/* test gnutls_certificate_flags() */
gnutls_certificate_allocate_credentials(&serv_cred);
gnutls_certificate_set_flags(serv_cred, GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH);
+ gnutls_certificate_set_verify_flags(serv_cred, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1);
ret = gnutls_certificate_set_x509_trust_mem(serv_cred, &ca3_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
/* Use default priorities */
gnutls_priority_set_direct(session,
- "NORMAL:+CTYPE-OPENPGP:+DHE-DSS:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256", NULL);
+ "NORMAL:+CTYPE-OPENPGP:+DHE-DSS:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256:%VERIFY_ALLOW_SIGN_WITH_SHA1", NULL);
/* put the x509 credentials to the current session
*/
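Review bot: The return value of `gnutls_priority_set_direct()` is discarded here, and the string now depends on the `%VERIFY_ALLOW_SIGN_WITH_SHA1` keyword. If a given build does not recognise that keyword the call would presumably fail, and the test would continue without the intended priorities instead of reporting the cause. Capture the result (`ret = gnutls_priority_set_direct(session, "...", NULL);`) and route `ret < 0` through the file's usual failure path; the later hunk that changes `gnutls_priority_set_direct` before `gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, pgp_cred)` has the same gap. The new string also keeps the duplicated `+DHE-DSS:+DHE-DSS`, and the `/* Use default priorities */` comment above it no longer describes a string that relaxes SHA-1 verification. The enclosing function starts and ends outside this hunk.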
xcred);
gnutls_transport_set_int(session, sd);
+ gnutls_handshake_set_timeout(session, 20 * 1000);
/* Perform the TLS handshake
*/
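Review bot: The timeout in `gnutls_handshake_set_timeout(session, 20 * 1000);` is an unexplained literal, and the same literal is added again in the later hunk just before `ret = gnutls_handshake(session);`. Give it a name and a reason, for example `#define HANDSHAKE_TIMEOUT_MS (20 * 1000) /* fail the test instead of hanging if the peer stalls */`, or use `GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT` if the library default is acceptable. If these tests also run under a memory checker or on slow builders, 20 seconds may need to be revisited, and a single named constant makes that a one-line change.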
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
- gnutls_priority_set_direct(session, "NORMAL:+CTYPE-OPENPGP:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256", NULL);
+ gnutls_priority_set_direct(session, "NORMAL:+CTYPE-OPENPGP:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256:%VERIFY_ALLOW_SIGN_WITH_SHA1", NULL);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, pgp_cred);
session = initialize_tls_session();
gnutls_transport_set_int(session, sd);
+ gnutls_handshake_set_timeout(session, 20 * 1000);
+
ret = gnutls_handshake(session);
if (ret < 0) {
close(sd);
if test "${NO_DSS}" != 1; then
echo "${PREFIX}Checking TLS 1.2 with DHE-DSS..."
- ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \
fail ${PID} "Failed"
fi
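Review bot: The `%VERIFY_ALLOW_SIGN_WITH_SHA1` keyword is spliced into a different position in each priority string, which makes it hard to audit which tests have SHA-1 verification relaxed. Here it sits between `+SIGN-DSA-SHA1` and `+SIGN-DSA-SHA256`; in the `launch_server` hunk it follows `+CIPHER-ALL`; in the two `PRIORITY=` scripts it follows `+ARCFOUR-128` in one and `NORMAL` in the other. Place it consistently at the end of the fixed part, as the C hunks do, e.g. `...:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256:%VERIFY_ALLOW_SIGN_WITH_SHA1${ADD}`. A one-line comment above each use would also help, such as `# SHA-1 signatures are only accepted here because the DSS test exchange needs them`, with the wording adjusted to the actual reason, which these hunks do not show.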
if test "${NO_DSS}" != 1; then
echo "${PREFIX}Check TLS 1.2 with DHE-DSS ciphersuite"
eval "${GETPORT}"
- launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
+ launch_server $$ --priority "NONE:+CIPHER-ALL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}"
PID=$!
wait_server ${PID}
retval=0
-PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0"
+PRIORITY="NORMAL:+ARCFOUR-128:%VERIFY_ALLOW_SIGN_WITH_SHA1:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0"
${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1
if test $? != 0;then
- PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0"
+ PRIORITY="NORMAL:+ARCFOUR-128:%VERIFY_ALLOW_SIGN_WITH_SHA1:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0"
fi
TLS_PY=./tlslite-ng/scripts/tls.py
retval=0
-PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0"
+PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0"
${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1
if test $? != 0;then
- PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0"
+ PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0"
fi
TLS_PY=./tlslite-ng/scripts/tls.py
const gnutls_datum_t *hash_data;
int ret;
unsigned j;
+ unsigned vflags = 0;
- if (hash == GNUTLS_DIG_SHA1)
+ if (hash == GNUTLS_DIG_SHA1) {
hash_data = &sha1_data;
- else if (hash == GNUTLS_DIG_SHA256)
+ vflags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1;
+ } else if (hash == GNUTLS_DIG_SHA256)
hash_data = &sha256_data;
else
abort();
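Review bot: The rewritten `if` braces only its first branch, so the chain now mixes `if (...) { ... } else if (...)` with unbraced bodies for the SHA-256 and `abort()` arms. Brace all three, using `} else if (hash == GNUTLS_DIG_SHA256) {` and `} else {`, so that a later per-digest flag added to another branch cannot silently fall outside it. A short comment on `vflags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1;` saying that the relaxation applies only to the SHA-1 iteration would document why `vflags` starts at 0. The enclosing function starts and ends outside this hunk.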
ret =
gnutls_pubkey_verify_hash2(pubkey,
- sign_algo, 0,
+ sign_algo, vflags,
hash_data, &signature);
if (ret < 0) {
print_keys(privkey, pubkey);
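Review bot: Every `gnutls_pubkey_verify_hash2()` call in this test now passes `vflags`, so nothing checks that a SHA-1 signature is refused when `GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1` is absent, which is presumably the behaviour the flag exists to override. Add a negative case on the `hash == GNUTLS_DIG_SHA1` path: call `gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0, hash_data, &signature)` and fail the test if it returns `>= 0`. The exact error code to expect should come from the library change, which is not visible in these hunks. The same applies to the later hunks in this file that replace `0` with `vflags`, including the one using `vflags|GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA`. The enclosing function continues outside this hunk.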
/* should fail */
ret =
gnutls_pubkey_verify_hash2(pubkey,
- sign_algo, 0,
+ sign_algo, vflags,
&invalid_hash_data,
&signature);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) {
(pubkey, NULL), hash);
ret =
- gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0,
+ gnutls_pubkey_verify_hash2(pubkey, sign_algo, vflags,
hash_data, &signature);
if (ret < 0)
ERR;
/* should fail */
ret =
- gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0,
+ gnutls_pubkey_verify_hash2(pubkey, sign_algo, vflags,
&invalid_hash_data,
&signature);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) {
ret =
gnutls_pubkey_verify_hash2(pubkey,
sign_algo,
- GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA,
+ vflags|GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA,
hash_data,
&signature);
if (ret < 0) {
testfail("gnutls_x509_pubkey_import\n");
ret =
- gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, 0, hash_data,
+ gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, hash_data,
&signature);
if (ret < 0)
testfail("gnutls_x509_pubkey_verify_hash2\n");
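Review bot: `GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1` is passed unconditionally for every `tests[i]` entry, so the stronger-digest cases in the table also run with SHA-1 verification relaxed, and the test cannot detect a regression in the default rejection. A later hunk reads `tests[i].digest`, so the flag can be derived per entry, assuming that hunk belongs to the same loop: `unsigned vflags = tests[i].digest == GNUTLS_DIG_SHA1 ? GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 : 0;`, with `vflags` then passed in place of the constant. This matches the `vflags` approach used in the other verify-hash test and applies equally to the following hunks that pass the constant with `&signature2`.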
ret =
- gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, 0, hash_data,
+ gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, hash_data,
&signature2);
if (ret < 0)
testfail("gnutls_x509_pubkey_verify_hash-1 (hashed data)\n");
/* should fail */
ret =
- gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, 0,
- invalid_hash_data,
- &signature2);
+ gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo,
+ GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1,
+ invalid_hash_data,
+ &signature2);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)
testfail("gnutls_x509_pubkey_verify_hash-2 (hashed data)\n");
(pubkey, NULL), tests[i].digest);
ret =
- gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0,
+ gnutls_pubkey_verify_hash2(pubkey, sign_algo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1,
hash_data, &signature2);
if (ret < 0)
testfail("gnutls_x509_pubkey_verify_hash2-1 (hashed data)\n");
/* should fail */
ret =
- gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0,
+ gnutls_pubkey_verify_hash2(pubkey, sign_algo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1,
invalid_hash_data,
&signature2);
if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED)