tests: added checks for OCSP response file support
That is, check the usability of the APIs for setting and using
an ocsp response. This improves and makes more generic the
test suite API and test_cli_serv() in particular.
dtls: added a null pointer check in record_overhead
According to my reading this check is unnecessary as in
no case a null pointer can be encountered. However gcc6
warns about a null pointer dereference and thus adding it,
to be safe.
This error code is returned when the session resumption parameters
are requested during a handshake. That is, to increase the clarity
when requesting these parameters while false start is active and
the handshake is not complete even if gnutls_handshake() has returned.
Martin Ukrop [Wed, 20 Jul 2016 12:52:00 +0000 (14:52 +0200)]
x509: Fix DNS name constraints checking
- If the intersection of name constraints of the given type was empty, the results allowed all names instead of none.
- Fixed by adding a universal excluded name constraint in case the intersection for the particular type is empty.
- Moved the logic of creating a name constraint node copy from _gnutls_name_constraints_intersect to name_constraints_intersect_nodes (previously name_constraints_match), as intersecting IP addresses will require further processing (not just taking one of the compared nodes as was the implementation till now).
- GNUTLS_SAN_MAX added in order to comfortably iterate over SAN type enum.
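
The empty-intersection failure this commit describes, as an added C example: a toy model written for this page, not GnuTLS code. `struct nc`, `nc_intersect`, `nc_allows` and `merged_allows` are hypothetical names; constraints are DNS-only, inputs carry no excluded entries, and names are assumed lower-case. With `fixed` set to 0, merging two disjoint permitted lists leaves no DNS entry, which reads as "unconstrained"; with 1, the merge records an empty-string excluded constraint that matches every name.

```c
#include <string.h>

#define MAX_NC 8
/* Toy DNS-only model (hypothetical type): permitted list plus one excluded entry. */
struct nc { const char *permitted[MAX_NC]; int n; const char *excluded; };

/* name satisfies c if it equals c or is a subdomain of it; "" covers every name */
static int dns_within(const char *name, const char *c)
{
    size_t ln = strlen(name), lc = strlen(c);
    if (ln < lc || strcmp(name + ln - lc, c) != 0) return 0;
    return lc == 0 || ln == lc || name[ln - lc - 1] == '.';
}

/* Intersect two permitted lists; fixed=1 marks an empty result as "deny all". */
static struct nc nc_intersect(const struct nc *a, const struct nc *b, int fixed)
{
    struct nc r = { {0}, 0, NULL };
    const struct nc *only = !a->n ? b : !b->n ? a : NULL;
    for (int i = 0; only && i < only->n; i++)      /* other side is unconstrained */
        r.permitted[r.n++] = only->permitted[i];
    for (int i = 0; i < a->n; i++)
        for (int j = 0; j < b->n && r.n < MAX_NC; j++) {
            const char *p = a->permitted[i], *q = b->permitted[j];
            const char *keep = dns_within(p, q) ? p : dns_within(q, p) ? q : NULL;
            if (keep) r.permitted[r.n++] = keep;   /* keep the narrower of the two */
        }
    if (fixed && a->n && b->n && !r.n) r.excluded = "";  /* universal excluded entry */
    return r;
}

/* Excluded wins; an empty permitted list means the type is unconstrained. */
static int nc_allows(const struct nc *c, const char *name)
{
    if (c->excluded && dns_within(name, c->excluded)) return 0;
    for (int i = 0; i < c->n; i++)
        if (dns_within(name, c->permitted[i])) return 1;
    return c->n == 0;
}

/* Merge two single-entry permitted lists (constructed input) and test a name. */
static int merged_allows(const char *p1, const char *p2, const char *name, int fixed)
{
    struct nc a = { {p1}, 1, NULL }, b = { {p2}, 1, NULL };
    struct nc r = nc_intersect(&a, &b, fixed);
    return nc_allows(&r, name);
}
```
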
Martin Ukrop [Wed, 20 Jul 2016 12:29:40 +0000 (14:29 +0200)]
tests: Add DNS name constraints tests
- One chaintest with empty permitted intersection.
- Merge testset with 2 permitted constraints with empty intersection (intersected list is completely empty).
- Merge testset with 3 permitted constraints, 2 of which have empty intersection.
- Merge testset with 2 permitted constraints with empty intersection and one constraint of different type that remains (intersected list is not empty).
- Enhance failing function with suite number for easier comprehension.
Martin Ukrop [Wed, 20 Jul 2016 12:28:20 +0000 (14:28 +0200)]
tests: Tidy up old X509 name constraints tests
- Use convenience functions for error checking and failure reporting.
- Drop explicit (de)initialization (prevents some not freed reachable memory due to PKCS11 subsystem not being deinitialized in the destructor).
- Use variables to count set permitted/excluded constraints instead of hard-coded numbers.
tests: removed skipped failures due to bugs in softhsm 2.0.0
These are no longer an issue as the CI has been updated to softhsm
2.1.0, which addresses them, and they prevented catching the
GNUTLS-SA-2016-2 regression.
configure: prevent a version of getentropy() in a Linux libc from being used
For now, we auto-detect and switch between getrandom() and /dev/urandom
when the former is not available. With the complexity of dealing with
libc's that have the feature but kernel not supporting it, or vice versa
it is best to keep things simple.
nettle: split the rnd-common to rnd-windows, rnd-getentropy, and rnd-linux
That is, to the windows random generator as well as the getentropy()
generator in BSDs, as well as the getrandom(), /dev/urandom,
and EGD generators on Linux systems.
Added auto-detection of getrandom() system call in Linux systems
In addition use getrandom() via the syscall interface if it doesn't
exist in Libc. The reason for the latter is that getrandom() support
for glibc is in limbo for several years, and for auto-detection is that
even if it is going to be present in libc we will not be able to guarantee
that the system call is available just because it is present in glibc.
For that we detect on initialization whether getrandom() can obtain
random data, and if yes, we continue using that.
certtool: added options to set arbitrary extensions to certificates and requests
This allows setting arbitrary extensions using the following new template options:
add_extension = "5.6.7.8 0x0001020304050607AAABCD"
add_critical_extension = "9.10.11.12.13.14.15.16.17.1.5 0xCAFE"
asm: updated openssl and the asm sources for AES-GCM from openssl 1.0.2h
This improves the performance of AES-GCM significantly by taking
advantage of AVX and MOVBE instructions where available. This
utilizes Andy Polyakov's code under BSD license.
tests: added check to verify the tolerance of broken C_GetAttributes
That is, test gnutls_pkcs11_obj_list_import_url4() when importing
private keys from tokens that return CKR_OK on sensitive objects,
and tokens that return CKR_ATTRIBUTE_SENSITIVE.
pkcs11_get_attribute_avalue: do not assign values on failure
When C_GetAttributeValue() returns size but does not return data
then pkcs11_get_attribute_avalue() would set the return data pointer
to a free'd value. This is against the convention expected by callers,
i.e., set data to NULL. Reported by Anthony Alba in #108.