulos2018-09-213-2/+190
| |/ | | | | | | | | | | | | | | This also makes the failure in adding CRLs or CAs, a fatal error. Resolves #564 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-session-ticket-key-rotation-ajuaristi' into 'master'Nikos Mavrogiannopoulos2018-09-214-6/+590
|\ \ | |/ |/| | | | | | | | | Session ticket key rotation with TOTP Closes #184 See merge request gnutls/gnutls!695
| * tests: use virt-time.h in resumption testsNikos Mavrogiannopoulos2018-09-193-13/+22
| | | | | | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * Added session ticket key rotation with TOTPAnder Juaristi2018-09-193-1/+576
| | | | | | | | | | | | | | | | | | | | | | This introduces session ticket key rotation on server side. The key set with gnutls_session_ticket_enable_server() is used as a master key to generate time-based keys for tickets. The rotation relates to the gnutls_db_set_cache_expiration() period. Resolves #184 Signed-off-by: Ander Juaristi <a@juaristi.eus>
* | Fix issue introduced in 20886264feTim Rühsen2018-09-201-2/+1
| | | | | | | | | | | | | | This makes _gnutls_resolve_priorities() return a string that is always allocated with the gnutls memory functions. Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | x509: print_pubkey: print GOST public key with MSB firstDmitry Eremin-Solenikov2018-09-181-3/+2
| | | | | | | | | | | | | | OpenSSL and other libraries print MSB first, when printing GOST public keys. Let's return to this convention. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | lib: use little endian when importing/exporting GOST keysDmitry Eremin-Solenikov2018-09-182-6/+6
|/ | | | | | | | GOST R 34.10 native format is little endian. It is better for the application code to use native format data to interface library, rather than convert buffers on their own. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* tests: pkcs1-pad: run with SHA-1 enabled or disabledtmp-sha1-fix-testNikos Mavrogiannopoulos2018-09-171-3/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: enable run with SHA-1 enabledNikos Mavrogiannopoulos2018-09-172-2/+12
| | | | | | | This adds a CI run with SHA-1 enabled, and corrects issues in the testsuite when that's the case. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added CRL verification testsNikos Mavrogiannopoulos2018-09-176-1/+92
| | | | | | | | | This tests CRL verification with certtool --verify-crl on correct and incorrect cases. Relates #564 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* dtls: recover when a NewSessionTicket message is lostNikos Mavrogiannopoulos2018-09-142-1/+248
| | | | | | | | | | | When the server's NewSessionTicket gets lost while the ChangeCipherSpec goes through, the client did not request retransmission by retransmitting his last flight, and the handshake was blocked. This commit addresses the issue and adds a reproducer. Resolves #543 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tlsfuzzer: remove duplicate tests and sort them alphabeticallyDaiki Ueno2018-09-141-28/+20
| | | | Signed-off-by: Daiki Ueno <dueno@redhat.com>
View Lorry Controller Status