From tim.ruehsen at gmx.de Tue Aug 2 16:47:54 2016 
From: tim.ruehsen at gmx.de (Tim Ruehsen)
Date: Tue, 02 Aug 2016 16:47:54 +0200
Subject: [gnutls-devel] Speedup idea...
Message-ID: <7742688.hTZLG4inon@blitz-lx>

Hi Nikos, hi list.

Right after gnutls_init() the wget/wget2 code loads the certificate list - all available certs. That is currently 172 CA certs on Debian Sid right now.

This takes 15-20ms here (i3, 3.1GHz), when the files are already cached.

With session resumption (or False Start) and TCP Fast Open I just have 1xRTT tradeoff for TLS handshake. With slightly less than 33ms RTT that lets me theoretically fetch a file via HTTPS in ~66ms. But I have this damn load-them-all-CA (gnutls_certificate_set_x509_system_trust()) taking another 15ms, so I am at ~81ms for fetching a file. This is quite a big portion of the overall download time - having lower RTT makes this relation even worse.

My quick solution was (I thought it could work), why not load the certs during the handshake. Right after the first write(), when the handshake waits for the server answer, I have 33ms of time that I can use for loading.

But then... in ciphersuites.c/_gnutls_remove_unwanted_ciphersuites(), you "unload" all ciphersuites not needed by the certs, resulting in an error if no certs are loaded (because having 0 ciphersuites for client hello).

But everything works like a charm (I really have just 66ms total time) when I remove these lines from ciphersuites.c/_gnutls_remove_unwanted_ciphersuites():

    if (!session->internals.premaster_set &&
        _gnutls_get_kx_cred(session, kx) == NULL) {
            continue;
    }

I guess, all cipher suites known by GnuTLS (or set via priorities) are offered by the client hello !?

What can we/I do to make the above scenario 'officially' work ?
Wouldn't it be good to offer all cipher suites set by gnutls_priority_set() ?
AFAIR, OpenSSL does not need certs to be loaded before client hello... but I might be wrong.

Regards, Tim
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Wed, 03 Aug 2016 06:43:39 +0200
Subject: [gnutls-devel] Speedup idea...
In-Reply-To: <7742688.hTZLG4inon@blitz-lx>
References: <7742688.hTZLG4inon@blitz-lx>
Message-ID:

Hi Tim,

During handshake you must have a certificate credentials structure set or the handshake will fail as you say. It may be empty though, it doesn't need to have ca certificates set. You can load these prior to calling the certificate verify peers function. This violates the rule that the credentials must be read only after being set on a session, but on client side they are only used during verification. An alternative approach is to verify the peers certificates using a trust list.

Btw out of curiosity, have you tested the same operation in fedora which uses the p11kit trust module instead of files?

-- 
Sent from my mobile. Please excuse my brevity.
From: tim.ruehsen at gmx.de (Tim Ruehsen)
Date: Wed, 03 Aug 2016 10:19:54 +0200
Subject: [gnutls-devel] Speedup idea...
In-Reply-To:
References: <7742688.hTZLG4inon@blitz-lx>
Message-ID: <2649316.ZQDDIFLkro@blitz-lx>

Hi Nikos,

thanks for your answer.

On Wednesday, August 3, 2016 6:43:39 AM CEST Nikos Mavrogiannopoulos wrote:
> Hi Tim,
> During handshake you must have a certificate credentials structure set or
> the handshake will fail as you say. It may be empty though, it doesn't
> need to have ca certificates set. You can load these prior to calling the
> certificate verify peers function.

Fine, thanks again. It works as you say.

> This violates the rule that the credentials must be read only after being
> set on a session, but on client side they are only used during
> verification. An alternative approach is to verify the peers certificates
> using a trust list.

My goal is to only load that CA cert(s) that really have to be checked against. I need to create a hash from the server certs which 'point' to the CA cert files on disk, like OpenSSL already does. Well, we talked about that in the past and you pointed me to p11kit... but in fact, I so far do not really have a 'big picture' - the p11kit docs are mostly technical details, no understandable explanation what it's all about.

> Btw out of curiosity, have you tested the same operation in fedora which
> uses the p11kit trust module instead of files?

I don't have a fedora VM installed. If you have (and have time), maybe you send me the output of 'wget -d https://www.google.com/a.html' - it only makes sense if wget is linked to GnuTLS, of course.

Regards, Tim
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Thu, 4 Aug 2016 13:46:13 +0200
Subject: [gnutls-devel] pkcs11 api: exposing the low level handles
Message-ID:

Hi,

Gnutls pkcs11 wrapping API is quite limited, but I would like to keep it so intentionally, so that we handle basic operations without making a huge API over another huge API. However, on several occasions it may be good to use gnutls' API and expose any internal pkcs11 handles for advanced use (e.g., use with a mechanism not supported by gnutls).

Does that make sense overall, are there use-cases of it you've encountered? If yes, would an API such as in [0] satisfy those needs, or would we need something more advanced (if so please propose)?

regards,
Nikos

[0]. https://gitlab.com/gnutls/gnutls/merge_requests/38/commits
From: tim.ruehsen at gmx.de (Tim Ruehsen)
Date: Fri, 05 Aug 2016 14:04:00 +0200
Subject: [gnutls-devel] Speedup idea...
In-Reply-To: <2649316.ZQDDIFLkro@blitz-lx>
References: <7742688.hTZLG4inon@blitz-lx> <2649316.ZQDDIFLkro@blitz-lx>
Message-ID: <1755561.zbYpCI7zt6@blitz-lx>

On Wednesday, August 3, 2016 10:19:54 AM CEST Tim Ruehsen wrote:
> My goal is to only load that CA cert(s) that really have to be checked
> against. I need to create a hash from the server certs which 'point' to the
> CA cert files on disk, like OpenSSL already does. Well, we talked about
> that in the past and you pointed me to p11kit... but in fact, I so far do
> not really have a 'big picture' - the p11kit docs are mostly technical
> details, no understandable explanation what it's all about.

Hi Nikos,

maybe you can help me.

I found no OpenSSL-like subject hashing in p11kit, so I looked at the source - and it *basically* does a sha1 sum of the certificate subject.

Doing the same in GnuTLS certtool fails (but I am close:).
The 'subject' in OpenSSL (same cert) has 95 bytes and looks slightly different than what GnuTLS gives me (97 bytes).

The hexdump of OpenSSL's subject:
310B300906035504060C02757331173015060355040A0C0E766572697369676E2C20696E632E31373035060355040B0C2E636C6173732033207075626C6963207072696D6172792063657274696669636174696F6E20617574686F72697479

The hexdump of GnuTLS's subject:
305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479

With GnuTLS, I used
asn1_der_coding(cert->cert, "tbsCertificate.subject", ...)

Well, is there some kind of 'ASN.1 normalization', or how can I retrieve the same bytes that OpenSSL shows ?

Regards, Tim
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Fri, 5 Aug 2016 14:30:52 +0200
Subject: [gnutls-devel] Speedup idea...
In-Reply-To: <1755561.zbYpCI7zt6@blitz-lx>
References: <7742688.hTZLG4inon@blitz-lx> <2649316.ZQDDIFLkro@blitz-lx> <1755561.zbYpCI7zt6@blitz-lx>
Message-ID:

On Fri, Aug 5, 2016 at 2:04 PM, Tim Ruehsen wrote:
> On Wednesday, August 3, 2016 10:19:54 AM CEST Tim Ruehsen wrote:
>> My goal is to only load that CA cert(s) that really have to be checked
>> against. I need to create a hash from the server certs which 'point' to the
>> CA cert files on disk, like OpenSSL already does. Well, we talked about
>> that in the past and you pointed me to p11kit... but in fact, I so far do
>> not really have a 'big picture' - the p11kit docs are mostly technical
>> details, no understandable explanation what it's all about.
>
> Hi Nikos,
>
> maybe you can help me.
>
> I found no OpenSSL-like subject hashing in p11kit, so I looked at the source -
> and it *basically* does a sha1 sum of the certificate subject.

There is p11_openssl_symlink() which does some magic there, including md5 hashes. This may be out-of-date though as this bug indicates [0].

[0]. https://bugzilla.redhat.com/show_bug.cgi?id=1053882

> Doing the same in GnuTLS certtool fails (but I am close:).
> The 'subject' in OpenSSL (same cert) has 95 bytes and looks slightly different
> than what GnuTLS gives me (97 bytes).

Did you try using gnutls_x509_crt_get_raw_dn() or the issuer equivalent?

> The hexdump of OpenSSL's subject:
> 310B300906035504060C02757331173015060355040A0C0E766572697369676E2C20696E632E31373035060355040B0C2E636C6173732033207075626C6963207072696D6172792063657274696669636174696F6E20617574686F72697479
>
> The hexdump of GnuTLS's subject:
> 305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479
>
> With GnuTLS, I used
> asn1_der_coding(cert->cert, "tbsCertificate.subject", ...)
> Well, is there some kind of 'ASN.1 normalization', or how can I retrieve the
> same bytes that OpenSSL shows ?

It seems the latter includes the SEQUENCE bytes of RDNSequence, while the former has these removed. It seems (without having fully checked it) that p11_openssl_canon_name_der() in p11-kit's trust module does something similar. The comment: "Yes the OpenSSL canon strangeness, is a concatenation of all the RelativeDistinguishedName DER encodings, without an outside wrapper." implies that.

regards,
Nikos
From: tim.ruehsen at gmx.de (Tim Ruehsen)
Date: Fri, 05 Aug 2016 16:23:33 +0200
Subject: [gnutls-devel] Speedup idea...
In-Reply-To:
References: <7742688.hTZLG4inon@blitz-lx> <1755561.zbYpCI7zt6@blitz-lx>
Message-ID: <1505502.gPti3M4iAP@blitz-lx>

On Friday, August 5, 2016 2:30:52 PM CEST Nikos Mavrogiannopoulos wrote:
> On Fri, Aug 5, 2016 at 2:04 PM, Tim Ruehsen wrote:
> > On Wednesday, August 3, 2016 10:19:54 AM CEST Tim Ruehsen wrote:
> >> My goal is to only load that CA cert(s) that really have to be checked
> >> against. I need to create a hash from the server certs which 'point' to
> >> the CA cert files on disk, like OpenSSL already does. Well, we talked about
> >> that in the past and you pointed me to p11kit... but in fact, I so far do
> >> not really have a 'big picture' - the p11kit docs are mostly technical
> >> details, no understandable explanation what it's all about.
> >
> > Hi Nikos,
> >
> > maybe you can help me.
> >
> > I found no OpenSSL-like subject hashing in p11kit, so I looked at the
> > source - and it *basically* does a sha1 sum of the certificate subject.
>
> There is p11_openssl_symlink() which does some magic there, including
> md5 hashes. This may be out-of-date though as this bug indicates [0].
> [0]. https://bugzilla.redhat.com/show_bug.cgi?id=1053882

Nice ! In fact I overlooked p11_openssl_symlink(). It does both, the old md5 hash symlink and the current sha1 hash.

> > Doing the same in GnuTLS certtool fails (but I am close:).
> > The 'subject' in OpenSSL (same cert) has 95 bytes and looks slightly
> > different than what GnuTLS gives me (97 bytes).
>
> Did you try using gnutls_x509_crt_get_raw_dn() or the issuer equivalent?

P11-kit has the code, though I have no idea if p11-kit uses these hashes to find the CA certs from the server's certs received during handshake. I am clueless, if anything else is needed. I guess, GnuTLS doesn't need an API for that... but how do I convert GnuTLS structures into p11-kit structures to use p11 API directly ? Was your recent question about "exposing low level handles from pkcs11" ? If yes, that is what I need...

> > The hexdump of OpenSSL's subject:
> > 310B300906035504060C02757331173015060355040A0C0E766572697369676E2C20696E632E31373035060355040B0C2E636C6173732033207075626C6963207072696D6172792063657274696669636174696F6E20617574686F72697479
> >
> > The hexdump of GnuTLS's subject:
> > 305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479
> >
> > With GnuTLS, I used
> >
> > asn1_der_coding(cert->cert, "tbsCertificate.subject", ...)
> >
> > Well, is there some kind of 'ASN.1 normalization', or how can I retrieve
> > the same bytes that OpenSSL shows ?
>
> It seems the latter includes the SEQUENCE bytes of RDNSequence, while
> the former has these removed. It seems (without having fully checked
> it) that p11_openssl_canon_name_der() in p11-kit's trust module does
> something similar. The comment: "Yes the OpenSSL canon strangeness, is
> a concatenation of all the RelativeDistinguishedName DER encodings,
> without an outside wrapper." implies that.

I see that now, thanks.

Regards, Tim
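As an added example (my code, not from the thread, OpenSSL or p11-kit), the block below runs the two hexdumps quoted in this exchange through OpenSSL's canonical name encoding and derives the subject-hash file name that an OpenSSL-style CA directory (and p11_openssl_symlink()) uses for that CA. Besides the missing SEQUENCE header discussed above, the two dumps also differ in string tag (PrintableString 0x13 became UTF8String 0x0C) and in case, which is what OpenSSL's x509_name_canon() does before X509_NAME_hash() takes the SHA-1. The DER parser and all helper names are mine; hashlib.md5 for the old-style hash is assumed to be available.

```python
import hashlib
import re

# Both hex strings are copied from Tim's post: the 97-byte raw DER subject that
# GnuTLS returns (an RDNSequence with its outer SEQUENCE) and OpenSSL's 95-byte dump.
GNUTLS_RAW_DN_HEX = "305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479"
OPENSSL_CANON_HEX = "310B300906035504060C02757331173015060355040A0C0E766572697369676E2C20696E632E31373035060355040B0C2E636C6173732033207075626C6963207072696D6172792063657274696669636174696F6E20617574686F72697479"

TAG_OID, TAG_UTF8STRING, TAG_SEQUENCE, TAG_SET = 0x06, 0x0C, 0x30, 0x31
# String types that OpenSSL's x509_name_canon() rewrites as UTF8String
# (ASN1_MASK_CANON: UTF8, Printable, T61, IA5, Visible, Universal, BMP).
CANON_STRING_TAGS = {0x0C, 0x13, 0x14, 0x16, 0x1A, 0x1C, 0x1E}


def _read_tlv(buf, pos):
    """Parse one DER element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length; up to 4 bytes is plenty for a DN
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _encode_tlv(tag, value):
    """DER-encode tag, definite length and value."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _canon_text(tag, value):
    """asn1_string_canon(): to UTF-8, collapse runs of ASCII whitespace to one
    space, strip it at both ends, lowercase ASCII letters only."""
    codec = {0x1E: "utf-16-be", 0x1C: "utf-32-be", 0x14: "latin-1"}.get(tag, "utf-8")
    text = re.sub(r"[ \t\n\v\f\r]+", " ", value.decode(codec)).strip(" ")
    return "".join(c.lower() if c.isascii() else c for c in text).encode("utf-8")


def strip_outer_sequence(raw_dn):
    """Drop only the RDNSequence header (the difference Nikos points at): the
    result already has OpenSSL's 95-byte length, but not yet its bytes."""
    tag, body, end = _read_tlv(raw_dn, 0)
    if tag != TAG_SEQUENCE or end != len(raw_dn):
        raise ValueError("input is not a single DER SEQUENCE (RDNSequence)")
    return body


def canonicalize_dn(raw_dn):
    """OpenSSL's canonical name encoding: no outer SEQUENCE, every string value
    re-tagged as UTF8String after _canon_text(); RDN SET/SEQUENCE nesting and
    attribute OIDs are kept.  Assumption: multi-valued RDNs keep their input
    order (the DER SET OF re-sort is not applied here)."""
    out, body, pos = bytearray(), strip_outer_sequence(raw_dn), 0
    while pos < len(body):
        set_tag, rdn, pos = _read_tlv(body, pos)
        if set_tag != TAG_SET:
            raise ValueError("expected RelativeDistinguishedName SET")
        new_rdn, p = bytearray(), 0
        while p < len(rdn):
            seq_tag, atv, p = _read_tlv(rdn, p)
            oid_tag, oid, q = _read_tlv(atv, 0)
            val_tag, val, q = _read_tlv(atv, q)
            if seq_tag != TAG_SEQUENCE or oid_tag != TAG_OID or q != len(atv):
                raise ValueError("malformed AttributeTypeAndValue")
            if val_tag in CANON_STRING_TAGS:
                val_tlv = _encode_tlv(TAG_UTF8STRING, _canon_text(val_tag, val))
            else:  # non-string values are copied through unchanged
                val_tlv = _encode_tlv(val_tag, val)
            new_rdn += _encode_tlv(TAG_SEQUENCE, _encode_tlv(TAG_OID, oid) + val_tlv)
        out += _encode_tlv(TAG_SET, bytes(new_rdn))
    return bytes(out)


def hash_prefix_le32(digest):
    """X509_NAME_hash*() result: the first four digest bytes read little-endian."""
    return int.from_bytes(digest[:4], "little")


def openssl_subject_hash(raw_dn):
    """X509_NAME_hash(): SHA-1 over the canonical encoding ('subject_hash')."""
    return hash_prefix_le32(hashlib.sha1(canonicalize_dn(raw_dn)).digest())


def openssl_subject_hash_old(raw_dn):
    """X509_NAME_hash_old(): MD5 over the full DER, outer SEQUENCE included.
    p11_openssl_symlink() creates a link for this older form as well."""
    return hash_prefix_le32(hashlib.md5(raw_dn).digest())


def ca_file_name(raw_issuer_dn, index=0):
    """Name a hashed CA directory uses for this issuer: eight hex digits, '.', index."""
    return "%08x.%d" % (openssl_subject_hash(raw_issuer_dn), index)
```

Feeding the raw issuer DN of a received server certificate to ca_file_name() gives the one file that needs loading from an OpenSSL-style hashed directory, which is the lookup Tim describes wanting instead of loading every CA.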
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Fri, 5 Aug 2016 16:46:50 +0200
Subject: [gnutls-devel] Speedup idea...
In-Reply-To: <1505502.gPti3M4iAP@blitz-lx>
References: <7742688.hTZLG4inon@blitz-lx> <1755561.zbYpCI7zt6@blitz-lx> <1505502.gPti3M4iAP@blitz-lx>
Message-ID:

On Fri, Aug 5, 2016 at 4:23 PM, Tim Ruehsen wrote:
>> > Doing the same in GnuTLS certtool fails (but I am close:).
>> > The 'subject' in OpenSSL (same cert) has 95 bytes and looks slightly
>> > different than what GnuTLS gives me (97 bytes).
>>
>> Did you try using gnutls_x509_crt_get_raw_dn() or the issuer equivalent?
>
> P11-kit has the code, though I have no idea if p11-kit uses these hashes to
> find the CA certs from the servers certs received during handshake.

It uses it, to generate the certificate dir the way openssl expects it.

> I am clueless, if anything else is needed. I guess, GnuTLS doesn't need an API
> for that... but how do I convert GnuTLS structures into p11-kit structures to
> use p11 API directly ?

Could you be more specific? What would you like to convert?

regards,
Nikos
From: Stefan.Sorensen at spectralink.com (Sørensen, Stefan)
Date: Mon, 8 Aug 2016 11:30:39 +0000
Subject: [gnutls-devel] DCO
Message-ID: <1470655839.2357.3.camel@spectralink.com>

Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.

From: stefan.sorensen at spectralink.com (Stefan Sørensen)
Date: Mon, 8 Aug 2016 13:31:17 +0200
Subject: [gnutls-devel] [PATCH 4/5] tests: Use common ca3 test certificates in x509cert, x509dn and x509self tests.
In-Reply-To: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com>
References: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com>
Message-ID: <1470655878-9651-4-git-send-email-stefan.sorensen@spectralink.com>
Signed-off-by: Stefan S?rensen --- tests/x509cert.c | 136 ++++++++----------------------------------------------- tests/x509dn.c | 102 +++-------------------------------------- tests/x509self.c | 101 +++-------------------------------------- 3 files changed, 32 insertions(+), 307 deletions(-) diff --git a/tests/x509cert.c b/tests/x509cert.c index 7cf814a..ba03f82 100644 --- a/tests/x509cert.c +++ b/tests/x509cert.c @@ -41,6 +41,7 @@ #include #include "utils.h" +#include "cert-common.h" /* Test for gnutls_certificate_get_issuer() and implicitly for * gnutls_trust_list_get_issuer(). 
@@ -51,107 +52,6 @@ static void tls_log_func(int level, const char *str) fprintf(stderr, "<%d>| %s", level, str); } -static unsigned char ca_pem[] = - "-----BEGIN CERTIFICATE-----\n" - "MIIB5zCCAVKgAwIBAgIERiYdJzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTExWhcNMDgwNDE3MTMyOTExWjAZMRcw\n" - "FQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA\n" - "vuyYeh1vfmslnuggeEKgZAVmQ5ltSdUY7H25WGSygKMUYZ0KT74v8C780qtcNt9T\n" - "7EPH/N6RvB4BprdssgcQLsthR3XKA84jbjjxNCcaGs33lvOz8A1nf8p3hD+cKfRi\n" - "kfYSW2JazLrtCC4yRCas/SPOUxu78of+3HiTfFm/oXUCAwEAAaNDMEEwDwYDVR0T\n" - "AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTpPBz7rZJu5gak\n" - "Viyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAiaIRqGfp1jPpNeVhABK60SU0KIAy\n" - "njuu7kHq5peUgYn8Jd9zNzExBOEp1VOipGsf6G66oQAhDFp2o8zkz7ZH71zR4HEW\n" - "KoX6n5Emn6DvcEH/9pAhnGxNHJAoS7czTKv/JDZJhkqHxyrE1fuLsg5Qv25DTw7+\n" - "PfqUpIhz5Bbm7J4=\n" "-----END CERTIFICATE-----\n"; -const gnutls_datum_t ca = { ca_pem, sizeof(ca_pem) - 1}; - -static unsigned char cert_pem[] = - "-----BEGIN CERTIFICATE-----\n" - "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n" - "GQYDVQQDExJHbnVUTFMgdGVzdCBjbGllbnQwgZwwCwYJKoZIhvcNAQEBA4GMADCB\n" - "iAKBgLtmQ/Xyxde2jMzF3/WIO7HJS2oOoa0gUEAIgKFPXKPQ+GzP5jz37AR2ExeL\n" - "ZIkiW8DdU3w77XwEu4C5KL6Om8aOoKUSy/VXHqLnu7czSZ/ju0quak1o/8kR4jKN\n" - "zj2AC41179gAgY8oBAOgIo1hBAf6tjd9IQdJ0glhaZiQo1ipAgMBAAGjdjB0MAwG\n" - "A1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweg\n" - "ADAdBgNVHQ4EFgQUTLkKm/odNON+3svSBxX+odrLaJEwHwYDVR0jBBgwFoAU6Twc\n" - "+62SbuYGpFYsouHAUyfI8pUwCwYJKoZIhvcNAQEFA4GBALujmBJVZnvaTXr9cFRJ\n" - "jpfc/3X7sLUsMvumcDE01ls/cG5mIatmiyEU9qI3jbgUf82z23ON/acwJf875D3/\n" - "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n" - "dc8Siq5JojruiMizAf0pA7in\n" "-----END CERTIFICATE-----\n" - "-----BEGIN CERTIFICATE-----\n" - 
"MIIB5zCCAVKgAwIBAgIERiYdJzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTExWhcNMDgwNDE3MTMyOTExWjAZMRcw\n" - "FQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA\n" - "vuyYeh1vfmslnuggeEKgZAVmQ5ltSdUY7H25WGSygKMUYZ0KT74v8C780qtcNt9T\n" - "7EPH/N6RvB4BprdssgcQLsthR3XKA84jbjjxNCcaGs33lvOz8A1nf8p3hD+cKfRi\n" - "kfYSW2JazLrtCC4yRCas/SPOUxu78of+3HiTfFm/oXUCAwEAAaNDMEEwDwYDVR0T\n" - "AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTpPBz7rZJu5gak\n" - "Viyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAiaIRqGfp1jPpNeVhABK60SU0KIAy\n" - "njuu7kHq5peUgYn8Jd9zNzExBOEp1VOipGsf6G66oQAhDFp2o8zkz7ZH71zR4HEW\n" - "KoX6n5Emn6DvcEH/9pAhnGxNHJAoS7czTKv/JDZJhkqHxyrE1fuLsg5Qv25DTw7+\n" - "PfqUpIhz5Bbm7J4=\n" "-----END CERTIFICATE-----\n"; -const gnutls_datum_t cert = { cert_pem, sizeof(cert_pem) - 1}; - -static unsigned char key_pem[] = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n" - "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n" - "aP/JEeIyjc49gAuNde/YAIGPKAQDoCKNYQQH+rY3fSEHSdIJYWmYkKNYqQIDAQAB\n" - "AoGADpmARG5CQxS+AesNkGmpauepiCz1JBF/JwnyiX6vEzUh0Ypd39SZztwrDxvF\n" - "PJjQaKVljml1zkJpIDVsqvHdyVdse8M+Qn6hw4x2p5rogdvhhIL1mdWo7jWeVJTF\n" - "RKB7zLdMPs3ySdtcIQaF9nUAQ2KJEvldkO3m/bRJFEp54k0CQQDYy+RlTmwRD6hy\n" - "7UtMjR0H3CSZJeQ8svMCxHLmOluG9H1UKk55ZBYfRTsXniqUkJBZ5wuV1L+pR9EK\n" - "ca89a+1VAkEA3UmBelwEv2u9cAU1QjKjmwju1JgXbrjEohK+3B5y0ESEXPAwNQT9\n" - "TrDM1m9AyxYTWLxX93dI5QwNFJtmbtjeBQJARSCWXhsoaDRG8QZrCSjBxfzTCqZD\n" - "ZXtl807ymCipgJm60LiAt0JLr4LiucAsMZz6+j+quQbSakbFCACB8SLV1QJBAKZQ\n" - "YKf+EPNtnmta/rRKKvySsi3GQZZN+Dt3q0r094XgeTsAqrqujVNfPhTMeP4qEVBX\n" - "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n" - "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n" - "-----END RSA PRIVATE KEY-----\n"; -const gnutls_datum_t key = { key_pem, sizeof(key_pem) - 1}; - -static unsigned char server_cert_pem[] = - "-----BEGIN CERTIFICATE-----\n" - 
"MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" - "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" - "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" - "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" - "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" - "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" - "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" - "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" - "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" - "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" - "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" - "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; - -const gnutls_datum_t server_cert = { server_cert_pem, - sizeof(server_cert_pem) - 1 -}; - -static unsigned char server_key_pem[] = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" - "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" - "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" - "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" - "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" - "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" - "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" - "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" - "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" - "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" - "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" - "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" - "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" 
- "-----END RSA PRIVATE KEY-----\n"; - -const gnutls_datum_t server_key = { server_key_pem, - sizeof(server_key_pem) - 1 -}; #define LIST_SIZE 3 void doit(void) @@ -183,11 +83,11 @@ void doit(void) gnutls_global_set_log_level(6); gnutls_certificate_allocate_credentials(&x509_cred); - gnutls_certificate_set_x509_trust_mem(x509_cred, &ca, + gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); - gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert, - &server_key, + gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_cert, + &server_ca3_key, GNUTLS_X509_FMT_PEM); /* test for gnutls_certificate_get_issuer() */ @@ -196,7 +96,7 @@ void doit(void) * certificate */ list_size = LIST_SIZE; ret = - gnutls_x509_crt_list_import(list, &list_size, &ca, + gnutls_x509_crt_list_import(list, &list_size, &ca3_cert, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) @@ -205,7 +105,7 @@ void doit(void) list_size = LIST_SIZE; ret = - gnutls_x509_crt_list_import(list, &list_size, &cert, + gnutls_x509_crt_list_import(list, &list_size, &cli_ca3_cert, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) @@ -249,12 +149,12 @@ void doit(void) if (ret < 0) fail("gnutls_x509_privkey_export2"); - if (get_datum.size != server_key.size || - memcmp(get_datum.data, server_key.data, get_datum.size) != 0) { + if (get_datum.size != server_ca3_key.size || + memcmp(get_datum.data, server_ca3_key.data, get_datum.size) != 0) { fail( "exported key %u vs. %u\n\n%s\n\nvs.\n\n%s", - get_datum.size, server_key.size, - get_datum.data, server_key.data); + get_datum.size, server_ca3_key.size, + get_datum.data, server_ca3_key.data); } gnutls_free(get_datum.data); 
@@ -273,12 +173,12 @@ void doit(void) if (ret < 0) fail("gnutls_x509_crt_export2"); - if (get_datum.size != server_cert.size || - memcmp(get_datum.data, server_cert.data, get_datum.size) != 0) { + if (get_datum.size != server_ca3_cert.size || + memcmp(get_datum.data, server_ca3_cert.data, get_datum.size) != 0) { fail( "exported certificate %u vs. %u\n\n%s\n\nvs.\n\n%s", - get_datum.size, server_cert.size, - get_datum.data, server_cert.data); + get_datum.size, server_ca3_cert.size, + get_datum.data, server_ca3_cert.data); } gnutls_free(get_datum.data); @@ -298,12 +198,12 @@ void doit(void) if (ret < 0) fail("gnutls_x509_crt_export2"); - if (get_datum.size != ca.size || - memcmp(get_datum.data, ca.data, get_datum.size) != 0) { + if (get_datum.size != ca3_cert.size || + memcmp(get_datum.data, ca3_cert.data, get_datum.size) != 0) { fail( "exported CA certificate %u vs. %u\n\n%s\n\nvs.\n\n%s", - get_datum.size, ca.size, - get_datum.data, ca.data); + get_datum.size, ca3_cert.size, + get_datum.data, ca3_cert.data); } gnutls_x509_crt_deinit(get_ca_crt); diff --git a/tests/x509dn.c b/tests/x509dn.c index 4263265..3eb1e29 100644 --- a/tests/x509dn.c +++ b/tests/x509dn.c @@ -29,6 +29,7 @@ #include #include +#include "cert-common.h" #if defined(_WIN32) 
@@ -70,56 +71,7 @@ static void tls_log_func(int level, const char *str) #define MAX_BUF 1024 #define MSG "Hello TLS" -static unsigned char ca_pem[] = - "-----BEGIN CERTIFICATE-----\n" - "MIIB5zCCAVKgAwIBAgIERiYdJzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTExWhcNMDgwNDE3MTMyOTExWjAZMRcw\n" - "FQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA\n" - "vuyYeh1vfmslnuggeEKgZAVmQ5ltSdUY7H25WGSygKMUYZ0KT74v8C780qtcNt9T\n" - "7EPH/N6RvB4BprdssgcQLsthR3XKA84jbjjxNCcaGs33lvOz8A1nf8p3hD+cKfRi\n" - "kfYSW2JazLrtCC4yRCas/SPOUxu78of+3HiTfFm/oXUCAwEAAaNDMEEwDwYDVR0T\n" - "AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTpPBz7rZJu5gak\n" - "Viyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAiaIRqGfp1jPpNeVhABK60SU0KIAy\n" - "njuu7kHq5peUgYn8Jd9zNzExBOEp1VOipGsf6G66oQAhDFp2o8zkz7ZH71zR4HEW\n" - "KoX6n5Emn6DvcEH/9pAhnGxNHJAoS7czTKv/JDZJhkqHxyrE1fuLsg5Qv25DTw7+\n" - "PfqUpIhz5Bbm7J4=\n" "-----END CERTIFICATE-----\n"; -const gnutls_datum_t ca = { ca_pem, sizeof(ca_pem) }; - -static unsigned char cert_pem[] = - "-----BEGIN CERTIFICATE-----\n" - "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n" - "GQYDVQQDExJHbnVUTFMgdGVzdCBjbGllbnQwgZwwCwYJKoZIhvcNAQEBA4GMADCB\n" - "iAKBgLtmQ/Xyxde2jMzF3/WIO7HJS2oOoa0gUEAIgKFPXKPQ+GzP5jz37AR2ExeL\n" - "ZIkiW8DdU3w77XwEu4C5KL6Om8aOoKUSy/VXHqLnu7czSZ/ju0quak1o/8kR4jKN\n" - "zj2AC41179gAgY8oBAOgIo1hBAf6tjd9IQdJ0glhaZiQo1ipAgMBAAGjdjB0MAwG\n" - "A1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweg\n" - "ADAdBgNVHQ4EFgQUTLkKm/odNON+3svSBxX+odrLaJEwHwYDVR0jBBgwFoAU6Twc\n" - "+62SbuYGpFYsouHAUyfI8pUwCwYJKoZIhvcNAQEFA4GBALujmBJVZnvaTXr9cFRJ\n" - "jpfc/3X7sLUsMvumcDE01ls/cG5mIatmiyEU9qI3jbgUf82z23ON/acwJf875D3/\n" - "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n" - "dc8Siq5JojruiMizAf0pA7in\n" "-----END CERTIFICATE-----\n"; -const gnutls_datum_t cert = { cert_pem, sizeof(cert_pem) }; - -static unsigned 
char key_pem[] = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n" - "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n" - "aP/JEeIyjc49gAuNde/YAIGPKAQDoCKNYQQH+rY3fSEHSdIJYWmYkKNYqQIDAQAB\n" - "AoGADpmARG5CQxS+AesNkGmpauepiCz1JBF/JwnyiX6vEzUh0Ypd39SZztwrDxvF\n" - "PJjQaKVljml1zkJpIDVsqvHdyVdse8M+Qn6hw4x2p5rogdvhhIL1mdWo7jWeVJTF\n" - "RKB7zLdMPs3ySdtcIQaF9nUAQ2KJEvldkO3m/bRJFEp54k0CQQDYy+RlTmwRD6hy\n" - "7UtMjR0H3CSZJeQ8svMCxHLmOluG9H1UKk55ZBYfRTsXniqUkJBZ5wuV1L+pR9EK\n" - "ca89a+1VAkEA3UmBelwEv2u9cAU1QjKjmwju1JgXbrjEohK+3B5y0ESEXPAwNQT9\n" - "TrDM1m9AyxYTWLxX93dI5QwNFJtmbtjeBQJARSCWXhsoaDRG8QZrCSjBxfzTCqZD\n" - "ZXtl807ymCipgJm60LiAt0JLr4LiucAsMZz6+j+quQbSakbFCACB8SLV1QJBAKZQ\n" - "YKf+EPNtnmta/rRKKvySsi3GQZZN+Dt3q0r094XgeTsAqrqujVNfPhTMeP4qEVBX\n" - "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n" - "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n" - "-----END RSA PRIVATE KEY-----\n"; -const gnutls_datum_t key = { key_pem, sizeof(key_pem) }; - -#define EXPECT_RDN0 "GnuTLS test CA" +#define EXPECT_RDN0 "CA-3" static int cert_callback(gnutls_session_t session, @@ -200,7 +152,7 @@ static void client(int sd) /* sets the trusted cas file */ - ret = gnutls_certificate_set_x509_trust_mem(xcred, &ca, + ret = gnutls_certificate_set_x509_trust_mem(xcred, &ca3_cert, GNUTLS_X509_FMT_PEM); if (ret <= 0) { fail("client: no CAs loaded!\n"); 
@@ -303,47 +255,6 @@ static int generate_dh_params(void) -static unsigned char server_cert_pem[] = - "-----BEGIN CERTIFICATE-----\n" - "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" - "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" - "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" - "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" - "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" - "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" - "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" - "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" - "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" - "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" - "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" - "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; - -const gnutls_datum_t server_cert = { server_cert_pem, - sizeof(server_cert_pem) -}; - -static unsigned char server_key_pem[] = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" - "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" - "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" - "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" - "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" - "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" - "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" - "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" - "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" - "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" - 
"tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" - "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" - "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" - "-----END RSA PRIVATE KEY-----\n"; - -const gnutls_datum_t server_key = { server_key_pem, - sizeof(server_key_pem) -}; - static void server(int sd) { gnutls_certificate_credentials_t x509_cred; @@ -359,14 +270,15 @@ char buffer[MAX_BUF + 1]; gnutls_global_set_log_level(4711); gnutls_certificate_allocate_credentials(&x509_cred); - ret = gnutls_certificate_set_x509_trust_mem(x509_cred, &ca, + ret = gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); if (ret == 0) { fail("server: no CAs loaded\n"); } - gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert, - &server_key, + gnutls_certificate_set_x509_key_mem(x509_cred, + &server_ca3_localhost_cert, + &server_ca3_key, GNUTLS_X509_FMT_PEM); if (debug) diff --git a/tests/x509self.c b/tests/x509self.c index 0a2703b..00ff480 100644 --- a/tests/x509self.c +++ b/tests/x509self.c @@ -29,6 +29,7 @@ #include #include +#include "cert-common.h" #if defined(_WIN32) 
@@ -69,54 +70,6 @@ static void tls_log_func(int level, const char *str) #define MAX_BUF 1024 #define MSG "Hello TLS" -static unsigned char ca_pem[] = - "-----BEGIN CERTIFICATE-----\n" - "MIIB5zCCAVKgAwIBAgIERiYdJzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTExWhcNMDgwNDE3MTMyOTExWjAZMRcw\n" - "FQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA\n" - "vuyYeh1vfmslnuggeEKgZAVmQ5ltSdUY7H25WGSygKMUYZ0KT74v8C780qtcNt9T\n" - "7EPH/N6RvB4BprdssgcQLsthR3XKA84jbjjxNCcaGs33lvOz8A1nf8p3hD+cKfRi\n" - "kfYSW2JazLrtCC4yRCas/SPOUxu78of+3HiTfFm/oXUCAwEAAaNDMEEwDwYDVR0T\n" - "AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTpPBz7rZJu5gak\n" - "Viyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAiaIRqGfp1jPpNeVhABK60SU0KIAy\n" - "njuu7kHq5peUgYn8Jd9zNzExBOEp1VOipGsf6G66oQAhDFp2o8zkz7ZH71zR4HEW\n" - "KoX6n5Emn6DvcEH/9pAhnGxNHJAoS7czTKv/JDZJhkqHxyrE1fuLsg5Qv25DTw7+\n" - "PfqUpIhz5Bbm7J4=\n" "-----END CERTIFICATE-----\n"; -const gnutls_datum_t ca = { ca_pem, sizeof(ca_pem) }; - -static unsigned char cert_pem[] = - "-----BEGIN CERTIFICATE-----\n" - "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n" - "GQYDVQQDExJHbnVUTFMgdGVzdCBjbGllbnQwgZwwCwYJKoZIhvcNAQEBA4GMADCB\n" - "iAKBgLtmQ/Xyxde2jMzF3/WIO7HJS2oOoa0gUEAIgKFPXKPQ+GzP5jz37AR2ExeL\n" - "ZIkiW8DdU3w77XwEu4C5KL6Om8aOoKUSy/VXHqLnu7czSZ/ju0quak1o/8kR4jKN\n" - "zj2AC41179gAgY8oBAOgIo1hBAf6tjd9IQdJ0glhaZiQo1ipAgMBAAGjdjB0MAwG\n" - "A1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweg\n" - "ADAdBgNVHQ4EFgQUTLkKm/odNON+3svSBxX+odrLaJEwHwYDVR0jBBgwFoAU6Twc\n" - "+62SbuYGpFYsouHAUyfI8pUwCwYJKoZIhvcNAQEFA4GBALujmBJVZnvaTXr9cFRJ\n" - "jpfc/3X7sLUsMvumcDE01ls/cG5mIatmiyEU9qI3jbgUf82z23ON/acwJf875D3/\n" - "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n" - "dc8Siq5JojruiMizAf0pA7in\n" "-----END CERTIFICATE-----\n"; -const gnutls_datum_t cert = { cert_pem, sizeof(cert_pem) }; - -static unsigned 
char key_pem[] = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n" - "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n" - "aP/JEeIyjc49gAuNde/YAIGPKAQDoCKNYQQH+rY3fSEHSdIJYWmYkKNYqQIDAQAB\n" - "AoGADpmARG5CQxS+AesNkGmpauepiCz1JBF/JwnyiX6vEzUh0Ypd39SZztwrDxvF\n" - "PJjQaKVljml1zkJpIDVsqvHdyVdse8M+Qn6hw4x2p5rogdvhhIL1mdWo7jWeVJTF\n" - "RKB7zLdMPs3ySdtcIQaF9nUAQ2KJEvldkO3m/bRJFEp54k0CQQDYy+RlTmwRD6hy\n" - "7UtMjR0H3CSZJeQ8svMCxHLmOluG9H1UKk55ZBYfRTsXniqUkJBZ5wuV1L+pR9EK\n" - "ca89a+1VAkEA3UmBelwEv2u9cAU1QjKjmwju1JgXbrjEohK+3B5y0ESEXPAwNQT9\n" - "TrDM1m9AyxYTWLxX93dI5QwNFJtmbtjeBQJARSCWXhsoaDRG8QZrCSjBxfzTCqZD\n" - "ZXtl807ymCipgJm60LiAt0JLr4LiucAsMZz6+j+quQbSakbFCACB8SLV1QJBAKZQ\n" - "YKf+EPNtnmta/rRKKvySsi3GQZZN+Dt3q0r094XgeTsAqrqujVNfPhTMeP4qEVBX\n" - "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n" - "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n" - "-----END RSA PRIVATE KEY-----\n"; -const gnutls_datum_t key = { key_pem, sizeof(key_pem) }; static void client(int sd) { @@ -136,9 +89,9 @@ static void client(int sd) /* sets the trusted cas file */ - gnutls_certificate_set_x509_trust_mem(xcred, &ca, + gnutls_certificate_set_x509_trust_mem(xcred, &ca3_cert, GNUTLS_X509_FMT_PEM); - gnutls_certificate_set_x509_key_mem(xcred, &cert, &key, + gnutls_certificate_set_x509_key_mem(xcred, &cli_ca3_cert, &cli_ca3_key, GNUTLS_X509_FMT_PEM); /* Initialize TLS session 
@@ -298,47 +251,6 @@ char buffer[MAX_BUF + 1]; int optval = 1; -static unsigned char server_cert_pem[] = - "-----BEGIN CERTIFICATE-----\n" - "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" - "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" - "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" - "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" - "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" - "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" - "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" - "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" - "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" - "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" - "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" - "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" - "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; - -const gnutls_datum_t server_cert = { server_cert_pem, - sizeof(server_cert_pem) -}; - -static unsigned char server_key_pem[] = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" - "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" - "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" - "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" - "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" - "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" - "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" - "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" - "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" - "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" - 
"tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" - "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" - "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" - "-----END RSA PRIVATE KEY-----\n"; - -const gnutls_datum_t server_key = { server_key_pem, - sizeof(server_key_pem) -}; - static void server(int sd) { /* this must be called once in the program @@ -350,11 +262,12 @@ static void server(int sd) gnutls_global_set_log_level(6); gnutls_certificate_allocate_credentials(&x509_cred); - gnutls_certificate_set_x509_trust_mem(x509_cred, &ca, + gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); - gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert, - &server_key, + gnutls_certificate_set_x509_key_mem(x509_cred, + &server_ca3_localhost_cert, + &server_ca3_key, GNUTLS_X509_FMT_PEM); if (debug) -- 2.7.4 From stefan.sorensen at spectralink.com Mon Aug 8 13:31:15 2016 From: stefan.sorensen at spectralink.com (=?UTF-8?q?Stefan=20S=C3=B8rensen?=) Date: Mon, 8 Aug 2016 13:31:15 +0200 Subject: [gnutls-devel] [PATCH 2/5] Fix gnutls_pkcs12_simple_parse to always extract the complete chain In-Reply-To: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com> References: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com> Message-ID: <1470655878-9651-2-git-send-email-stefan.sorensen@spectralink.com> gnutls_pkcs12_simple_parse was only collecting extra certificates that was possible elements of the certificate chain when the extra_certs argument was not NULL. Fix by allways collecting all the certificates, any unneeded certificates are released before returning if extra_certs is NULL anyway. Signed-off-by: Stefan S?rensen --- lib/x509/pkcs12.c | 35 +++++++++++++++-------------------- 1 file changed, 15 insertions(+), 20 deletions(-) diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c index 5b072dd..e39dcde 100644 --- a/lib/x509/pkcs12.c +++ b/lib/x509/pkcs12.c 
@@ -1683,27 +1683,22 @@ gnutls_pkcs12_simple_parse(gnutls_pkcs12_t p12, } if (memcmp(cert_id, key_id, cert_id_size) != 0) { /* they don't match - skip the certificate */ - if (extra_certs) { - _extra_certs = - gnutls_realloc_fast - (_extra_certs, - sizeof(_extra_certs - [0]) * - ++_extra_certs_len); - if (!_extra_certs) { - gnutls_assert(); - ret = - GNUTLS_E_MEMORY_ERROR; - goto done; - } - _extra_certs - [_extra_certs_len - - 1] = this_cert; - this_cert = NULL; - } else { - gnutls_x509_crt_deinit - (this_cert); + _extra_certs = + gnutls_realloc_fast + (_extra_certs, + sizeof(_extra_certs + [0]) * + ++_extra_certs_len); + if (!_extra_certs) { + gnutls_assert(); + ret = + GNUTLS_E_MEMORY_ERROR; + goto done; } + _extra_certs + [_extra_certs_len - + 1] = this_cert; + this_cert = NULL; } else { if (chain && _chain_len == 0) { _chain = -- 2.7.4 From stefan.sorensen at spectralink.com Mon Aug 8 13:31:14 2016 From: stefan.sorensen at spectralink.com (=?UTF-8?q?Stefan=20S=C3=B8rensen?=) Date: Mon, 8 Aug 2016 13:31:14 +0200 Subject: [gnutls-devel] [PATCH 1/5] Fix invalid pointer operation in gnutls_certificate_get_x509_crt Message-ID: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com> The access to the allocated crt_list variable was missing a pointer dereference, leading to memory corruption for any certificate list with more than one element. Signed-off-by: Stefan S?rensen --- lib/x509.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/x509.c b/lib/x509.c index 7412557..e6d58de 100644 --- a/lib/x509.c +++ b/lib/x509.c 
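Review bot: the gnutls_pkcs12_simple_parse() hunk now appends every non-matching certificate to `_extra_certs` unconditionally, so the function's exit path must deinitialise and free those entries whenever the caller passed `extra_certs == NULL`; the commit message says this already happens, but that branch is outside the hunk and previously only ran with an empty array, so it should be verified and a test added that parses a bag containing an intermediate CA with `extra_certs == NULL`. Also, `++_extra_certs_len` is evaluated inside the gnutls_realloc_fast() argument before the allocation is checked, and gnutls_realloc_fast() releases the old block when it fails, so after the `goto done` the length is one larger than an array that is now NULL; compute the new length into a local and store it only after the realloc succeeds, so the cleanup never walks a stale count.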
@@ -1263,10 +1263,10 @@ gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res, } for (i = 0; i < res->certs[index].cert_list_length; ++i) { - ret = gnutls_pcert_export_x509(&res->certs[index].cert_list[i], crt_list[i]); + ret = gnutls_pcert_export_x509(&res->certs[index].cert_list[i], &(*crt_list)[i]); if (ret < 0) { while (i--) - gnutls_x509_crt_deinit(*crt_list[i]); + gnutls_x509_crt_deinit((*crt_list)[i]); gnutls_free(*crt_list); *crt_list = NULL; -- 2.7.4 From stefan.sorensen at spectralink.com Mon Aug 8 13:31:16 2016 From: stefan.sorensen at spectralink.com (=?UTF-8?q?Stefan=20S=C3=B8rensen?=) Date: Mon, 8 Aug 2016 13:31:16 +0200 Subject: [gnutls-devel] [PATCH 3/5] tests: Remove zero-termination of gnutls_datum encapsulated certificates In-Reply-To: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com> References: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com> Message-ID: <1470655878-9651-3-git-send-email-stefan.sorensen@spectralink.com> This allows for memcmp comparison with certificates after processing. Signed-off-by: Stefan S?rensen --- tests/cert-common.h | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/tests/cert-common.h b/tests/cert-common.h index f1f057c..8caab13 100644 --- a/tests/cert-common.h +++ b/tests/cert-common.h @@ -61,11 +61,11 @@ static char ecc_cert[] = "-----END CERTIFICATE-----\n"; const gnutls_datum_t server_ecc_cert = - {(void *) ecc_cert, sizeof(ecc_cert)}; + {(void *) ecc_cert, sizeof(ecc_cert)-1}; const gnutls_datum_t server_ecc_key = - {(void *) ecc_key, sizeof(ecc_key)}; + {(void *) ecc_key, sizeof(ecc_key)-1}; /* A cert-key pair */ static char pem1_cert[] = 
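Review bot: the lib/x509.c hunk is the right fix: `crt_list` is a `gnutls_x509_crt_t **` out-parameter, so `crt_list[i]` indexed the caller's pointer variable rather than the freshly allocated array and, for i > 0, wrote past it, and `*crt_list[i]` in the unwind loop dereferenced the same wrong address. Because credentials holding a single certificate never reach i > 0, the bug is invisible to the existing tests; a test that loads a two-certificate chain and calls gnutls_certificate_get_x509_crt() should accompany this change so the regression is caught. Nothing else in the hunk changes behaviour for the single-certificate case.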
@@ -101,11 +101,11 @@ static char pem1_key[] = "-----END RSA PRIVATE KEY-----\n"; const gnutls_datum_t cert_dat = - {(void *) pem1_cert, sizeof(pem1_cert)}; + {(void *) pem1_cert, sizeof(pem1_cert)-1}; const gnutls_datum_t key_dat = - {(void *) pem1_key, sizeof(pem1_key)}; + {(void *) pem1_key, sizeof(pem1_key)-1}; /* A server cert/key pair with CA */ @@ -150,7 +150,7 @@ static unsigned char server_cert_pem[] = "-----END CERTIFICATE-----\n"; const gnutls_datum_t server_cert = { server_cert_pem, - sizeof(server_cert_pem) + sizeof(server_cert_pem)-1 }; static unsigned char server_key_pem[] = @@ -183,7 +183,7 @@ static unsigned char server_key_pem[] = "-----END RSA PRIVATE KEY-----\n"; const gnutls_datum_t server_key = { server_key_pem, - sizeof(server_key_pem) + sizeof(server_key_pem)-1 }; static unsigned char ca_cert_pem[] = @@ -207,7 +207,7 @@ static unsigned char ca_cert_pem[] = "-----END CERTIFICATE-----\n"; const gnutls_datum_t ca_cert = { ca_cert_pem, - sizeof(ca_cert_pem) + sizeof(ca_cert_pem)-1 }; /* A server cert/key pair with CA */ @@ -263,7 +263,7 @@ static unsigned char server2_cert_pem[] = "-----END CERTIFICATE-----\n"; const gnutls_datum_t server2_cert = { server2_cert_pem, - sizeof(server2_cert_pem) + sizeof(server2_cert_pem)-1 }; static unsigned char server2_key_pem[] = @@ -308,7 +308,7 @@ static unsigned char server2_key_pem[] = "-----END RSA PRIVATE KEY-----\n"; const gnutls_datum_t server2_key = { server2_key_pem, - sizeof(server2_key_pem) + sizeof(server2_key_pem)-1 }; static unsigned char ca2_cert_pem[] = @@ -338,7 +338,7 @@ static unsigned char ca2_cert_pem[] = "-----END CERTIFICATE-----\n"; const gnutls_datum_t ca2_cert = { ca2_cert_pem, - sizeof(ca2_cert_pem) + sizeof(ca2_cert_pem)-1 }; static unsigned char cert_pem[] = @@ -389,7 +389,7 @@ static char dsa_key_pem[] = "AoNBXjeBjgCGMei2m8E=\n" "-----END DSA PRIVATE KEY-----\n"; const gnutls_datum_t dsa_key = { (void*)dsa_key_pem, - sizeof(dsa_key_pem) + sizeof(dsa_key_pem)-1 }; 
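Review bot: the `sizeof(x)-1` edits across tests/cert-common.h are correct only because each array is initialised from a string literal, where the one surplus byte is the terminating NUL; the moment one of these fixtures is declared with an explicit length or filled from something other than a literal, the `-1` silently drops a real byte. With seventeen sites now carrying the same idiom, a single macro such as `#define PEM_DATUM(a) { (void *)(a), sizeof(a) - 1 }` would keep the convention in one place, make a missed conversion obvious, and document why the `-1` is there.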
@@ -461,11 +461,11 @@ static char ca3_key_pem[] = "-----END RSA PRIVATE KEY-----\n"; const gnutls_datum_t ca3_key = { (void*)ca3_key_pem, - sizeof(ca3_key_pem) + sizeof(ca3_key_pem)-1 }; const gnutls_datum_t ca3_cert = { (void*)ca3_cert_pem, - sizeof(ca3_cert_pem) + sizeof(ca3_cert_pem)-1 }; static char cli_ca3_cert_pem[] = @@ -537,11 +537,11 @@ static char cli_ca3_key_pem[] = "-----END RSA PRIVATE KEY-----\n"; const gnutls_datum_t cli_ca3_key = { (void*)cli_ca3_key_pem, - sizeof(cli_ca3_key_pem) + sizeof(cli_ca3_key_pem)-1 }; const gnutls_datum_t cli_ca3_cert = { (void*)cli_ca3_cert_pem, - sizeof(cli_ca3_cert_pem) + sizeof(cli_ca3_cert_pem)-1 }; static char server_ca3_key_pem[] = @@ -586,7 +586,7 @@ static char server_ca3_key_pem[] = "-----END RSA PRIVATE KEY-----\n"; const gnutls_datum_t server_ca3_key = { (void*)server_ca3_key_pem, - sizeof(server_ca3_key_pem) + sizeof(server_ca3_key_pem)-1 }; /* shares server_ca3 key */ @@ -680,7 +680,7 @@ static char unknown_ca_cert_pem[] = "-----END CERTIFICATE-----\n"; const gnutls_datum_t unknown_ca_cert = { (void*)unknown_ca_cert_pem, - sizeof(unknown_ca_cert_pem) + sizeof(unknown_ca_cert_pem)-1 }; static const char server_ca3_pkcs12_pem[] = -- 2.7.4 From nmav at gnutls.org Mon Aug 8 16:14:20 2016 
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 8 Aug 2016 16:14:20 +0200
Subject: [gnutls-devel] [PATCH 2/5] Fix gnutls_pkcs12_simple_parse to always extract the complete chain
In-Reply-To: <1470655878-9651-2-git-send-email-stefan.sorensen@spectralink.com>
References: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com> <1470655878-9651-2-git-send-email-stefan.sorensen@spectralink.com>
Message-ID:

Hi,

Thank you for the patch set. Do you have some test that would detect and uncover this behavior that we can include in our test suite?

regards,
Nikos

On Mon, Aug 8, 2016 at 1:31 PM, Stefan Sørensen wrote:
> gnutls_pkcs12_simple_parse was only collecting extra certificates that were
> possible elements of the certificate chain when the extra_certs argument was
> not NULL. Fix by always collecting all the certificates, any unneeded
> certificates are released before returning if extra_certs is NULL anyway.
>
> Signed-off-by: Stefan Sørensen
> ---
> lib/x509/pkcs12.c | 35 +++++++++++++++--------------------
> 1 file changed, 15 insertions(+), 20 deletions(-)
>
> diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
> index 5b072dd..e39dcde 100644
> --- a/lib/x509/pkcs12.c
> +++ b/lib/x509/pkcs12.c
> @@ -1683,27 +1683,22 @@ gnutls_pkcs12_simple_parse(gnutls_pkcs12_t p12, > } > > if (memcmp(cert_id, key_id, cert_id_size) != 0) { /* they don't match - skip the certificate */ > - if (extra_certs) { > - _extra_certs = > - gnutls_realloc_fast > - (_extra_certs, > - sizeof(_extra_certs > - [0]) * > - ++_extra_certs_len); > - if (!_extra_certs) { > - gnutls_assert(); > - ret = > - GNUTLS_E_MEMORY_ERROR; > - goto done; > - } > - _extra_certs > - [_extra_certs_len - > - 1] = this_cert; > - this_cert = NULL; > - } else { > - gnutls_x509_crt_deinit > - (this_cert); > + _extra_certs = > + gnutls_realloc_fast > + (_extra_certs, > + sizeof(_extra_certs > + [0]) * > + ++_extra_certs_len); > + if (!_extra_certs) { > + gnutls_assert(); > + ret = > + GNUTLS_E_MEMORY_ERROR; > + goto done; > } > + _extra_certs > + [_extra_certs_len - > + 1] = this_cert; > + this_cert = NULL; > } else { > if (chain && _chain_len == 0) { > _chain = > -- > 2.7.4 > > > _______________________________________________ > Gnutls-devel mailing list > Gnutls-devel at lists.gnutls.org > http://lists.gnupg.org/mailman/listinfo/gnutls-devel From nmav at gnutls.org Mon Aug 8 18:01:37 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 8 Aug 2016 18:01:37 +0200 Subject: [gnutls-devel] [PATCH 1/5] Fix invalid pointer operation in gnutls_certificate_get_x509_crt In-Reply-To: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com> References: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com> Message-ID: On Mon, Aug 8, 2016 at 1:31 PM, Stefan S?rensen wrote: > The access to the allocated crt_list variable was missing a pointer > dereference, leading to memory corruption for any certificate list with more > than one element. Hi, I've applied patches 1-4 (I've not received patch number 5). As stated in the previous mail, a reproducer for 4 is more than welcome. regards, Nikos From nmav at gnutls.org Tue Aug 9 07:40:20 2016 
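The collection behaviour that patch 2/5 changes, as an added example that is not GnuTLS's own code: a toy simple_parse over a constructed certificate bag, in plain C with no GnuTLS dependency. The cert_t struct, the BAG array and its subject/issuer/key-id strings are hypothetical stand-ins for the X.509 objects and key identifiers the real function compares. It shows why keeping the non-matching certificates even when the caller passes a NULL extra_certs is what lets the chain be completed through an intermediate CA, and that the surplus is released on the NULL path, which is the reproducer shape Nikos asks for above.

```c
#include <stdlib.h>
#include <string.h>

/* Toy certificate: subject, issuer and the key identifier it carries. */
typedef struct {
    const char *subject;
    const char *issuer;
    const char *key_id;
} cert_t;

/* Constructed bag, in the shuffled order a PKCS#12 file may present
 * its certificates. Only "leaf" carries the private key's identifier. */
static const cert_t BAG[] = {
    { "root",      "root",  "id-root"  },
    { "unrelated", "other", "id-other" },
    { "leaf",      "subca", "id-key"   },
    { "subca",     "root",  "id-subca" },
};
#define BAG_LEN (sizeof(BAG) / sizeof(BAG[0]))

/* Mirrors the control flow patch 2/5 gives gnutls_pkcs12_simple_parse:
 * the certificate whose id matches the key starts the chain, every other
 * certificate is always kept as a candidate, and the chain is then
 * completed from the candidates by issuer lookup. `extras` may be NULL;
 * the unused candidates are then released before returning, which is why
 * collecting them unconditionally costs nothing. Before the fix the
 * candidates were dropped when extras == NULL, so the intermediate CA was
 * never found and the chain stopped at the leaf.
 * `chain` must have room for BAG_LEN entries. Returns 0 or -1. */
int simple_parse(const char *key_id,
                 const cert_t **chain, size_t *chain_len,
                 const cert_t ***extras, size_t *extras_len)
{
    const cert_t **cand = NULL;
    size_t cand_len = 0, left = 0, i;

    *chain_len = 0;
    for (i = 0; i < BAG_LEN; i++) {
        if (*chain_len == 0 && strcmp(BAG[i].key_id, key_id) == 0) {
            chain[(*chain_len)++] = &BAG[i];
        } else {
            const cert_t **tmp = realloc(cand, (cand_len + 1) * sizeof(*cand));
            if (tmp == NULL) {
                free(cand);
                return -1;
            }
            cand = tmp;
            cand[cand_len++] = &BAG[i];
        }
    }
    if (*chain_len == 0) {          /* no certificate matches the key */
        free(cand);
        return -1;
    }

    /* Walk upwards until the tip is self-signed or its issuer is absent. */
    for (;;) {
        const cert_t *tip = chain[*chain_len - 1];
        size_t j;
        if (strcmp(tip->subject, tip->issuer) == 0)
            break;
        for (j = 0; j < cand_len; j++)
            if (cand[j] != NULL && strcmp(cand[j]->subject, tip->issuer) == 0)
                break;
        if (j == cand_len)
            break;                  /* issuer not in the bag */
        chain[(*chain_len)++] = cand[j];
        cand[j] = NULL;             /* consumed by the chain */
    }

    /* Compact what the chain did not consume. */
    for (i = 0; i < cand_len; i++)
        if (cand[i] != NULL)
            cand[left++] = cand[i];

    if (extras != NULL) {
        *extras = cand;             /* caller owns it and free()s it */
        *extras_len = left;
    } else {
        free(cand);                 /* the "released anyway" path */
    }
    return 0;
}
```

With the constructed bag, parsing for "id-key" yields the chain leaf, subca, root and one leftover ("unrelated"); passing NULL for extras yields the same three-element chain, which is exactly what the pre-fix code could not produce.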
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 09 Aug 2016 07:40:20 +0200
Subject: [gnutls-devel] gnutls 3.5.3
Message-ID: <1470721220.14429.2.camel@gnutls.org>

Hello,

I've just released gnutls 3.5.3. This is a minor enhancements and bugfix release for the 3.5.x branch.

* Version 3.5.3 (released 2016-08-09)

** libgnutls: Added support for TCP fast open (RFC7413), allowing to reduce the handshake process by one round-trip. Based on proposal and patch by Tim Ruehsen.

** libgnutls: Adopted a simpler DTLS sliding window implementation with less memory requirements. Based on Fridolin Pokorny's implementation for AF_KTLS.

** libgnutls: Use getrandom where available via the syscall interface. This works around an issue of not using getrandom even if it exists, since glibc doesn't declare such a function.

** libgnutls: Fixed DNS name constraints checking in the case of empty intersection of domain names in the chain. Report and fix by Martin Ukrop.

** libgnutls: Fixed name constraints checking in the case of chains where the higher level certificates contained different types of constraints than the ones present in the lower intermediate CAs. Report and fix by Martin Ukrop.

** libgnutls: Dropped support for the EGD random generator.

** libgnutls: Allow the decoding of raw elements (starting with #) in RFC4514 DN string decoding.

** libgnutls: Fixes in gnutls_x509_crt_list_import2, which was ignoring flags if all certificates in the list fit within the initially allocated memory. Patch by Tim Kosse.

** libgnutls: Corrected an issue which made gnutls_certificate_get_x509_crt() return invalid pointers when it returned more than a single certificate. Report and fix by Stefan Sørensen.

** libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the complete chain, even when the extra_certs was non-null. Report and fix by Stefan Sørensen.

** certtool: Added the "add_extension" and "add_critical_extension" template options. This allows specifying arbitrary extensions into certificates and certificate requests.

** gnutls-cli: Added the --fastopen option.

** API and ABI modifications:
GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE: Added
gnutls_x509_crq_set_extension_by_oid: Added
gnutls_x509_dn_set_str: Added
gnutls_transport_set_fastopen: Added

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .

Here are the XZ compressed sources:
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.3.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.3.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos gnutls.org>
uid                  Nikos Mavrogiannopoulos gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos
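The two library fixes by Stefan Sørensen listed in these release notes, as an added example that is neither GnuTLS code nor the patch author's: plain C with no GnuTLS dependency, using a datum_t stand-in for gnutls_datum_t and a constructed PEM-shaped string that is not a real certificate. get_list and copy_entry are hypothetical stand-ins for gnutls_certificate_get_x509_crt() and gnutls_pcert_export_x509(), and export_pem stands in for a parse-and-re-encode round trip. It shows why a fixture built with sizeof(pem) carries one byte that a re-exported certificate lacks (the sizeof()-1 change) and how a pointer-to-array out-parameter must be written through (*list)[i] rather than list[i] (the invalid pointer operation fix).

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for gnutls_datum_t: a byte pointer and a length. */
typedef struct {
    unsigned char *data;
    unsigned int size;
} datum_t;

/* Constructed PEM-shaped text (hypothetical, not a real certificate). */
static char cert_pem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "QUJDREVGRw==\n"
    "-----END CERTIFICATE-----\n";

/* A string literal adds a terminating NUL and sizeof() counts it, so the
 * first datum claims one byte more than the PEM text has. The second is
 * the form the test fixtures were switched to. */
const datum_t cert_with_nul = { (unsigned char *)cert_pem, sizeof(cert_pem) };
const datum_t cert_exact    = { (unsigned char *)cert_pem, sizeof(cert_pem) - 1 };

/* Simulated export: a parser that re-emits the PEM text returns exactly
 * the text, without a NUL, so only the NUL-free fixture compares equal. */
static int export_pem(const char *src, datum_t *out)
{
    size_t n = strlen(src);
    out->data = malloc(n);
    if (out->data == NULL)
        return -1;
    memcpy(out->data, src, n);
    out->size = (unsigned int)n;
    return 0;
}

/* Byte-exact comparison, the way the x509cert-style tests do it. */
static int datum_equal(const datum_t *a, const datum_t *b)
{
    return a->size == b->size && memcmp(a->data, b->data, a->size) == 0;
}

/* Returns 1 when the NUL-carrying fixture mismatches the export and the
 * exact one matches it, -1 on allocation failure. */
int sizeof_minus_one_matters(void)
{
    datum_t exported;
    int with_nul, exact;

    if (export_pem(cert_pem, &exported) < 0)
        return -1;
    with_nul = datum_equal(&exported, &cert_with_nul); /* sizes differ by one */
    exact = datum_equal(&exported, &cert_exact);
    free(exported.data);
    return with_nul == 0 && exact == 1;
}

/* Stand-in for gnutls_pcert_export_x509(): fills one out-parameter slot. */
static int copy_entry(const char *src, char **dst)
{
    size_t n = strlen(src) + 1;
    *dst = malloc(n);
    if (*dst == NULL)
        return -1;
    memcpy(*dst, src, n);
    return 0;
}

/* The out-parameter shape of gnutls_certificate_get_x509_crt(): the caller
 * passes the address of its pointer variable, the callee allocates the
 * array and must write through (*list)[i]. The pre-fix form list[i]
 * indexes the caller's single pointer as if it were an array and writes
 * past it for every i > 0. Returns 0 or -1 (list left NULL on failure). */
int get_list(const char *const *src, size_t n, char ***list, size_t *len)
{
    size_t i;

    *list = calloc(n, sizeof(**list));
    if (*list == NULL)
        return -1;
    for (i = 0; i < n; i++) {
        /* correct: &(*list)[i]; the buggy code passed list[i] */
        if (copy_entry(src[i], &(*list)[i]) < 0) {
            while (i--)                 /* unwind only the filled slots */
                free((*list)[i]);       /* correct: (*list)[i], not *list[i] */
            free(*list);
            *list = NULL;
            return -1;
        }
    }
    *len = n;
    return 0;
}

void free_list(char **list, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        free(list[i]);
    free(list);
}
```

The error path mirrors the fixed unwind loop: `while (i--)` frees exactly the entries already filled, which only works when the same `(*list)[i]` address arithmetic is used on both the fill and the unwind side.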
From: Stefan.Sorensen at spectralink.com (Sørensen, Stefan)
Date: Tue, 9 Aug 2016 06:19:48 +0000
Subject: [gnutls-devel] [PATCH 1/5] Fix invalid pointer operation in gnutls_certificate_get_x509_crt
In-Reply-To:
References: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com>
Message-ID: <1470723588.2433.4.camel@spectralink.com>

On Mon, 2016-08-08 at 18:01 +0200, Nikos Mavrogiannopoulos wrote:
> I've applied patches 1-4 (I've not received patch number 5). As
> stated in the previous mail, a reproducer for 4 is more than welcome

Patch 5 changes ca3 to include an intermediate CA - that causes two of the existing test cases to trigger both of the fixed bugs. The patch does a bit of certificate shuffling so it is awaiting moderator approval due to its size.

Stefan

From stefan.sorensen at spectralink.com Mon Aug 8 13:31:18 2016
From: stefan.sorensen at spectralink.com (Stefan Sørensen)
Date: Mon, 8 Aug 2016 13:31:18 +0200
Subject: [gnutls-devel] [PATCH 5/5] Change ca3 and related certificate to include an intermediate CA in the chain.
In-Reply-To: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com>
References: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com>
Message-ID: <1470655878-9651-5-git-send-email-stefan.sorensen@spectralink.com>

Also update a bunch of test-cases to support chains with an intermediate CA.

Signed-off-by: Stefan Sørensen
---
 tests/cert-common.h               | 545 ++++++++++++++++++++++++++++----------
 tests/keylog-env.c                |   2 +-
 tests/send-client-cert.c          |   4 +-
 tests/set_x509_key.c              |  14 +-
 tests/set_x509_key_file_der.c     |   8 +-
 tests/set_x509_key_file_ocsp.c    |   4 +-
 tests/set_x509_key_mem.c          |   4 +-
 tests/x509-cert-callback-legacy.c |  12 +-
 tests/x509-cert-callback.c        |  44 ++-
 tests/x509cert.c                  |  44 +--
 10 files changed, 483 insertions(+), 198 deletions(-)

diff --git a/tests/cert-common.h b/tests/cert-common.h
index 8caab13..0dcc24a 100644
--- a/tests/cert-common.h
+++ b/tests/cert-common.h 
@@ -468,31 +468,159 @@ const gnutls_datum_t ca3_cert = { (void*)ca3_cert_pem, sizeof(ca3_cert_pem)-1 }; + +static char subca3_cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIIEDTCCAnWgAwIBAgIMV6MdMjWzT9C59ec8MA0GCSqGSIb3DQEBCwUAMA8xDTAL\n" + "BgNVBAMTBENBLTMwIBcNMTYwNTEwMDg0ODMwWhgPOTk5OTEyMzEyMzU5NTlaMBIx\n" + "EDAOBgNVBAMTB3N1YkNBLTMwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIB\n" + "gQCgOcNXzStOnRFoi05aMRLeMB45X4a2srSBul3ULxDSGjIP0EEl//X2WLiope/x\n" + "NL8bPCRpI1sSVXl8Hb1cK3qWNGazVmC7xW07NxL26I86e3/BVRnq8ioVtvPQwEpv\n" + "uI8F97x1vL/n+cfcdkN77NScr5C9jHMVioRvC+qKz9bUBx5DSySV66PR5+wGsJDv\n" + "kfsmjVOgqiTlSWQS5G3nMMq0Rixsc5dP5Wygkbdh9+45UCtObcnHABJrP+GtLiG0\n" + "AOUx6oPzPteZL13erWXg7zYusTarj9rTcdsgR/Im1mIzmD2i7GhJo4Gj0Sk3Rq93\n" + "JyeA+Ay5UPmqcm+dqX00b49MTTv4GtO53kLQSCXYFJ96jcMiXMzBFJD1ROsdk4WU\n" + "ed/tJMHffttDz9j3WcuX9M2nzTT2xlauokjbEAhRDRw5fxCFZh7TbmaH4vysDO9U\n" + "ZXVEXSLKonQ2Lmyso48s/G30VmlSjtPtJqRsv/oPpCO/c0D6BrkHV55B48xfmyIF\n" + "jgECAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0G\n" + "A1UdDgQWBBQtMwQbJ3+UBHzH4zVP6SWklOG3oTAfBgNVHSMEGDAWgBT5qIYZY7ak\n" + "FBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAMii5Gx3/d/58oDRy5a0o\n" + "PvQhkU0dKa61NfjjOz9uqxNSilLJE7jGJPaG2tKtC/XU1Ybql2tqQY68kogjKs31\n" + "QC6RFkoZAFouTJt11kzbgVWKewCk3/OrA0/ZkRrAfE0Pma/NITRwTHmTsQOdv/bz\n" + "R+xIPhjKxKrKyJFMG5xb+Q0OKSbd8kDpgYWKob5x2jsNYgEDp8nYSRT45SGw7c7F\n" + "cumkXz2nA6r5NwbnhELvNFK8fzsY+QJKHaAlJ9CclliP1PiiAcl2LQo2gaygWNiD\n" + "+ggnqzy7nqam9rieOOMHls1kKFAFrWy2g/cBhTfS+/7Shpex7NK2GAiujgUV0TZH\n" + "EyEZt6um4gLS9vwUKs/R4XS9VL/bBlfAy2hAVTeUejiRBGeTJkqBu7+c4FdrCByV\n" + "haeQASMYu/lga8eaGL1zJbJe2BQWI754KDYDT9qKNqGlgysr4AVje7z1Y1MQ72Sn\n" + "frzYSQw6BB85CurB6iou3Q+eM4o4g/+xGEuDo0Ne/8ir\n" + "-----END CERTIFICATE-----\n"; + +static char subca3_key_pem[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIIG5AIBAAKCAYEAoDnDV80rTp0RaItOWjES3jAeOV+GtrK0gbpd1C8Q0hoyD9BB\n" + "Jf/19li4qKXv8TS/GzwkaSNbElV5fB29XCt6ljRms1Zgu8VtOzcS9uiPOnt/wVUZ\n" + 
"6vIqFbbz0MBKb7iPBfe8dby/5/nH3HZDe+zUnK+QvYxzFYqEbwvqis/W1AceQ0sk\n" + "leuj0efsBrCQ75H7Jo1ToKok5UlkEuRt5zDKtEYsbHOXT+VsoJG3YffuOVArTm3J\n" + "xwASaz/hrS4htADlMeqD8z7XmS9d3q1l4O82LrE2q4/a03HbIEfyJtZiM5g9ouxo\n" + "SaOBo9EpN0avdycngPgMuVD5qnJvnal9NG+PTE07+BrTud5C0Egl2BSfeo3DIlzM\n" + "wRSQ9UTrHZOFlHnf7STB337bQ8/Y91nLl/TNp8009sZWrqJI2xAIUQ0cOX8QhWYe\n" + "025mh+L8rAzvVGV1RF0iyqJ0Ni5srKOPLPxt9FZpUo7T7SakbL/6D6Qjv3NA+ga5\n" + "B1eeQePMX5siBY4BAgMBAAECggGAW56MIBHW+L4B7VjzNcmn81tqfP4txxzK8P+D\n" + "lchQAwQtqjM4faUunW5AMVepq7Cwsr8iRuiLtCEiNaG/3QuTrn5KV7RF3jlXa6vj\n" + "cUKsXBGwjPm/t0RAYmhaZPz/04CicBQoNN74kYqYCW2qyxsyvGH8DxdX23J4phMX\n" + "S8brHhTv7iTyx7OV2nqW0YB3cDZ2eaYIsu9355Ce49qxKakR0CHsVxuF447aHbsV\n" + "NLUUCLvZ95/56IwW/DLsNh4R8Z8siEDde8imHyJOVihqrxvoQ7pL0+qB8amsMEVd\n" + "YcUr0ln56Ob5MuO5vD5lAASbOgGUcI/3OWsd2KzquNxKzZaZu+nC1Yh150E1jDEi\n" + "dZIgTtAr39sCx2EwovYwOWrVz66afzN05/0QxuXaoR5IuqbAt7mmaC5wSUGfuAyA\n" + "oy94+JEAb6bb1RPdzcLE5AC6n1zdcOwtuHAajFIppR3He4n4cODaPyqf8pqoCE7s\n" + "fqCa43LLUbPNIEh+E0jFy2lBlqRNAoHBAMY4REQIAUP9PEVtGKi+fvqlBjEn2hzx\n" + "7GuVscvro2U4xk7ZwM1ZffDM9Skuf10+QK15fT4sC4WknJ5MNDY6lkkuPAAaE+Wh\n" + "O6w9Dkz264n2xiGCOEignsAbTkOOZCiWVh9xq4N3o6C9uWUWPOW5bnBx9BzMRi59\n" + "SK5qLTOlJur8fczV/1/sFTUEwBiahERUFqGlOD3t4/z5YuWdFjoXhOh3s60hro8C\n" + "57E4mDuk5sgIh2/i0L9Aob1fnN/Hkl89hwKBwQDO7kNJcRgzbtnK4bX3QWiZVI42\n" + "91YfWtHGqJuqymi8a/4oNBzlBqJECtd0fYcCudadXGtjmf68/BbfwZjZzPOVrnpM\n" + "3XvMgvJgwuppW+Uovvk7eStUGqz1YzEZQZlVSc6p3sB0Lv9EGU5hCejnJmzF36s2\n" + "+KWuzyjkBg4o7fqYAeE2y4tZzGOwRjlOLJQQKQANTv24fOHXCaWBwrkgPloFqkrx\n" + "QPe6Dm7iWdi4xGB3zFZxSZbr0rZ1SmSTn3kbejcCgcEAvoTwYG9NQBsTpitA61gF\n" + "1kVtWSvTwcRpl9KOzNCVAUJ7oOg9H2Ln4N4uucFeW7HtGo/N6EcPYAmjG6dk+8Z+\n" + "EqKkuvhVrX22TEt3BlTCeZ2+PBDcpjnzu/PC2r3u2O/+oURxNPB2TpZsrpOcPrVn\n" + "SB7PIirZPe/fPv0Aq0YOzQeYppv9VCYnEAmb1UoW3VHxWrbiAuw3GTxeaRH+fiGC\n" + "9qmvAjaAgCarqTQbZiCOTS+dddYNC/ZEPy+6KYC52F7bAoHBAJLp5EnDCpyRif0Z\n" + "jLhz7tBVkPaDWdi/AQqa8JIsTHnh7jsa7JzJvfCzBc7FxFHyIOXuFKxNS+deztqj\n" + 
"t2KCuTm++0ORR/Cl03FRUV3mCWeJVqeb2mBG5B8AAn7c7QD5esltxZN3PnJZySTq\n" + "BTn/NOCzcPqBRBg9KdniVrFGbFD5nKzrjA8AJpKi+NKAocprYYcRWt9dgnXKeoAL\n" + "AKZcvkshYT2xk2+8CYuYoF5lxdun7oNV7NmW60WQwKFyamhQtwKBwE6OM6v8BOL2\n" + "8SkAd0qj0UFMyzJCOhlW5cypdcvvEpiR4H/8m2c8U4iemful3YJ/Hc+KH165KeQM\n" + "3ZBX1w2rwei6cQNtIptMYFBapUzE1Wd0Uyh8OjpHnCYvv/53cZYNSrVtqCD5GE87\n" + "c/snzezAEzWGNm5wl0X+Y3g/mZaYX2rXUgr/dxVGhNHzOodEMz3Sk/Z8ER5n8m5N\n" + "CLo/c/+F0N4e0F7P+haq+Ccj6MNM99HnuJALc1Ke9971YxrNfniGvA==\n" + "-----END RSA PRIVATE KEY-----\n"; + +const gnutls_datum_t subca3_key = { (void*)subca3_key_pem, + sizeof(subca3_key_pem)-1 +}; + +const gnutls_datum_t subca3_cert = { (void*)subca3_cert_pem, + sizeof(subca3_cert_pem)-1 +}; + + static char cli_ca3_cert_pem[] = "-----BEGIN CERTIFICATE-----\n" - "MIIEPzCCAqegAwIBAgIIVzGiRh5+VCgwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n" - "AxMEQ0EtMzAgFw0xNjA1MTAwODU2MzlaGA85OTk5MTIzMTIzNTk1OVowFjEUMBIG\n" - "A1UEAxMLVGVzdCBjbGllbnQwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIB\n" - "gQDhAB7O8se421OVNBKfW81pgGtnn4LNLz+0HYvkb7BbLdiqqqHWQH6BxY30W2q/\n" - "bUHVaBFa2OufitMmDGX6iAuIuAshnqIb9h7U84UrHFVhjE9cjuykBhoJbr/5CNL/\n" - "Xwzo0IAey+EkQyQ5jpyUioSoKktPJpbMlQsEHC2kDzimRwtOI2mZ8glaiz06xgfS\n" - "FIrbET/mq74OSRoqt9LYLKnrXB2FRGtfV92WQFQG31cfxLkDZta5ARjzYaBfGXwe\n" - "l6GQHZEuCmRlDPGinOGiobY/whkVCa07JLNE9a12nLRElu+Yt9mpoTCyreDWNkVe\n" - "GpSNznLe9se1rZeDn/PHRf8UHr2PYpmyBSaSVhUUb217tS1JUODPdTr153XoBQvE\n" - "2oAXYsaG4gQjn7g+KRdv5DFo7H+HDUG0SozMsxs2mEgtI8FEj42lNnY8JJ50axDP\n" - "GyCez+JosHurUAisotRCVWnL4k19q5irO+Uw1fAxqg1BkN/2g6gWR1M/k/y3+AaT\n" - "auUCAwEAAaOBlTCBkjAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMC\n" - "MBwGA1UdEQQVMBOBEWhlbGxvQGV4YW1wbGUub3JnMA8GA1UdDwEB/wQFAwMHgAAw\n" - "HQYDVR0OBBYEFF1eiuHfWOLdXHTtObu72NkxsoFqMB8GA1UdIwQYMBaAFPmohhlj\n" - "tqQUE2B2DwGaNTbv8bSvMA0GCSqGSIb3DQEBCwUAA4IBgQA/eaenR+0i8lTpzQlJ\n" - "djl5CZfeY11oH3WH7rM6dDaBaZjz7VIG1ETBByMy/B+2hXOlBGGkbGwtKO01sAH8\n" - "B91UOXvPkxIyofrhEBuGOQ3oN3eyAO48JxT9v6LSgzd82LPhtGErMbFkm/pFBjl4\n" - 
"F0bBKdMEoPsV/hHnIswkLpefaZ9po5eOrihC3oYPoHhuizSfIn0kzmvyPElduBBN\n" - "OcMPY26XF9tPSa3LKXA0UJo4mhpiVrWh9jbKLquaD+n/qKKV3mS++oytn4d2gdB6\n" - "dcrQTNY74U7bUXutRqDNNlrAxIQ7Qh+stAiZ7CCm143GQBESRiqqKFpxdvVhpwDL\n" - "H/buEo9I6ikYpwPAyIPfL9iMg13M/6NHg0s7C9psv0lInDCS2nFJG8L1Qp0Z6/Wt\n" - "9yEjTuCSyfEdk/1Ar/jaAkKcdXRFptQuLtqFHYaBmXrWPqK4b6H0vKhvOUhXliZc\n" - "0b7e0ldn20vEIdN3Qnoxf+7QVayrzKd7irovD8Xdg+R/E3s=\n" + "MIIERjCCAq6gAwIBAgIMV6MdMjZaLvmhsFpSMA0GCSqGSIb3DQEBCwUAMBIxEDAO\n" + "BgNVBAMTB3N1YkNBLTMwIBcNMTYwNTEwMDg1NjM5WhgPOTk5OTEyMzEyMzU5NTla\n" + "MBYxFDASBgNVBAMTC1Rlc3QgY2xpZW50MIIBojANBgkqhkiG9w0BAQEFAAOCAY8A\n" + "MIIBigKCAYEA4QAezvLHuNtTlTQSn1vNaYBrZ5+CzS8/tB2L5G+wWy3Yqqqh1kB+\n" + "gcWN9Ftqv21B1WgRWtjrn4rTJgxl+ogLiLgLIZ6iG/Ye1POFKxxVYYxPXI7spAYa\n" + "CW6/+QjS/18M6NCAHsvhJEMkOY6clIqEqCpLTyaWzJULBBwtpA84pkcLTiNpmfIJ\n" + "Wos9OsYH0hSK2xE/5qu+DkkaKrfS2Cyp61wdhURrX1fdlkBUBt9XH8S5A2bWuQEY\n" + "82GgXxl8HpehkB2RLgpkZQzxopzhoqG2P8IZFQmtOySzRPWtdpy0RJbvmLfZqaEw\n" + "sq3g1jZFXhqUjc5y3vbHta2Xg5/zx0X/FB69j2KZsgUmklYVFG9te7UtSVDgz3U6\n" + "9ed16AULxNqAF2LGhuIEI5+4PikXb+QxaOx/hw1BtEqMzLMbNphILSPBRI+NpTZ2\n" + "PCSedGsQzxsgns/iaLB7q1AIrKLUQlVpy+JNfauYqzvlMNXwMaoNQZDf9oOoFkdT\n" + "P5P8t/gGk2rlAgMBAAGjgZUwgZIwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggr\n" + "BgEFBQcDAjAcBgNVHREEFTATgRFoZWxsb0BleGFtcGxlLm9yZzAPBgNVHQ8BAf8E\n" + "BQMDB4AAMB0GA1UdDgQWBBRdXorh31ji3Vx07Tm7u9jZMbKBajAfBgNVHSMEGDAW\n" + "gBQtMwQbJ3+UBHzH4zVP6SWklOG3oTANBgkqhkiG9w0BAQsFAAOCAYEAPjXZC89d\n" + "2lkc33p5qBTneqXAAZeseBZlSF9Rd798NofXTw0oi235UWCdmPOS4l0z8PBh0ICA\n" + "MY7iUrv5MJeEcvGOq1NFZObsEP+gcpDi3s1otSif9n3ZSR9gDqG1kAlvwOxDW1As\n" + "KuGgwE2vRZN3T20USkcSXvtJ3QD+tIroD9z/Auh2H6LsqOMwSwBo9Alzj7DWLk8G\n" + "mdpQtQU+l/+3pa5MY4MBQM3T3PpK4TdjMVKzKc8lMUeFH/VJSbyQ2kgL7OqavMsH\n" + "jGrm0JCWi2M188EobKVqt2nhQQA7SIogYe4cqx8Q2/7v6RDXZ11QifFKupQ2vXLb\n" + "DZxa4j7YQz4F2m7+PbYbSAs1y4/oiJ32O3BjQC7Oa3OaGFpkipUtrozaa1TM4tab\n" + "kZSyKmSvKG2RxDphl71OZ28tgWjjzJbyG3dbnI3HF1L7YVwHUGFUPhUGuiS7H/b4\n" + 
"6Zd8Y0P6Cxn/4rUEZZPDpCVt92cjQsWXL45JXpmqwDlaRdSXXoIB2l2D\n" + "-----END CERTIFICATE-----\n"; + +static char cli_ca3_cert_chain_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIIERjCCAq6gAwIBAgIMV6MdMjZaLvmhsFpSMA0GCSqGSIb3DQEBCwUAMBIxEDAO\n" + "BgNVBAMTB3N1YkNBLTMwIBcNMTYwNTEwMDg1NjM5WhgPOTk5OTEyMzEyMzU5NTla\n" + "MBYxFDASBgNVBAMTC1Rlc3QgY2xpZW50MIIBojANBgkqhkiG9w0BAQEFAAOCAY8A\n" + "MIIBigKCAYEA4QAezvLHuNtTlTQSn1vNaYBrZ5+CzS8/tB2L5G+wWy3Yqqqh1kB+\n" + "gcWN9Ftqv21B1WgRWtjrn4rTJgxl+ogLiLgLIZ6iG/Ye1POFKxxVYYxPXI7spAYa\n" + "CW6/+QjS/18M6NCAHsvhJEMkOY6clIqEqCpLTyaWzJULBBwtpA84pkcLTiNpmfIJ\n" + "Wos9OsYH0hSK2xE/5qu+DkkaKrfS2Cyp61wdhURrX1fdlkBUBt9XH8S5A2bWuQEY\n" + "82GgXxl8HpehkB2RLgpkZQzxopzhoqG2P8IZFQmtOySzRPWtdpy0RJbvmLfZqaEw\n" + "sq3g1jZFXhqUjc5y3vbHta2Xg5/zx0X/FB69j2KZsgUmklYVFG9te7UtSVDgz3U6\n" + "9ed16AULxNqAF2LGhuIEI5+4PikXb+QxaOx/hw1BtEqMzLMbNphILSPBRI+NpTZ2\n" + "PCSedGsQzxsgns/iaLB7q1AIrKLUQlVpy+JNfauYqzvlMNXwMaoNQZDf9oOoFkdT\n" + "P5P8t/gGk2rlAgMBAAGjgZUwgZIwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggr\n" + "BgEFBQcDAjAcBgNVHREEFTATgRFoZWxsb0BleGFtcGxlLm9yZzAPBgNVHQ8BAf8E\n" + "BQMDB4AAMB0GA1UdDgQWBBRdXorh31ji3Vx07Tm7u9jZMbKBajAfBgNVHSMEGDAW\n" + "gBQtMwQbJ3+UBHzH4zVP6SWklOG3oTANBgkqhkiG9w0BAQsFAAOCAYEAPjXZC89d\n" + "2lkc33p5qBTneqXAAZeseBZlSF9Rd798NofXTw0oi235UWCdmPOS4l0z8PBh0ICA\n" + "MY7iUrv5MJeEcvGOq1NFZObsEP+gcpDi3s1otSif9n3ZSR9gDqG1kAlvwOxDW1As\n" + "KuGgwE2vRZN3T20USkcSXvtJ3QD+tIroD9z/Auh2H6LsqOMwSwBo9Alzj7DWLk8G\n" + "mdpQtQU+l/+3pa5MY4MBQM3T3PpK4TdjMVKzKc8lMUeFH/VJSbyQ2kgL7OqavMsH\n" + "jGrm0JCWi2M188EobKVqt2nhQQA7SIogYe4cqx8Q2/7v6RDXZ11QifFKupQ2vXLb\n" + "DZxa4j7YQz4F2m7+PbYbSAs1y4/oiJ32O3BjQC7Oa3OaGFpkipUtrozaa1TM4tab\n" + "kZSyKmSvKG2RxDphl71OZ28tgWjjzJbyG3dbnI3HF1L7YVwHUGFUPhUGuiS7H/b4\n" + "6Zd8Y0P6Cxn/4rUEZZPDpCVt92cjQsWXL45JXpmqwDlaRdSXXoIB2l2D\n" + "-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\n" + "MIIEDTCCAnWgAwIBAgIMV6MdMjWzT9C59ec8MA0GCSqGSIb3DQEBCwUAMA8xDTAL\n" + 
"BgNVBAMTBENBLTMwIBcNMTYwNTEwMDg0ODMwWhgPOTk5OTEyMzEyMzU5NTlaMBIx\n" + "EDAOBgNVBAMTB3N1YkNBLTMwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIB\n" + "gQCgOcNXzStOnRFoi05aMRLeMB45X4a2srSBul3ULxDSGjIP0EEl//X2WLiope/x\n" + "NL8bPCRpI1sSVXl8Hb1cK3qWNGazVmC7xW07NxL26I86e3/BVRnq8ioVtvPQwEpv\n" + "uI8F97x1vL/n+cfcdkN77NScr5C9jHMVioRvC+qKz9bUBx5DSySV66PR5+wGsJDv\n" + "kfsmjVOgqiTlSWQS5G3nMMq0Rixsc5dP5Wygkbdh9+45UCtObcnHABJrP+GtLiG0\n" + "AOUx6oPzPteZL13erWXg7zYusTarj9rTcdsgR/Im1mIzmD2i7GhJo4Gj0Sk3Rq93\n" + "JyeA+Ay5UPmqcm+dqX00b49MTTv4GtO53kLQSCXYFJ96jcMiXMzBFJD1ROsdk4WU\n" + "ed/tJMHffttDz9j3WcuX9M2nzTT2xlauokjbEAhRDRw5fxCFZh7TbmaH4vysDO9U\n" + "ZXVEXSLKonQ2Lmyso48s/G30VmlSjtPtJqRsv/oPpCO/c0D6BrkHV55B48xfmyIF\n" + "jgECAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0G\n" + "A1UdDgQWBBQtMwQbJ3+UBHzH4zVP6SWklOG3oTAfBgNVHSMEGDAWgBT5qIYZY7ak\n" + "FBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAMii5Gx3/d/58oDRy5a0o\n" + "PvQhkU0dKa61NfjjOz9uqxNSilLJE7jGJPaG2tKtC/XU1Ybql2tqQY68kogjKs31\n" + "QC6RFkoZAFouTJt11kzbgVWKewCk3/OrA0/ZkRrAfE0Pma/NITRwTHmTsQOdv/bz\n" + "R+xIPhjKxKrKyJFMG5xb+Q0OKSbd8kDpgYWKob5x2jsNYgEDp8nYSRT45SGw7c7F\n" + "cumkXz2nA6r5NwbnhELvNFK8fzsY+QJKHaAlJ9CclliP1PiiAcl2LQo2gaygWNiD\n" + "+ggnqzy7nqam9rieOOMHls1kKFAFrWy2g/cBhTfS+/7Shpex7NK2GAiujgUV0TZH\n" + "EyEZt6um4gLS9vwUKs/R4XS9VL/bBlfAy2hAVTeUejiRBGeTJkqBu7+c4FdrCByV\n" + "haeQASMYu/lga8eaGL1zJbJe2BQWI754KDYDT9qKNqGlgysr4AVje7z1Y1MQ72Sn\n" + "frzYSQw6BB85CurB6iou3Q+eM4o4g/+xGEuDo0Ne/8ir\n" "-----END CERTIFICATE-----\n"; static char cli_ca3_key_pem[] = @@ -544,6 +672,10 @@ const gnutls_datum_t cli_ca3_cert = { (void*)cli_ca3_cert_pem, sizeof(cli_ca3_cert_pem)-1 }; +const gnutls_datum_t cli_ca3_cert_chain = { (void*)cli_ca3_cert_chain_pem, + sizeof(cli_ca3_cert_chain_pem)-1 +}; + static char server_ca3_key_pem[] = "-----BEGIN RSA PRIVATE KEY-----\n" "MIIG5AIBAAKCAYEA2T14maos98C7s/geGZybgqYSxF+5NeTXKWpi9/vXmuIF8n3h\n" 
@@ -592,68 +724,180 @@ const gnutls_datum_t server_ca3_key = { (void*)server_ca3_key_pem, /* shares server_ca3 key */ static char server_localhost6_ca3_cert_pem[] = "-----BEGIN CERTIFICATE-----\n" - "MIIEMDCCApigAwIBAgIIVzGhKhP99McwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n" - "AxMEQ0EtMzAgFw0xNjA1MTAwODUxNTVaGA85OTk5MTIzMTIzNTk1OVowADCCAaIw\n" - "DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBANk9eJmqLPfAu7P4Hhmcm4KmEsRf\n" - "uTXk1ylqYvf715riBfJ94VIdtJqKE9q4FRwMxVsv/B+SHFiIlEJfvCociQkrgSfl\n" - "oTNIMNrqkj8IjmVJuJd00MZsUuHlvwa6+F/PLLyUOMU03LdpuR9TbvS2fMVjmaRj\n" - "BiCO439GA+qHRvwxxP7FR433Hg+5JdeYwLWve/vLgm4zETxnMYOFbZpArkizpBi/\n" - "RYQtLmFW8HwZ0/ldDBMnDgcfmL9gRLtMQ1XZEHLNFjyEVD1JsrlgccaizNUkiUi7\n" - "Gbm/w3YiDVxbq3u3cee5lsNhEMIREyISKAHPy8RlnIWwwuDlnsmI0pIb9/4RH0LM\n" - "MlceDEFy1X0QRzYqZFPU/0l4j/FlQ6X2UqWNz63ybRSbcCzHl25abi1xmbsV5ydo\n" - "mJNcP+0QbripMpa0O6gjv5f0yMd7mW9/aAglPcKgpbbhGfo7V9z2gIKdUCLRXoUs\n" - "zhdobnRf00LrrpFUQWReKHxMcDWAL2b00kysPQIDAQABo4GcMIGZMAwGA1UdEwEB\n" - "/wQCMAAwIwYDVR0RBBwwGoIKbG9jYWxob3N0NoIMd3d3Lm5vbmUub3JnMBMGA1Ud\n" - "JQQMMAoGCCsGAQUFBwMBMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFDOd4SfT\n" - "i9X86wX8tceBaU9eO9nWMB8GA1UdIwQYMBaAFPmohhljtqQUE2B2DwGaNTbv8bSv\n" - "MA0GCSqGSIb3DQEBCwUAA4IBgQBeG1Mj+13pX+4qcbZIlcLqsrRjCFeF/3XpbL7f\n" - "bUNaa+DYOOKy8d8/PHpS5uZHxwYOOK13+YOGr8hFBbXiGtl4uKbCmPd23kMfUzbI\n" - "iTuu0DvuENtl6zjY44bjuXxhg9vBC3b2CygF8IWOHuXSVCgNMLzMDEA71uOzpgAT\n" - "OQv+oDAURkWwMZWsGyb30YdoYb2QCqRLdMtVdoGkWq9CniE8rgHmrggSxkdCSOSY\n" - "rPwjCCwCxXQqtZMvZYUws+vrXvPOvZHauQFhvuw6EHV62lQnY9JD8nqtimwuskWw\n" - "hgcyhy4hgvmx7MRF1E+dc/lWSvNSHS6u8n4cTsHeHv2IOPl87y2jXR5lEoMItjZf\n" - "D9B6K0w488yvj1+aheV0mbQDMgR0pzWOVH0oJ6RCM1AFgNU+7/d9ztqBusYJhuL7\n" - "/MT4qYlyaZ3OzkIcD2kfmPLfX6FV5FCfVfNvKeCwvctisKsuJZ1/CIsjpoYJk7uu\n" - "YeI3wIhmivXBor8p5hUzrWqT2y0=\n" + "MIIENzCCAp+gAwIBAgIMV6MdMjdkWPp7Um/XMA0GCSqGSIb3DQEBCwUAMBIxEDAO\n" + "BgNVBAMTB3N1YkNBLTMwIBcNMTYwNTEwMDg1MTU1WhgPOTk5OTEyMzEyMzU5NTla\n" + 
"MAAwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDZPXiZqiz3wLuz+B4Z\n" + "nJuCphLEX7k15NcpamL3+9ea4gXyfeFSHbSaihPauBUcDMVbL/wfkhxYiJRCX7wq\n" + "HIkJK4En5aEzSDDa6pI/CI5lSbiXdNDGbFLh5b8Guvhfzyy8lDjFNNy3abkfU270\n" + "tnzFY5mkYwYgjuN/RgPqh0b8McT+xUeN9x4PuSXXmMC1r3v7y4JuMxE8ZzGDhW2a\n" + "QK5Is6QYv0WELS5hVvB8GdP5XQwTJw4HH5i/YES7TENV2RByzRY8hFQ9SbK5YHHG\n" + "oszVJIlIuxm5v8N2Ig1cW6t7t3HnuZbDYRDCERMiEigBz8vEZZyFsMLg5Z7JiNKS\n" + "G/f+ER9CzDJXHgxBctV9EEc2KmRT1P9JeI/xZUOl9lKljc+t8m0Um3Asx5duWm4t\n" + "cZm7FecnaJiTXD/tEG64qTKWtDuoI7+X9MjHe5lvf2gIJT3CoKW24Rn6O1fc9oCC\n" + "nVAi0V6FLM4XaG50X9NC666RVEFkXih8THA1gC9m9NJMrD0CAwEAAaOBnDCBmTAM\n" + "BgNVHRMBAf8EAjAAMCMGA1UdEQQcMBqCCmxvY2FsaG9zdDaCDHd3dy5ub25lLm9y\n" + "ZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQW\n" + "BBQzneEn04vV/OsF/LXHgWlPXjvZ1jAfBgNVHSMEGDAWgBQtMwQbJ3+UBHzH4zVP\n" + "6SWklOG3oTANBgkqhkiG9w0BAQsFAAOCAYEALXeJO70urguPXDXTPPfqOVZb9NOh\n" + "+1rHRtt1LIr6WxGMLDIuUwwjhExSR/XDnhzgy1G6Zxodsm1FV5aEmDhU9cz0MpkF\n" + "G1ndhGK+Y3Qey9L/8x7yuHoqLfcqiqe5Kxpq9zVfy87M1JC8FuFpRXgnXkbjnPRm\n" + "rDA7d0KtJfU93mmoI1yPDqYcJK6I62waIfRn5AcgGiMr8tT5oreIXPhjxiU15Say\n" + "ETqT0nSx3kB1VTm0K4mByIueGclnb5epUQ/suq9S++QW7Z9DD/8bfehXZaB1lb7r\n" + "jTMFQAzmrR7x53ZwKWry5iu6MXxFnWKTpBdGcgztbj34NM4VLqrdC15c0lj+OJ/3\n" + "0sbJ1YU3XCh6GZ96t3RPevSvimxMZfVquoBrr7/79PKxOnBY+amJYILqjzqvqIvr\n" + "LoPj0OuKmN7XiWINFAgz5/oj8Bq/4vu8Bsu4fwbgMeHt5Z0eIo8XtqblxnCASFDZ\n" + "yrRp0uKt24DKjSiJWnoqc+VjuvFECgGUzdts\n" + "-----END CERTIFICATE-----\n"; + +static char server_localhost6_ca3_cert_chain_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIIENzCCAp+gAwIBAgIMV6MdMjdkWPp7Um/XMA0GCSqGSIb3DQEBCwUAMBIxEDAO\n" + "BgNVBAMTB3N1YkNBLTMwIBcNMTYwNTEwMDg1MTU1WhgPOTk5OTEyMzEyMzU5NTla\n" + "MAAwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDZPXiZqiz3wLuz+B4Z\n" + "nJuCphLEX7k15NcpamL3+9ea4gXyfeFSHbSaihPauBUcDMVbL/wfkhxYiJRCX7wq\n" + "HIkJK4En5aEzSDDa6pI/CI5lSbiXdNDGbFLh5b8Guvhfzyy8lDjFNNy3abkfU270\n" + 
"tnzFY5mkYwYgjuN/RgPqh0b8McT+xUeN9x4PuSXXmMC1r3v7y4JuMxE8ZzGDhW2a\n" + "QK5Is6QYv0WELS5hVvB8GdP5XQwTJw4HH5i/YES7TENV2RByzRY8hFQ9SbK5YHHG\n" + "oszVJIlIuxm5v8N2Ig1cW6t7t3HnuZbDYRDCERMiEigBz8vEZZyFsMLg5Z7JiNKS\n" + "G/f+ER9CzDJXHgxBctV9EEc2KmRT1P9JeI/xZUOl9lKljc+t8m0Um3Asx5duWm4t\n" + "cZm7FecnaJiTXD/tEG64qTKWtDuoI7+X9MjHe5lvf2gIJT3CoKW24Rn6O1fc9oCC\n" + "nVAi0V6FLM4XaG50X9NC666RVEFkXih8THA1gC9m9NJMrD0CAwEAAaOBnDCBmTAM\n" + "BgNVHRMBAf8EAjAAMCMGA1UdEQQcMBqCCmxvY2FsaG9zdDaCDHd3dy5ub25lLm9y\n" + "ZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQW\n" + "BBQzneEn04vV/OsF/LXHgWlPXjvZ1jAfBgNVHSMEGDAWgBQtMwQbJ3+UBHzH4zVP\n" + "6SWklOG3oTANBgkqhkiG9w0BAQsFAAOCAYEALXeJO70urguPXDXTPPfqOVZb9NOh\n" + "+1rHRtt1LIr6WxGMLDIuUwwjhExSR/XDnhzgy1G6Zxodsm1FV5aEmDhU9cz0MpkF\n" + "G1ndhGK+Y3Qey9L/8x7yuHoqLfcqiqe5Kxpq9zVfy87M1JC8FuFpRXgnXkbjnPRm\n" + "rDA7d0KtJfU93mmoI1yPDqYcJK6I62waIfRn5AcgGiMr8tT5oreIXPhjxiU15Say\n" + "ETqT0nSx3kB1VTm0K4mByIueGclnb5epUQ/suq9S++QW7Z9DD/8bfehXZaB1lb7r\n" + "jTMFQAzmrR7x53ZwKWry5iu6MXxFnWKTpBdGcgztbj34NM4VLqrdC15c0lj+OJ/3\n" + "0sbJ1YU3XCh6GZ96t3RPevSvimxMZfVquoBrr7/79PKxOnBY+amJYILqjzqvqIvr\n" + "LoPj0OuKmN7XiWINFAgz5/oj8Bq/4vu8Bsu4fwbgMeHt5Z0eIo8XtqblxnCASFDZ\n" + "yrRp0uKt24DKjSiJWnoqc+VjuvFECgGUzdts\n" + "-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\n" + "MIIEDTCCAnWgAwIBAgIMV6MdMjWzT9C59ec8MA0GCSqGSIb3DQEBCwUAMA8xDTAL\n" + "BgNVBAMTBENBLTMwIBcNMTYwNTEwMDg0ODMwWhgPOTk5OTEyMzEyMzU5NTlaMBIx\n" + "EDAOBgNVBAMTB3N1YkNBLTMwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIB\n" + "gQCgOcNXzStOnRFoi05aMRLeMB45X4a2srSBul3ULxDSGjIP0EEl//X2WLiope/x\n" + "NL8bPCRpI1sSVXl8Hb1cK3qWNGazVmC7xW07NxL26I86e3/BVRnq8ioVtvPQwEpv\n" + "uI8F97x1vL/n+cfcdkN77NScr5C9jHMVioRvC+qKz9bUBx5DSySV66PR5+wGsJDv\n" + "kfsmjVOgqiTlSWQS5G3nMMq0Rixsc5dP5Wygkbdh9+45UCtObcnHABJrP+GtLiG0\n" + "AOUx6oPzPteZL13erWXg7zYusTarj9rTcdsgR/Im1mIzmD2i7GhJo4Gj0Sk3Rq93\n" + "JyeA+Ay5UPmqcm+dqX00b49MTTv4GtO53kLQSCXYFJ96jcMiXMzBFJD1ROsdk4WU\n" + 
"ed/tJMHffttDz9j3WcuX9M2nzTT2xlauokjbEAhRDRw5fxCFZh7TbmaH4vysDO9U\n" + "ZXVEXSLKonQ2Lmyso48s/G30VmlSjtPtJqRsv/oPpCO/c0D6BrkHV55B48xfmyIF\n" + "jgECAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0G\n" + "A1UdDgQWBBQtMwQbJ3+UBHzH4zVP6SWklOG3oTAfBgNVHSMEGDAWgBT5qIYZY7ak\n" + "FBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAMii5Gx3/d/58oDRy5a0o\n" + "PvQhkU0dKa61NfjjOz9uqxNSilLJE7jGJPaG2tKtC/XU1Ybql2tqQY68kogjKs31\n" + "QC6RFkoZAFouTJt11kzbgVWKewCk3/OrA0/ZkRrAfE0Pma/NITRwTHmTsQOdv/bz\n" + "R+xIPhjKxKrKyJFMG5xb+Q0OKSbd8kDpgYWKob5x2jsNYgEDp8nYSRT45SGw7c7F\n" + "cumkXz2nA6r5NwbnhELvNFK8fzsY+QJKHaAlJ9CclliP1PiiAcl2LQo2gaygWNiD\n" + "+ggnqzy7nqam9rieOOMHls1kKFAFrWy2g/cBhTfS+/7Shpex7NK2GAiujgUV0TZH\n" + "EyEZt6um4gLS9vwUKs/R4XS9VL/bBlfAy2hAVTeUejiRBGeTJkqBu7+c4FdrCByV\n" + "haeQASMYu/lga8eaGL1zJbJe2BQWI754KDYDT9qKNqGlgysr4AVje7z1Y1MQ72Sn\n" + "frzYSQw6BB85CurB6iou3Q+eM4o4g/+xGEuDo0Ne/8ir\n" "-----END CERTIFICATE-----\n"; const gnutls_datum_t server_ca3_localhost6_cert = { (void*)server_localhost6_ca3_cert_pem, sizeof(server_localhost6_ca3_cert_pem)-1 }; +const gnutls_datum_t server_ca3_localhost6_cert_chain = { + (void*)server_localhost6_ca3_cert_chain_pem, + sizeof(server_localhost6_ca3_cert_chain_pem)-1 +}; /* shares server_ca3 key */ static char server_localhost_ca3_cert_pem[] = "-----BEGIN CERTIFICATE-----\n" - "MIIEITCCAomgAwIBAgIIVzGhBTuLU+swDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n" - "AxMEQ0EtMzAgFw0xNjA1MTAwODUxMThaGA85OTk5MTIzMTIzNTk1OVowADCCAaIw\n" - "DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBANk9eJmqLPfAu7P4Hhmcm4KmEsRf\n" - "uTXk1ylqYvf715riBfJ94VIdtJqKE9q4FRwMxVsv/B+SHFiIlEJfvCociQkrgSfl\n" - "oTNIMNrqkj8IjmVJuJd00MZsUuHlvwa6+F/PLLyUOMU03LdpuR9TbvS2fMVjmaRj\n" - "BiCO439GA+qHRvwxxP7FR433Hg+5JdeYwLWve/vLgm4zETxnMYOFbZpArkizpBi/\n" - "RYQtLmFW8HwZ0/ldDBMnDgcfmL9gRLtMQ1XZEHLNFjyEVD1JsrlgccaizNUkiUi7\n" - "Gbm/w3YiDVxbq3u3cee5lsNhEMIREyISKAHPy8RlnIWwwuDlnsmI0pIb9/4RH0LM\n" - "MlceDEFy1X0QRzYqZFPU/0l4j/FlQ6X2UqWNz63ybRSbcCzHl25abi1xmbsV5ydo\n" - 
"mJNcP+0QbripMpa0O6gjv5f0yMd7mW9/aAglPcKgpbbhGfo7V9z2gIKdUCLRXoUs\n" - "zhdobnRf00LrrpFUQWReKHxMcDWAL2b00kysPQIDAQABo4GNMIGKMAwGA1UdEwEB\n" - "/wQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMB\n" - "MA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFDOd4SfTi9X86wX8tceBaU9eO9nW\n" - "MB8GA1UdIwQYMBaAFPmohhljtqQUE2B2DwGaNTbv8bSvMA0GCSqGSIb3DQEBCwUA\n" - "A4IBgQAAS3T2uhrGl99HErgOFyGLX6c/+moBjJDtMckBW8T3ajxOHzw7XI6I821a\n" - "MPVXaXXHmnTUFhAHZrjpn5UYIwEJUaimtCviumHcK0h/yWnHdbxs+aglu66aJ5V0\n" - "uvPdtLNBtS1y3SryTtskbZ3RPjHiON+brrVH0KcoT+t92T3CDtv0r37k92QKZlRK\n" - "K/wnqTOBUEhvpSztFai5vPy8QWv/RSHb2vFZeJkdiXybcedmLLmp56rWbzzCvfzj\n" - "mfOAFD0oGD8BTDTz55IrAfMvth7OYVqF0Se530c1GRxZwqYrEcfDJAc8QqfnYzkR\n" - "6KRXCVCbJ5CKi3grTzqcAJYsy9sxE2afaa/hh/XnMwYtHgIE1xfrcDnnBuNyYWHZ\n" - "GJaVdRTPtaRXUAJZtGLpy6SBEWGMP7wyhoFdbA3IWYbfypyM/t/LpQHtLzM3N7s8\n" - "oXG/Pucnsyp8fJ3LEJW0STMsWBoPPdfJFdTxK5i+bcmKq3OFPIGfXgw1Jf5vGfgM\n" - "MTK0U84=\n" + "MIIEKDCCApCgAwIBAgIMV6MdMjbIDKHKsL32MA0GCSqGSIb3DQEBCwUAMBIxEDAO\n" + "BgNVBAMTB3N1YkNBLTMwIBcNMTYwNTEwMDg1MTE4WhgPOTk5OTEyMzEyMzU5NTla\n" + "MAAwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDZPXiZqiz3wLuz+B4Z\n" + "nJuCphLEX7k15NcpamL3+9ea4gXyfeFSHbSaihPauBUcDMVbL/wfkhxYiJRCX7wq\n" + "HIkJK4En5aEzSDDa6pI/CI5lSbiXdNDGbFLh5b8Guvhfzyy8lDjFNNy3abkfU270\n" + "tnzFY5mkYwYgjuN/RgPqh0b8McT+xUeN9x4PuSXXmMC1r3v7y4JuMxE8ZzGDhW2a\n" + "QK5Is6QYv0WELS5hVvB8GdP5XQwTJw4HH5i/YES7TENV2RByzRY8hFQ9SbK5YHHG\n" + "oszVJIlIuxm5v8N2Ig1cW6t7t3HnuZbDYRDCERMiEigBz8vEZZyFsMLg5Z7JiNKS\n" + "G/f+ER9CzDJXHgxBctV9EEc2KmRT1P9JeI/xZUOl9lKljc+t8m0Um3Asx5duWm4t\n" + "cZm7FecnaJiTXD/tEG64qTKWtDuoI7+X9MjHe5lvf2gIJT3CoKW24Rn6O1fc9oCC\n" + "nVAi0V6FLM4XaG50X9NC666RVEFkXih8THA1gC9m9NJMrD0CAwEAAaOBjTCBijAM\n" + "BgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDATBgNVHSUEDDAKBggr\n" + "BgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBQzneEn04vV/OsF/LXH\n" + "gWlPXjvZ1jAfBgNVHSMEGDAWgBQtMwQbJ3+UBHzH4zVP6SWklOG3oTANBgkqhkiG\n" + 
"9w0BAQsFAAOCAYEASbEdRkK44GUb0Y+80JdYGFV1YuHUAq4QYSwCdrT0hwJrFYI2\n" + "s8+9/ncyzeyY00ryg6tPlKyE5B7ss29l8zcj0WJYsUk5kjV6uCWuo9/rqqPHK6Lc\n" + "Qx1cONR4Vt+gD5TX0nRNuKaHVbBJARZ3YOl2F3nApcR/8boq+WNKGhGkzFMaKV+i\n" + "IDpB0ziBUcb+q257lQGKrBuXl5nCd+PZswB//pZCsIkTF5jFdjeXvOvGDjYAr8rG\n" + "KpoMTskNcBqgi59sJc8djWMbNt+15qH4mSvTUW1caukeJAr4mwHfrSK5k9ezSSp1\n" + "EpbQ2Rp3xpbCgklhtsKHSJZ43sghZvCOxk8G3bRZ1/lW6sXvIPmLkvoeetTLvqYq\n" + "t/+gfv4NJuyZhzuJHbxrxBJ3C9QjqTbpiUumeRQHXLa+vZJUKX7ak1KVubKiOC+x\n" + "wyfgmq6quk5jPgOgMJWLwpA2Rm30wqX4OehXov3stSXFb+qASNOHlEtQdgKzIEX/\n" + "6TXY44pCGHMFO6Kr\n" + "-----END CERTIFICATE-----\n"; + +static char server_localhost_ca3_cert_chain_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIIEKDCCApCgAwIBAgIMV6MdMjbIDKHKsL32MA0GCSqGSIb3DQEBCwUAMBIxEDAO\n" + "BgNVBAMTB3N1YkNBLTMwIBcNMTYwNTEwMDg1MTE4WhgPOTk5OTEyMzEyMzU5NTla\n" + "MAAwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDZPXiZqiz3wLuz+B4Z\n" + "nJuCphLEX7k15NcpamL3+9ea4gXyfeFSHbSaihPauBUcDMVbL/wfkhxYiJRCX7wq\n" + "HIkJK4En5aEzSDDa6pI/CI5lSbiXdNDGbFLh5b8Guvhfzyy8lDjFNNy3abkfU270\n" + "tnzFY5mkYwYgjuN/RgPqh0b8McT+xUeN9x4PuSXXmMC1r3v7y4JuMxE8ZzGDhW2a\n" + "QK5Is6QYv0WELS5hVvB8GdP5XQwTJw4HH5i/YES7TENV2RByzRY8hFQ9SbK5YHHG\n" + "oszVJIlIuxm5v8N2Ig1cW6t7t3HnuZbDYRDCERMiEigBz8vEZZyFsMLg5Z7JiNKS\n" + "G/f+ER9CzDJXHgxBctV9EEc2KmRT1P9JeI/xZUOl9lKljc+t8m0Um3Asx5duWm4t\n" + "cZm7FecnaJiTXD/tEG64qTKWtDuoI7+X9MjHe5lvf2gIJT3CoKW24Rn6O1fc9oCC\n" + "nVAi0V6FLM4XaG50X9NC666RVEFkXih8THA1gC9m9NJMrD0CAwEAAaOBjTCBijAM\n" + "BgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDATBgNVHSUEDDAKBggr\n" + "BgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBQzneEn04vV/OsF/LXH\n" + "gWlPXjvZ1jAfBgNVHSMEGDAWgBQtMwQbJ3+UBHzH4zVP6SWklOG3oTANBgkqhkiG\n" + "9w0BAQsFAAOCAYEASbEdRkK44GUb0Y+80JdYGFV1YuHUAq4QYSwCdrT0hwJrFYI2\n" + "s8+9/ncyzeyY00ryg6tPlKyE5B7ss29l8zcj0WJYsUk5kjV6uCWuo9/rqqPHK6Lc\n" + "Qx1cONR4Vt+gD5TX0nRNuKaHVbBJARZ3YOl2F3nApcR/8boq+WNKGhGkzFMaKV+i\n" + "IDpB0ziBUcb+q257lQGKrBuXl5nCd+PZswB//pZCsIkTF5jFdjeXvOvGDjYAr8rG\n" + 
"KpoMTskNcBqgi59sJc8djWMbNt+15qH4mSvTUW1caukeJAr4mwHfrSK5k9ezSSp1\n" + "EpbQ2Rp3xpbCgklhtsKHSJZ43sghZvCOxk8G3bRZ1/lW6sXvIPmLkvoeetTLvqYq\n" + "t/+gfv4NJuyZhzuJHbxrxBJ3C9QjqTbpiUumeRQHXLa+vZJUKX7ak1KVubKiOC+x\n" + "wyfgmq6quk5jPgOgMJWLwpA2Rm30wqX4OehXov3stSXFb+qASNOHlEtQdgKzIEX/\n" + "6TXY44pCGHMFO6Kr\n" + "-----END CERTIFICATE-----\n" + "-----BEGIN CERTIFICATE-----\n" + "MIIEDTCCAnWgAwIBAgIMV6MdMjWzT9C59ec8MA0GCSqGSIb3DQEBCwUAMA8xDTAL\n" + "BgNVBAMTBENBLTMwIBcNMTYwNTEwMDg0ODMwWhgPOTk5OTEyMzEyMzU5NTlaMBIx\n" + "EDAOBgNVBAMTB3N1YkNBLTMwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIB\n" + "gQCgOcNXzStOnRFoi05aMRLeMB45X4a2srSBul3ULxDSGjIP0EEl//X2WLiope/x\n" + "NL8bPCRpI1sSVXl8Hb1cK3qWNGazVmC7xW07NxL26I86e3/BVRnq8ioVtvPQwEpv\n" + "uI8F97x1vL/n+cfcdkN77NScr5C9jHMVioRvC+qKz9bUBx5DSySV66PR5+wGsJDv\n" + "kfsmjVOgqiTlSWQS5G3nMMq0Rixsc5dP5Wygkbdh9+45UCtObcnHABJrP+GtLiG0\n" + "AOUx6oPzPteZL13erWXg7zYusTarj9rTcdsgR/Im1mIzmD2i7GhJo4Gj0Sk3Rq93\n" + "JyeA+Ay5UPmqcm+dqX00b49MTTv4GtO53kLQSCXYFJ96jcMiXMzBFJD1ROsdk4WU\n" + "ed/tJMHffttDz9j3WcuX9M2nzTT2xlauokjbEAhRDRw5fxCFZh7TbmaH4vysDO9U\n" + "ZXVEXSLKonQ2Lmyso48s/G30VmlSjtPtJqRsv/oPpCO/c0D6BrkHV55B48xfmyIF\n" + "jgECAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0G\n" + "A1UdDgQWBBQtMwQbJ3+UBHzH4zVP6SWklOG3oTAfBgNVHSMEGDAWgBT5qIYZY7ak\n" + "FBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAMii5Gx3/d/58oDRy5a0o\n" + "PvQhkU0dKa61NfjjOz9uqxNSilLJE7jGJPaG2tKtC/XU1Ybql2tqQY68kogjKs31\n" + "QC6RFkoZAFouTJt11kzbgVWKewCk3/OrA0/ZkRrAfE0Pma/NITRwTHmTsQOdv/bz\n" + "R+xIPhjKxKrKyJFMG5xb+Q0OKSbd8kDpgYWKob5x2jsNYgEDp8nYSRT45SGw7c7F\n" + "cumkXz2nA6r5NwbnhELvNFK8fzsY+QJKHaAlJ9CclliP1PiiAcl2LQo2gaygWNiD\n" + "+ggnqzy7nqam9rieOOMHls1kKFAFrWy2g/cBhTfS+/7Shpex7NK2GAiujgUV0TZH\n" + "EyEZt6um4gLS9vwUKs/R4XS9VL/bBlfAy2hAVTeUejiRBGeTJkqBu7+c4FdrCByV\n" + "haeQASMYu/lga8eaGL1zJbJe2BQWI754KDYDT9qKNqGlgysr4AVje7z1Y1MQ72Sn\n" + "frzYSQw6BB85CurB6iou3Q+eM4o4g/+xGEuDo0Ne/8ir\n" "-----END CERTIFICATE-----\n"; #define server_ca3_cert server_ca3_localhost_cert 
+#define server_ca3_cert_chain server_ca3_localhost_cert_chain const gnutls_datum_t server_ca3_localhost_cert = { (void*)server_localhost_ca3_cert_pem, sizeof(server_localhost_ca3_cert_pem)-1}; +const gnutls_datum_t server_ca3_localhost_cert_chain = { + (void*)server_localhost_ca3_cert_chain_pem, + sizeof(server_localhost_ca3_cert_chain_pem)-1 +}; + static char unknown_ca_cert_pem[] = "-----BEGIN CERTIFICATE-----\n" "MIID4DCCAkigAwIBAgIIVyG62RARjncwDQYJKoZIhvcNAQELBQAwFTETMBEGA1UE\n" 
@@ -685,76 +929,99 @@ const gnutls_datum_t unknown_ca_cert = { (void*)unknown_ca_cert_pem, static const char server_ca3_pkcs12_pem[] = "-----BEGIN PKCS12-----\n" - "MIINAAIBAzCCDMgGCSqGSIb3DQEHAaCCDLkEggy1MIIMsTCCBPcGCSqGSIb3DQEH\n" - "BqCCBOgwggTkAgEAMIIE3QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIZf8h\n" - "dWt3jYQCAhR5gIIEsDYZE567naoZuAymtn/M3ML4kR817j0chfbqja51b8BdXnk+\n" - "ZXjSEqgO0LWUuwlJNtyCe8bWxl8Tx6FUKKh+ul0elVzn12vko4sfJT48YjCrDm03\n" - "rYYl2sd5vKGRCegDpQtT2nCJYn0NPrlZggsewmP4uDHrSPV+VZu4pL4GM3nKyg7V\n" - "cA3xG68blXUXKuil9woL+Yd3TFI66XKaRFRi+k6xXeAn9mOMYhUE9/tLRKOVPdOy\n" - "OITn3dhBqXr/zcywUHVkrWLeFd9ODJ2qZmkEp/yJznoshne+hbjU3qt+4pUwCAnb\n" - "k8SAqcn4cOl2FM29Wk6LmcBLqDGvYXO6zeeXd2Ln+0iseyWRWt0xWo9KiqbZYEN0\n" - "7Eq2J8QG030a4JplVI2dgw907/pWcNNdz9LgnYF1wH7+GcpGPSPBzFM4n+dn3hRz\n" - "WFQMhpOjdcfJhA8f1A52SmAA6xgR+XCcqqSdcUAosv+z1nIVfDnnnxMmXq4uoVDj\n" - "44vf9pCsOKN+AL+DW2OAdDT7yxHk/aIWElmf7/iJzyihzky+8+GTCY6DQ7chbrVw\n" - "/sQ4F2OhZLMe1RggEmnEpwDz07mfR/qzySF4ssosY0K3rlO4qKEwQ9Jy6igQ+BMC\n" - "erbrN1yFskDK50BmvI3gv59z4ZTf+xL2Vx2Z0ZXmOKbfbYTITxOtyS/aYR9PaUXz\n" - "Y7Lgp0MeOx7BhooheASLasEnSsZEj/3HX/LJEJ4UHFQQ3mRn4wqD9duRJo/2sQJ5\n" - "9J6Fv6oWkgQ0KU5snZMVHi9OvGY5GUaMoDhL/ZsbhM9U1mW8v6QYOPf1ZQGxXSSv\n" - "Ehpkr2B5+/0JIYCaGwnBDw9Ggmtw5qbYXa37hAtas0eNDXndnqfr/3scjU0SIxjs\n" - "Ot027t2nSvls3NZ41Rmh381NF2LsoPWt1NWIZLaX1OBj8xuTh7QNWmgHbA6UWwhA\n" - "oxKUVC0Lbg0eYXC8nejaswNSclk9yIQJuT+P7Aj1dU42lsBOvTAUTQc4GHZtzO4J\n" - "ewy88nZLPgvO9W5KhcBTX8dfmWO/ItSl0ze0fxXOtfMMgF2QH1IoSz84gUG2Kjkf\n" - "hS1EOCeQ4meHciI4/v5S5aA2ZYdwTwgHyz6Z7a/6MgK9Nuh3doX7cdOqYCJVxbKa\n" - "ro/Zp8jVldSBRTfdgu6zmwVQJGtsur5SM+I+wVeFw+9+g6GkYGWqkNPeFAGHHX0H\n" - "gcGxloS5t4rbnC5g9Q3EEU6XpEVwPYQSrtV2U2uu/9ijYPmU60VciFfx26wLnQiw\n" - "gXJQkG7U584jWaX4mbx7nk/XKeQkNi3jX31xa/xx8VTP3NfE+44lNsn+ArLZtqAn\n" - "Zml54SnHTfPfYTsApDbcji+RyXj/L5IDP99kLTSHF8gAUkqAl3vkzI5jRPzZ8BuN\n" - "l529NDLhPZ57SBO4OJP9AuMJG62qiahMg3l34zej/2q/MsLlP8JXbjn8nDa0j8HB\n" - 
"Jgdz6QNj3fklJEvGaZ7HLKsbCxk4f2Qb02pIgEMN0+VUphmU8LUR7T7cej0mKXeT\n" - "JNBtQK3LE5riVgW7rPHGkcO8CD3PIshmaDt9CeUQMwo6SNVJcpFfKixwR9uHhNk4\n" - "1PGUD5Dk3S9JYy0C2jCCB7IGCSqGSIb3DQEHAaCCB6MEggefMIIHmzCCB5cGCyqG\n" - "SIb3DQEMCgECoIIHLjCCByowHAYKKoZIhvcNAQwBAzAOBAhIMXotmNiA5QICFPkE\n" - "ggcIsF73w/XBwRjSD6+0aYpzcEpgkIfACXekV/3S83CygZlXgqyxrWw0MR+ZfYC9\n" - "66AkSW26XdSjXnmdAyGgVjPxsmb8v5GT9ZwTLuKbUGUOweGTUvZlxwie0Pkry2vX\n" - "XXep5apVxBICituydeFkZLaGgeISgOqoCd9sCL2qKDo+bWD/WUc8feNJtBqrmXhO\n" - "N0R0tP7GF8q5j4oily5jbR9bZtorL6w2xlfXEzydAndrxclHZ4IlND56WDYvNTpN\n" - "EpUNddshpR5Opm8ED9KEaNVcdgVUQzP9epNczEvnb4NVyQrKfp9bcCDoscmNVNsc\n" - "WF8jYeZmz3S3iRhL6wkEihkLnMy7AXVgUEGRyvumM+qw8BlQlb7jyZpHw8wwZPAv\n" - "xCzgpMfJ6Ec17tJ6FoyY+pgx1xFntFv/S9Za1xcTtcKZx7m3VGneElK9uAV9oAbW\n" - "Otx+OliKbcCGit2vjXv3ev/K4T8NyQ2RDZL5A7/JarczHsX9Ju0JLta1+Nmf8Ayc\n" - "figqPF3LTrGewI94wLvqw3l7oFK2m2BmG4Sp1dHGjNdNsnZ3wkDG+jqPX7O2zJlt\n" - "i35x9xlzAvUAWk/MC1hZpuP48N/hOYMryIcM9Xs0TW+JcfpgmszEKTVNlx3zOP+Z\n" - "mtCKFH5ZoUTmBslUeWbwP8t3KMUPfj/B+T9gm/UV1yx9wy1/d4iPeixHO2dbs/KV\n" - "34i8X5++HHOyoksWkYhoSVPg1WaD7kQPj3uuCl7Y7zRCCu24fTiNupJwsTt6gjwA\n" - "uDedwk9KUaNx2AsmcwJOHENEr7ecXFlL00ULuTvS8haqSX7sbzIlpbqTPHL5oxmB\n" - "WAswCPHJg5NHnMc2yGhgGb/2WZEjQ47CCumYKiqkur9GtVfEeIJbUyNk2klwEKSl\n" - "qS452GHVBlsHjTzSkyzb+igqU6uy0S75sf1tYPMLP/FZ+xnqnNMAoBpWg1AKHDdj\n" - "JC3FbzLNNtmqQ1c9YNgllgRp9qu2z+XCRBLdChRfjm2E/CywwmchahrFv2LeeDSW\n" - "eUlJsNAvW0EO2xM0jGETwUhRIkGTxnjGwY8GvL4v7/lj23Tcrw4aZiw8XEDnKXMV\n" - "nHeOE9d/kJXru/bhGl90VbHCFJbyIwV32tl8NiClx0P5z4uAm5w9NiQ4gqVLyHem\n" - "nYeUF1r0nlHkTR2CubXe4OnczD80r3AEYRJjFfC+GmYIzflcctayzuwWoda8Hrcd\n" - "aT4arrzHe43/I6WajAcL+9oV5owdP9bksvZSwqgEFJuF9+zDttoncQHeS4MhHogc\n" - "HxqoTkMGlddogUQWim+ujY94b08Ov8mIEjzXbOm2Ts2LwFzAm/E+duBBX9E3E9g9\n" - "TBDYvY2NsnQsRlLNs8+g+sDa9LZTppqtKo7JED9atgTITiKYpkoqmipObE2vAl83\n" - "Nc2JarRzeYkt4iyyZN3pkmEKQa4KvWL+bCpZ6Vueb+uts8HCIHAuExGD8rC3GMwg\n" - "KCbULQ2R4gQK5HSvoFb4dGoFiouv810mvbY3RLlDEWlmvZ8IIVZ955ureae62si1\n" - 
"cgsVlqswrmlD5gdDyNNKW+A5saTDJ1eMuyS7+2TEXNXlJo88W5qb2CR4C5dG7thE\n" - "Kbrr1KuEq61ipq86sLnZkV1VveRodf9B5NOsTOOEmIBk0gfRd3jGWxCfFDyOnq1M\n" - "win67CkpkodFvwyjes8yiTHtHkpp63FocuJJflwi9JOWh8eAzLlHTQP+2qV72KIX\n" - "vDPJz6pCo6Houen71MfpSoAEJ7ITREyFZrdH0iebW5nheMJn7r0zlKBqyqivkjCh\n" - "CUQj4c+CJiG3SXU0Rb1kAllhyeW65+Mw1wXszLuVZjFjLP+pV/w3vvQQQ+vR87vK\n" - "2W4np13fSZUaqBl3aLtzoyZMEivudtGkSzmZ2s+wxqozh1hkjowMH7PPkpTufila\n" - "68OD5csm4cV0Sa2WWD1chZ+qRrbrThZ5aSN9C4ixHA1NE+8OGYCPutHOO/jeg5Dx\n" - "ygjRowOHuuh666LYjUj9ZGslsJPLrS8UCpBnCvkGVshP3pf8DwrZd5ixS515DlyL\n" - "CFfsl0sIVrKC/RLbj8GDuGNi2EppDs3WusfDVB0UM3fI7BaZtsBTLISaYfJtc970\n" - "2+lmOgZQfalECCXeNRo5eAfO+QVEiuGBIQP5k+ityKXsuHqN5aming2/3X1QR7Gr\n" - "kHNepPIqf+4CwhTE5Gn88dpP2RLvS1Cj0XHsLYxZkDcOXC4DmMgH2OqLi7N/Mrnm\n" - "51o64JEbpNTQKSjOkQd9ew6bouSM+ehgnV4Hi75SZZ/oa5/EJYn6v2fEcAxd4/9X\n" - "3XWlLsMQktQzaXiWm6Aj6iH0xspgqaJsSkV+pDq/VLDIF9E6Sh3yH3P1GZVZIuwJ\n" - "6TfJ5DQnIja2UqrU90xBgDBiqrKgHZPQVo+ZMVYwIwYJKoZIhvcNAQkVMRYEFDOd\n" - "4SfTi9X86wX8tceBaU9eO9nWMC8GCSqGSIb3DQEJFDEiHiAAcwBlAHIAdgBlAHIA\n" - "LQBsAG8AYwBhAGwAaABvAHMAdDAvMB8wBwYFKw4DAhoEFNkQm49TDWC2lR1GyKaU\n" - "wVWVn1UTBAjIzPZeicMLMAICKAA=\n" + "MIIRSgIBAzCCERAGCSqGSIb3DQEHAaCCEQEEghD9MIIQ+TCCCT8GCSqGSIb3DQEH\n" + "BqCCCTAwggksAgEAMIIJJQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI0Bv/\n" + "MLNNeX0CAggAgIII+PugAg+ZArNedgnhMh2kM1tVj1os+8i0BPh9kQMT4h7qes6e\n" + "Z6c+W4xCnL89p7Bz35riiK2KlJ6YzcTYXzONnmVR8gIEHsvYWwRSB++IE/jx9pCq\n" + "TxN5GIH1tt467EKdc+Y+f4WBXmtk5hF4gTmHG2t3o4HoniNXzcRd+ZSsFj4HGE/c\n" + "iXQY8lXN2PD1/XJsuwpYssKhJ+gI9iLREoyFdd+vG6KhzDvdgdvjWBQY/X5Q5pgF\n" + "kepe9jjokbLqLj+S8eHBQ8KF9B2FKB+RTyYep9zqn5qbN7TOt3+yMH+u+/Jj/GzH\n" + "ZjJNpee45G9CtPgjVS1t2fKjz9SaaKfOjHsH9WD5Sci9aqLRqFs84FlilRl6PyiG\n" + "5g89MiXL5Iu6WFoTM41eIezcyQf0ndakj2clVEfX2pX+e1bXWFzvnc5a933N2loK\n" + "OqJElti6h+T30M2CKEUX6FT5ihaowo5DwCXU3jTFcPMY0htvc4QuZQjBfyb/hGqf\n" + "UqjLGh+VZCmNPSmSkoqZScl8N2Db/DPvIu+cga2jSkFtvMEZVd9O5lN53drU8ONE\n" + 
"GMgdmJO43j/cnlICy+XpUyPrv055TXUo1gouyg5T1G/imtt0L265VTCxIqRVEsjR\n" + "EQdacLCOPvMohukJAbUTADh/vd3vf/qMINse/y/fPMoLpmtmmZsnZnr1zmIcIXLg\n" + "fLLBVhOz3Vl9RRl1qGbZQBleUUVAabYXbsK1UQHpZ7h2dSWF6ibm13DWRGkJRAVl\n" + "R1dvpwAzR1bhb7rOgTMhmxqADCWh8lcqFt/4ReZofdHmWoxZEopW4m3CghZQM+Ee\n" + "Kz4dYtLGk7W1rg8jnycAtxDwVGh9jMVsvCGypxkgEx+aQ7R+y9t0nu7l61GEnZBt\n" + "uP2EVrChWdFVyH9+YnRRCNaX7lbDtCdOnIrgGeEtNYwzbxUq/kSzllljrkYWQItK\n" + "W+vvMf9NVjTxyJr4kIXenm9ojPO3i485RWECIupdasel2YnPZYjcAKJc4p6nFGVB\n" + "YDs/U32f1BVEXp7pPZOuuzU+ocTswSluwQ0NskuYnDT9w8+LauaqpILRQpCtIIZC\n" + "TEqa7aS7S+f85Jeyt3yGsTNwUuQJZaG5D3Eh7iOB+rJaq3wEwoPlVLURVd8f6Z4H\n" + "t1i0fM2iQA9+FXVkj2B5zr19no0Q8hr/Bb20u9YTT48CfXA7I2IwXSprb8kql0M8\n" + "JmBv6FIDWzXLbGyRR39fX9kKlYMy0eq0ZxXKLLKEnZ1GUwtIeHTYKXG7ezliNaUl\n" + "7UEp3V+bYOddL6uRafEsemdskHtl10RIi3Q3ZX2OksPueMQ5YSOVh4CSPpHsHYGA\n" + "9KWt/PSja+zRGHsGEPX1jic2vHUTxOxI2sOZssnYCYWj/4MDk0xs7M0zdSXEEl5L\n" + "97i5Qx+zv5MPM3yLexG+FllSD6nbPswzG8rHelfRSaK/+AHd0gigrUHqGFOp8B/P\n" + "ml8obqs/LroKVzA109u3LfFlm+JFYeJgqsuoSuLYmJwFe6LNFkmhgGPwhyntqKEx\n" + "zSxgZl91XrgYYuJwn7+CgQx6Dkv7I+SCfJGLBNeAp0Rr+hpYqk0OU9yHBrTLe8T+\n" + "AQhHs4/ScZzRXu5F3dbjZ0PFwOYLo4t/NwUqkL8rCDtn45c1z5oyWhwk7nZMDCT3\n" + "gIpVLf5XDD9f6eXV216oNIL1vxOw0B5GXXsT1KIKTCbBrNl920+GBu3xB44AN7Ik\n" + "A+FhVKT1ZiaoEUKkUIy6I410GprvqDjRGp+Qs2Xitfk/E/3aoZ97cDBLEQOnF/lZ\n" + "mqsczn9XnI+Jp+E8rhTxOMACR2Oa3XuL0+um7Qk+rkS2jcmJy9WniedO2E1EUHoj\n" + "FRwWNjTQQR04Spv3qAc6IP1i8otUzKFkSx6SxH0a5zcm0ERNa6ZyU/jYvRrIGgZC\n" + "kUxtTZbNNIggP3xqU+meRdRUeiOpqL8W3WCJ2FcjpR1FhXZ1sU1/u8pAgMMOhTBZ\n" + "ICHmSjOGZ24kGgWNcLxYQG+qtIH7r6ihd9x/dv0s/Q9DAISv6G8z2YXcBb5EMZW4\n" + "/59z0XL8HFx0/esjB9mHUD/4/Kzp169sJQOvDdmijNaZcDanUa8niBhruuS2KnUB\n" + "iW2SrV6DBx32bjVIPbDJoDmcQWRDsuwpMqRAVtAWrmY5JeNp3zgII0Nr4rUAojWE\n" + "x937fOdIMJu8K1Nst+78DVA4h6jdnUHv5bvOcsVKejjRvSot5vQ/XQPppHlQ73v6\n" + "+Jro0bstYkMpfsbBXHt8tsB6nmZ9i5bv2x7P1nISKgMA4NzzdHFSpwFCmxrBaJen\n" + "XmkoTdQId1O6YlYHJS7fMntNbi60E01bReAVjtY5Q77kqVab/LQI6yJHz01/1KjH\n" + 
"2MiLixUV6a58FhKOI8Ea/yWSJti549Dqs+AMnwUu56GGT7lBLdT3x4r+SwThUWN2\n" + "aCQoy6rJ5wrsa2OGoO6I5CWHzIov1zlP+oWdKueuGRGTwJdnWm9ZQxTbDJ3QHeBn\n" + "OQXcWNcnQm2lcNfm297EGsClrrKTqmHBR8awpnnMdqzp0+vKiTzrfzGMVWQKoMM/\n" + "74bzAts3+a+sBa5Y34YY+VLPqpXcVR9gY5+xxgYTzI7Ppggn5pNI+lng8B0hjFUU\n" + "o2GNw8uKDVbjWf+ewULWKcCgAaBXXCAOo291TrURABmyR6XnybZwsg9a4yh/kcyk\n" + "aXYLsrmEhfW17ChcGE5LLMzHEeSCUgy+z3yiiP6tD0g/6RFt9Nt57bVndJFqMVcS\n" + "78VdEtQEI11Ty2oeN/+e8XhkZeicvgqgdrDb5jmfGN/F1la0FBnXnJG1fG8qnMMv\n" + "C8V/eRxYanKWr/UwpsC6r/pn+1iTOO3hByg9rWgGSALbgnUFvIfQiSccVoD/lkbh\n" + "TZlsuxhdKXnimi22RO50+0L99TnECu0psQXBDvCzzHSwi3MjPcvrQSPb/ZPSPqd2\n" + "ock7nRDXFn+E04XAOFEuF1Bb5SfEbWHLx0d7uCSieAF9YMBZWvETTOOnDgH3Pe93\n" + "+46a0tp4IdWrZEdUcU+/UpwuKyMGCCAfwKMFCA6i/In/cJAcrpRQJGWVsBERMaVQ\n" + "6Ke/ZwIwggeyBgkqhkiG9w0BBwGgggejBIIHnzCCB5swggeXBgsqhkiG9w0BDAoB\n" + "AqCCBy4wggcqMBwGCiqGSIb3DQEMAQMwDgQIT0kvLiNCahwCAggABIIHCM453Rnc\n" + "ggHPk7un7VHebwwtckSBn7qntGhILQfJ+0xoPHPMHMUoDQ7DRbkcyuqtP0+VoZKa\n" + "yLb2WDpyir/f8cyhZdDSnlb/WK16UaBguYmw8ppN09Lsok9KKNJxdWaHz65kABAh\n" + "pHAX6BpdVFv8dOiWuE/+v0TGsaPpvRvwAy1qNNlErcIgGFs2GCgdVadblKw0lR3p\n" + "t/6lhTRF4xqaPtUx4am2cQlmJyUCxy/XSetSFYaKIUdP5pEbesmYs5SuosCwokkB\n" + "q3fzstm94dIzjoPz/XJp2Ek5lpmoHUO0SOGfSDdmMuCPoICQN+xcR0oD6Kso5MrS\n" + "PepHrrG6KqX9fIR2Y2stEJsuaRYA/1h5CEnHnOWEbr2DBbuXB3HY6a5CrwV3xSCK\n" + "Ek0LcWe6c/+ceBcpIUjte8oaM6jPO0WeknNtDQLz+YNnvIqiT/3u3P8pA6DomJrw\n" + "0NoTm/SNMaKPz5IIBBNIzjMXWopgJ9+/bktwbENA/lO5gQvxLGRuaAZpvQpEbmhB\n" + "9W5ofFelsN/BF0zminlL8w8rFc8AKMKEBg85z/EqDkl02cUQa5XDKe3i0Td04xeZ\n" + "KOzsVqBm42rvCh2OgbNcbXBPqUTklRRKzzCgL/Ej645oTkzRfZxUmLaly5bkjyDm\n" + "vXdLdp2doVQlXboCZDK5hmxkirviYPsrjNzAPd5Uz+4rVB5qrxYTsY+0Rtdpb+J0\n" + "RqM2XFqJnA8ElIljsx7wugEEXt1wwey1JhS/+qybnDCP4f6OCaM5t8TTql2o6Eoh\n" + "DntWfAiq8A8mP43HP3FrGyI/3cpgOEF67Q/nLJFnaf6vwfm15xdq20iOIDZtoGJ7\n" + "VahRpOXNed2Xnv/HFwfPvGZM3lInEOEkC6vKWWDoOrE6kAu739X9lm+lLR0l1ihE\n" + "X8gtilgYU5xzM0ZmRjepLn19jdb18nGEUg2pMNkhEakiDyxLmYBBU43IDRzdYgTe\n" + 
"GJzakTDw/gNO6buVy+emr+IIW0f8hRSbXFHuw5/lpLZoXNCXuHRyEcGa4RhubrVe\n" + "ycuauZYFSp0JhJe+0OtKkBUHSTkoj1aaOByylq8b38ovbFTZ/JiCsYGsmwOfDiSu\n" + "21Fe1mv8+GtFf+t+H+IQBDv2/SHHWwVExW8hwYwXXZ8wodfpLrF7FWQvEa62/DvN\n" + "nQ4sy+z3IJtoPoGBfKMgLSJaNyuavRpbhy1fYuhUwhnbrH1M3YVgi+CnW8lIn44e\n" + "KoSPf11qTlgXBNVezXPYh6cw0FOObkiiuqSL7/ax34Lbz8vWs1yDs6ni9M7l8VUa\n" + "j0MhBEQDTinzz2L7U/uRGkcHYVNsCAIOaStbKxNx2bnEmFL2TShs6eH1kPAyDJ9N\n" + "SFuqmrboF92KNM1wKjIcthbJxPVJVlI1M0B8HVuU00QTIaJyJoQZuNQ6lyzTudwS\n" + "5F69zmQCaRIN2b04m/237Z4/SXuUwFDdDojoFxJ6m1yA86uUigyOzKGavtZz4tgw\n" + "BTCYcxaoCB2ebqNl3L4oE+gaAweAjtivNbAJswCkQF+LPEbAt8m2BZDo1bI4wAg+\n" + "Mjzs83PkzE3bn6q6Rk8HslnOCS55M6gTPu2zvz/FSaLY29X/5D7QtKJPAw30xUA1\n" + "Wjm3K0tkY/wqWntmJW9zVAaLzvW4iA61D9EuRoY/NChyF6HsLL8BjUEktNBItQ/h\n" + "2kUQnrJeoaaW4nIZz/apiryaFekWWpjudO8zxhxHquK8KpwdXK4c6LCMycTio42J\n" + "rw0/Tbe4noTfxPTJoaG9CaJXTq0rIMWxQprUONdjVih3cADI9V6/aO7/fSU+awFG\n" + "0inoNW6HmAT9ztYsUgRJ+JfiZCc7+h8WY/rrDb15Jj0Jjl4pe2B3S57c5zJ7TgHd\n" + "Zm8ED5uagqAcUIsBIlkNABAuia78tLewFFfCV5mYQUp3fHT6MU9EmPFI3YOuwvhk\n" + "NhscLr0qGIdxK9fS190Al3W5VZiCZ3g6bTwRLkjVChNC6e8u2gxGy6Rx0uxW3c73\n" + "/Spk4oYJ4PAT8GAgO4DJyRg52dFMBSBz4ZLAVR1eVVvPRbV7CSSaGLBLvAp/GFbz\n" + "pZ7sfEeGuiSb0GzcdU7anf+xvmSK/rxHfQPjqZ5EcGG3xhONG/SYwUlrp4GlP6Qs\n" + "ZlRSxsfy9YdIzmf3JhDvVtqK5Uj/wGXlX29NDh+X7mhvCOxCPM19AynXtGWgGFkb\n" + "zd8oaGXbIt/FldsQidEx9UINjtmozl/pB03lFL8wbEF/wBuLx+E1Ite2NCspOJTk\n" + "unw8CZJdUXmdVGo23iOrAziQFrlyPKawoX5iOYot47PQ6vcKiV2fnE5XHUqU2l6K\n" + "DHZbSGfz8vjC9LsAJzhhyZvjxi0LIDwxyt+RqV24cxcz7Qecu4DEy0E/xmYIkdyZ\n" + "SW97f3kIsAgQlku1LesNIk4dyzFWMCMGCSqGSIb3DQEJFTEWBBT9j7rrTvF9BQIR\n" + "akEUSP09N/PaYzAvBgkqhkiG9w0BCRQxIh4gAHMAZQByAHYAZQByAC0AbABvAGMA\n" + "YQBsAGgAbwBzAHQwMTAhMAkGBSsOAwIaBQAEFNeGPUIUl4cjhFet09N6VSCxmfSY\n" + "BAjXfJCHoHZI2QICCAA=\n" "-----END PKCS12-----\n"; const gnutls_datum_t server_ca3_pkcs12 = { (void*)server_ca3_pkcs12_pem, diff --git a/tests/keylog-env.c b/tests/keylog-env.c index 4d52ef1..2b0d166 100644 
--- a/tests/keylog-env.c +++ b/tests/keylog-env.c @@ -99,7 +99,7 @@ static void run(const char *env, const char *filename) assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0); assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); - ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert, + ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert_chain, &server_ca3_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { diff --git a/tests/send-client-cert.c b/tests/send-client-cert.c index d9074c5..048628b 100644 --- a/tests/send-client-cert.c +++ b/tests/send-client-cert.c @@ -78,7 +78,7 @@ static void try(unsigned expect, unsigned ca_type) /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key_mem(serverx509cred, - &server_ca3_cert, &server_ca3_key, + &server_ca3_cert_chain, &server_ca3_key, GNUTLS_X509_FMT_PEM); gnutls_dh_params_init(&dh_params); @@ -119,7 +119,7 @@ static void try(unsigned expect, unsigned ca_type) exit(1); ret = gnutls_certificate_set_x509_key_mem(clientx509cred, - &cli_ca3_cert, &cli_ca3_key, + &cli_ca3_cert_chain, &cli_ca3_key, GNUTLS_X509_FMT_PEM); if (ret < 0) exit(1); diff --git a/tests/set_x509_key.c b/tests/set_x509_key.c index fb1b6a3..51177ed 100644 --- a/tests/set_x509_key.c +++ b/tests/set_x509_key.c @@ -151,7 +151,7 @@ static void auto_parse(void) gnutls_certificate_credentials_t x509_cred, clicred; gnutls_pcert_st pcert_list[16]; gnutls_privkey_t key; - gnutls_pcert_st second_pcert; + gnutls_pcert_st second_pcert[2]; gnutls_privkey_t second_key; unsigned pcert_list_size; int ret; 
@@ -177,7 +177,7 @@ static void auto_parse(void) pcert_list_size = sizeof(pcert_list)/sizeof(pcert_list[0]); ret = gnutls_pcert_list_import_x509_raw(pcert_list, &pcert_list_size, - &server_ca3_localhost_cert, GNUTLS_X509_FMT_PEM, 0); + &server_ca3_localhost_cert_chain, GNUTLS_X509_FMT_PEM, 0); if (ret < 0) { fail("error in gnutls_pcert_list_import_x509_raw: %s\n", gnutls_strerror(ret)); } @@ -197,9 +197,9 @@ static void auto_parse(void) /* set the ECC key */ assert(gnutls_privkey_init(&second_key)>=0); - pcert_list_size = 1; - ret = gnutls_pcert_list_import_x509_raw(&second_pcert, &pcert_list_size, - &server_ca3_localhost6_cert, GNUTLS_X509_FMT_PEM, 0); + pcert_list_size = 2; + ret = gnutls_pcert_list_import_x509_raw(second_pcert, &pcert_list_size, + &server_ca3_localhost6_cert_chain, GNUTLS_X509_FMT_PEM, 0); if (ret < 0) { fail("error in gnutls_pcert_list_import_x509_raw: %s\n", gnutls_strerror(ret)); } @@ -209,8 +209,8 @@ static void auto_parse(void) fail("error in key import: %s\n", gnutls_strerror(ret)); } - ret = gnutls_certificate_set_key(x509_cred, NULL, 0, &second_pcert, - 1, second_key); + ret = gnutls_certificate_set_key(x509_cred, NULL, 0, second_pcert, + 2, second_key); if (ret < 0) { fail("error in gnutls_certificate_set_key: %s\n", gnutls_strerror(ret)); exit(1); diff --git a/tests/set_x509_key_file_der.c b/tests/set_x509_key_file_der.c index eab1944..1628b39 100644 --- a/tests/set_x509_key_file_der.c +++ b/tests/set_x509_key_file_der.c 
@@ -91,15 +91,15 @@ void doit(void) assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); - ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca2_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); assert(get_tmpname(certfile)!=NULL); assert(get_tmpname(keyfile)!=NULL); - write_der(certfile, "CERTIFICATE", (char*)server_localhost_ca3_cert_pem); - write_der(keyfile, "RSA PRIVATE KEY", (char*)server_ca3_key_pem); + write_der(certfile, "CERTIFICATE", (char*)server2_cert_pem); + write_der(keyfile, "RSA PRIVATE KEY", (char*)server2_key_pem); ret = gnutls_certificate_set_x509_key_file2(xcred, certfile, keyfile, GNUTLS_X509_FMT_DER, NULL, 0); @@ -113,7 +113,7 @@ void doit(void) exit(1); } - compare(&tcert, server_localhost_ca3_cert_pem); + compare(&tcert, server2_cert_pem); remove(certfile); remove(keyfile); diff --git a/tests/set_x509_key_file_ocsp.c b/tests/set_x509_key_file_ocsp.c index 9aae722..99be433 100644 --- a/tests/set_x509_key_file_ocsp.c +++ b/tests/set_x509_key_file_ocsp.c @@ -95,7 +95,7 @@ void doit(void) fp = fopen(certfile, "wb"); if (fp == NULL) fail("error in fopen\n"); - assert(fwrite(server_localhost_ca3_cert_pem, 1, strlen(server_localhost_ca3_cert_pem), fp)>0); + assert(fwrite(server_localhost_ca3_cert_chain_pem, 1, strlen(server_localhost_ca3_cert_chain_pem), fp)>0); assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); fclose(fp); @@ -108,7 +108,7 @@ void doit(void) fp = fopen(certfile, "wb"); if (fp == NULL) fail("error in fopen\n"); - assert(fwrite(server_localhost6_ca3_cert_pem, 1, strlen(server_localhost6_ca3_cert_pem), fp)>0); + assert(fwrite(server_localhost6_ca3_cert_chain_pem, 1, strlen(server_localhost6_ca3_cert_chain_pem), fp)>0); assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); fclose(fp); 
diff --git a/tests/set_x509_key_mem.c b/tests/set_x509_key_mem.c index e3d5e24..5bb1145 100644 --- a/tests/set_x509_key_mem.c +++ b/tests/set_x509_key_mem.c @@ -89,7 +89,7 @@ void doit(void) gnutls_certificate_allocate_credentials(&x509_cred); gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH); - ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost6_cert, + ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost6_cert_chain, &server_ca3_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { @@ -97,7 +97,7 @@ void doit(void) exit(1); } - ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert, + ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert_chain, &server_ca3_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { diff --git a/tests/x509-cert-callback-legacy.c b/tests/x509-cert-callback-legacy.c index 257dbaa..caf515f 100644 --- a/tests/x509-cert-callback-legacy.c +++ b/tests/x509-cert-callback-legacy.c @@ -63,7 +63,7 @@ cert_callback(gnutls_session_t session, st->cert_type = GNUTLS_CRT_X509; - ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &cli_ca3_cert, GNUTLS_X509_FMT_PEM, + ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &cli_ca3_cert_chain, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) { fail("error: %s\n", gnutls_strerror(ret)); @@ -105,7 +105,7 @@ server_cert_callback(gnutls_session_t session, st->cert_type = GNUTLS_CRT_X509; - ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &server_ca3_cert, GNUTLS_X509_FMT_PEM, + ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &server_ca3_cert_chain, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) { fail("error: %s\n", gnutls_strerror(ret)); 
@@ -217,7 +217,7 @@ void doit(void) gnutls_x509_crt_init(&crt); ret = - gnutls_x509_crt_import(crt, &server_ca3_localhost_cert, + gnutls_x509_crt_import(crt, &server_ca3_localhost_cert_chain, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("gnutls_x509_crt_import: %s\n", @@ -255,7 +255,7 @@ void doit(void) gnutls_x509_crt_init(&crt); ret = - gnutls_x509_crt_import(crt, &cli_ca3_cert, + gnutls_x509_crt_import(crt, &cli_ca3_cert_chain, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("gnutls_x509_crt_import: %s\n", @@ -295,7 +295,7 @@ void doit(void) data[1].data = (void *)GNUTLS_KP_TLS_WWW_SERVER; gnutls_certificate_get_peers(client, &cert_list_size); - if (cert_list_size != 1) { + if (cert_list_size != 2) { fprintf(stderr, "received a certificate list of %d!\n", cert_list_size); exit(1); @@ -321,7 +321,7 @@ void doit(void) data[1].data = (void *)GNUTLS_KP_TLS_WWW_CLIENT; gnutls_certificate_get_peers(client, &cert_list_size); - if (cert_list_size != 1) { + if (cert_list_size != 2) { fprintf(stderr, "received a certificate list of %d!\n", cert_list_size); exit(1); diff --git a/tests/x509-cert-callback.c b/tests/x509-cert-callback.c index dde39dd..6fe3d61 100644 --- a/tests/x509-cert-callback.c +++ b/tests/x509-cert-callback.c 
@@ -57,22 +57,30 @@ cert_callback(gnutls_session_t session, int ret; gnutls_pcert_st *p; gnutls_privkey_t lkey; + gnutls_x509_crt_t *certs; + unsigned certs_size, i; if (gnutls_certificate_client_get_request_status(session) == 0) { fail("gnutls_certificate_client_get_request_status failed\n"); return -1; } - p = gnutls_malloc(sizeof(*p)); + p = gnutls_malloc(2 * sizeof(*p)); if (p == NULL) return -1; if (g_pkey == NULL) { - ret = - gnutls_pcert_import_x509_raw(p, &cli_ca3_cert, - GNUTLS_X509_FMT_PEM, 0); + ret = gnutls_x509_crt_list_import2(&certs, &certs_size, + &cli_ca3_cert_chain, + GNUTLS_X509_FMT_PEM, 0); + if (ret < 0) + return -1; + ret = gnutls_pcert_import_x509_list(p, certs, &certs_size, 0); if (ret < 0) return -1; + for (i = 0; i < certs_size; i++) + gnutls_x509_crt_deinit(certs[i]); + gnutls_free(certs); ret = gnutls_privkey_init(&lkey); if (ret < 0) @@ -89,11 +97,11 @@ cert_callback(gnutls_session_t session, g_pkey = lkey; *pcert = p; - *pcert_length = 1; + *pcert_length = 2; *pkey = lkey; } else { *pcert = g_pcert; - *pcert_length = 1; + *pcert_length = 2; if (gnutls_certificate_client_get_request_status(session) == 0) { fail("gnutls_certificate_client_get_request_status failed\n"); return -1; @@ -117,17 +125,25 @@ server_cert_callback(gnutls_session_t session, int ret; gnutls_pcert_st *p; gnutls_privkey_t lkey; + gnutls_x509_crt_t *certs; + unsigned certs_size, i; - p = gnutls_malloc(sizeof(*p)); + p = gnutls_malloc(2 * sizeof(*p)); if (p == NULL) return -1; if (server_pkey == NULL) { - ret = - gnutls_pcert_import_x509_raw(p, &server_ca3_localhost_cert, - GNUTLS_X509_FMT_PEM, 0); + ret = gnutls_x509_crt_list_import2(&certs, &certs_size, + &server_ca3_localhost_cert_chain, + GNUTLS_X509_FMT_PEM, 0); + if (ret < 0) + return -1; + ret = gnutls_pcert_import_x509_list(p, certs, &certs_size, 0); if (ret < 0) return -1; + for (i = 0; i < certs_size; i++) + gnutls_x509_crt_deinit(certs[i]); + gnutls_free(certs); ret = gnutls_privkey_init(&lkey); if (ret < 0) 
@@ -144,11 +160,11 @@ server_cert_callback(gnutls_session_t session, server_pkey = lkey; *pcert = p; - *pcert_length = 1; + *pcert_length = 2; *pkey = lkey; } else { *pcert = server_pcert; - *pcert_length = 1; + *pcert_length = 2; *pkey = server_pkey; } @@ -317,7 +333,7 @@ void doit(void) data[1].data = (void *)GNUTLS_KP_TLS_WWW_SERVER; gnutls_certificate_get_peers(client, &cert_list_size); - if (cert_list_size != 1) { + if (cert_list_size != 2) { fprintf(stderr, "received a certificate list of %d!\n", cert_list_size); exit(1); @@ -343,7 +359,7 @@ void doit(void) data[1].data = (void *)GNUTLS_KP_TLS_WWW_CLIENT; gnutls_certificate_get_peers(client, &cert_list_size); - if (cert_list_size != 1) { + if (cert_list_size != 2) { fprintf(stderr, "received a certificate list of %d!\n", cert_list_size); exit(1); diff --git a/tests/x509cert.c b/tests/x509cert.c index ba03f82..32360bd 100644 --- a/tests/x509cert.c +++ b/tests/x509cert.c @@ -68,7 +68,7 @@ void doit(void) gnutls_x509_privkey_t get_key; gnutls_x509_crt_t *get_crts; unsigned n_get_crts; - gnutls_datum_t get_datum; + gnutls_datum_t get_datum, chain_datum[2] = {server_ca3_cert, subca3_cert}; gnutls_x509_trust_list_t trust_list; gnutls_x509_trust_list_iter_t trust_iter; gnutls_x509_crt_t get_ca_crt; @@ -86,7 +86,7 @@ void doit(void) gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); - gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_cert, + gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_cert_chain, &server_ca3_key, GNUTLS_X509_FMT_PEM); 
@@ -105,19 +105,19 @@ void doit(void) list_size = LIST_SIZE; ret = - gnutls_x509_crt_list_import(list, &list_size, &cli_ca3_cert, + gnutls_x509_crt_list_import(list, &list_size, &cli_ca3_cert_chain, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) fail("gnutls_x509_crt_list_import"); ret = - gnutls_certificate_get_issuer(x509_cred, list[0], &issuer, 0); + gnutls_certificate_get_issuer(x509_cred, list[list_size-1], &issuer, 0); if (ret < 0) fail("gnutls_certificate_get_isser"); ret = - gnutls_certificate_get_issuer(x509_cred, list[0], &issuer, GNUTLS_TL_GET_COPY); + gnutls_certificate_get_issuer(x509_cred, list[list_size-1], &issuer, GNUTLS_TL_GET_COPY); if (ret < 0) fail("gnutls_certificate_get_isser"); 
@@ -163,25 +163,27 @@ void doit(void) gnutls_certificate_get_x509_crt(x509_cred, 0, &get_crts, &n_get_crts); if (ret < 0) fail("gnutls_certificate_get_x509_crt"); - if (n_get_crts != 1) - fail("gnutls_certificate_get_x509_crt: n_crts != 1"); + if (n_get_crts != 2) + fail("gnutls_certificate_get_x509_crt: n_crts != 2"); - ret = - gnutls_x509_crt_export2(get_crts[0], - GNUTLS_X509_FMT_PEM, - &get_datum); - if (ret < 0) - fail("gnutls_x509_crt_export2"); + for (i = 0; i < n_get_crts; i++) { + ret = + gnutls_x509_crt_export2(get_crts[i], + GNUTLS_X509_FMT_PEM, + &get_datum); + if (ret < 0) + fail("gnutls_x509_crt_export2"); - if (get_datum.size != server_ca3_cert.size || - memcmp(get_datum.data, server_ca3_cert.data, get_datum.size) != 0) { - fail( - "exported certificate %u vs. %u\n\n%s\n\nvs.\n\n%s", - get_datum.size, server_ca3_cert.size, - get_datum.data, server_ca3_cert.data); - } + if (get_datum.size != chain_datum[i].size || + memcmp(get_datum.data, chain_datum[i].data, get_datum.size) != 0) { + fail( + "exported certificate %u vs. %u\n\n%s\n\nvs.\n\n%s", + get_datum.size, chain_datum[i].size, + get_datum.data, chain_datum[i].data); + } - gnutls_free(get_datum.data); + gnutls_free(get_datum.data); + } gnutls_certificate_get_trust_list(x509_cred, &trust_list); -- 2.7.4 From nmav at gnutls.org Tue Aug 9 15:32:57 2016 
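Review bot: in send-client-cert.c, hunk @@ -78, the return value of the server-side gnutls_certificate_set_x509_key_mem(serverx509cred, &server_ca3_cert_chain, ...) is still discarded, while the client-side call in hunk @@ -119 checks `if (ret < 0) exit(1);`. Since this series changes what that call has to parse, a failed chain import on the server side would only surface later as an unexplained handshake failure, so checking it the same way is worth the extra line.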
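Review bot: in set_x509_key.c, hunk @@ -209, the certificate count handed to gnutls_certificate_set_key is the literal 2 (`ret = gnutls_certificate_set_key(x509_cred, NULL, 0, second_pcert, 2, second_key);`) although pcert_list_size was just updated to the number actually imported by gnutls_pcert_list_import_x509_raw in hunk @@ -197; passing pcert_list_size keeps the two in step if the localhost6 chain fixture ever changes length.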
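Review bot: in set_x509_key_file_der.c, hunk @@ -91, this is the one test in the series that moves away from the ca3 fixtures (to ca2_cert, server2_cert_pem and server2_key_pem) instead of onto the new chain datums, and nothing in the hunk says why; a one-line comment next to the write_der() calls would spare the next reader that question. While these lines are being touched, `fail("set_x509_trust_file failed: %s\n", ...)` names a different function than the gnutls_certificate_set_x509_trust_mem call it reports on.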
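Review bot: in x509-cert-callback-legacy.c, hunks @@ -217 and @@ -255, gnutls_x509_crt_import reads a single certificate, so only the leading certificate of server_ca3_localhost_cert_chain and of cli_ca3_cert_chain ends up in crt. If the leaf is what is wanted there, a short comment would make that deliberate; otherwise gnutls_x509_crt_list_import2, as used in hunk @@ -63 of the same file, is the matching call.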
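Review bot: in x509-cert-callback.c, hunks @@ -57 and @@ -117, `p = gnutls_malloc(2 * sizeof(*p));` is sized before gnutls_x509_crt_list_import2 reports certs_size, and gnutls_pcert_import_x509_list(p, certs, &certs_size, 0) then fills certs_size entries, so a chain fixture longer than two certificates would write past the allocation; allocating certs_size entries after the import (or failing when certs_size > 2) removes that dependency, and `*pcert_length = 2;` can then become certs_size. The new early returns after both import calls also leave p, and after the second one certs as well, unfreed; a common cleanup path would cover both.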
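Review bot: in x509cert.c, hunk @@ -163, the loop variable i is not declared in the visible part of doit(); it needs to be unsigned to match n_get_crts, otherwise `i < n_get_crts` draws a sign-compare warning. In hunk @@ -105 both fail() strings read gnutls_certificate_get_isser (a missing 'u'), which is worth fixing while those lines are being changed.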
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 9 Aug 2016 15:32:57 +0200
Subject: [gnutls-devel] [PATCH 1/5] Fix invalid pointer operation in gnutls_certificate_get_x509_crt
In-Reply-To: <1470723588.2433.4.camel@spectralink.com>
References: <1470655878-9651-1-git-send-email-stefan.sorensen@spectralink.com> <1470723588.2433.4.camel@spectralink.com>
Message-ID:

On Tue, Aug 9, 2016 at 8:19 AM, Sørensen, Stefan wrote:
> On Mon, 2016-08-08 at 18:01 +0200, Nikos Mavrogiannopoulos wrote:
>> I've applied patches 1-4 (I've not received patch number 5). As
>> stated in the previous mail, a reproducer for 4 is more than welcome
> Patch 5 changes ca3 to include an intermediate CA - that causes two of
> the existing test cases to trigger both of the fixed bugs. The patch
> does a bit of certificate shuffling so it is awaiting moderator
> approval due to its size.

All the patches were applied. Thank you.

From n.mavrogiannopoulos at gmail.com Tue Aug 9 16:27:44 2016
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Tue, 9 Aug 2016 16:27:44 +0200
Subject: [gnutls-devel] what about a final gnutls 2.12.24 release?
Message-ID:

Hi,

I have been updating the gnutls 2.12.x branch to address some of the issues we need to fix at Red Hat, and I realized that this version has quite some interoperability issues with TLS 1.2 today. To allow future implementations connecting to servers using that version, would it make sense to have a "final" 2.12.24 release fixing all these issues I've found, as well as any other important or critical fixes I receive?

Let me know whether such a release would be helpful to you (reply on list or private), since this branch is terrible to work with, and I'd prefer not to touch it unless necessary.

regards,
Nikos

From ametzler at bebt.de Sun Aug 14 18:55:59 2016
From: ametzler at bebt.de (Andreas Metzler)
Date: Sun, 14 Aug 2016 18:55:59 +0200
Subject: [gnutls-devel] [Patch] Fix cipher_openssl_compat linkage
Message-ID: <20160814165559.3bouksvfl3udobvl@argenau.bebt.de>

Hello,

the linker line for cipher-openssl-compat currently looks like this:

libtool: link: gcc -g -O2 /usr/lib/x86_64-linux-gnu/libcrypto.so -Wl,-rpath -Wl,/usr/lib/x86_64-linux-gnu -Wl,-z -Wl,relro -Wl,-z -Wl,now -o .libs/cipher-openssl-compat cipher-openssl-compat.o -L/usr/lib/x86_64-linux-gnu ../.libs/libutils.a /tmp/GNUTLS/gnutls-3.5.3/lib/.libs/libgnutls.so -lz -lp11-kit -lidn -ltasn1 -lnettle -lhogweed -lgmp ../../gl/.libs/libgnu.a ../../lib/.libs/libgnutls.so

There is no "-Wl,-rpath -Wl,/tmp/GNUTLS/gnutls-3.5.3/lib/.libs" and when the test is run a locally installed gnutls library in /usr/lib/ will be used (if available), resulting in test failures if the version differs.

Find attached a patch to fix this.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-tests-Fix-cipher_openssl_compat-linkage.patch
Type: text/x-diff
Size: 1082 bytes
Desc: not available
URL:

From ametzler at bebt.de Sun Aug 14 19:04:20 2016
From: ametzler at bebt.de (Andreas Metzler)
Date: Sun, 14 Aug 2016 19:04:20 +0200
Subject: [gnutls-devel] [Patch] Fix cipher_openssl_compat linkage
In-Reply-To: <20160814165559.3bouksvfl3udobvl@argenau.bebt.de>
References: <20160814165559.3bouksvfl3udobvl@argenau.bebt.de>
Message-ID: <20160814170420.pp7k7zppngcnis2u@argenau.bebt.de>

On 2016-08-14 Andreas Metzler wrote:
> Hello,
> the linker line for cipher-openssl-compat currently looks like this:
[...]
> There is no "-Wl,-rpath -Wl,/tmp/GNUTLS/gnutls-3.5.3/lib/.libs" and when
> the test is run a locally installed gnutls library in /usr/lib/ will be
> used (if available), resulting in test failures if the version differs.
[...]

On re-reading the Ubuntu bug I see that Gianfranco has come up with the same patch.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

From ametzler at bebt.de Sun Aug 14 19:28:45 2016
From: ametzler at bebt.de (Andreas Metzler)
Date: Sun, 14 Aug 2016 19:28:45 +0200
Subject: [gnutls-devel] [Patch] Fix cipher_openssl_compat linkage
In-Reply-To: <20160814165559.3bouksvfl3udobvl@argenau.bebt.de>
References: <20160814165559.3bouksvfl3udobvl@argenau.bebt.de>
Message-ID: <20160814172845.4nslpdz7gqmvlbbf@argenau.bebt.de>

On 2016-08-14 Andreas Metzler wrote:
[...]
> Find attached a patch to fix this.
[...]

please do not apply yet, needs further investigation.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

From aggarwal.s at samsung.com Fri Aug 19 11:58:39 2016
From: aggarwal.s at samsung.com (SUMIT AGGARWAL)
Date: Fri, 19 Aug 2016 09:58:39 +0000
Subject: [gnutls-devel] [PATCH] Fix HANDLE_LEAK and memory leak issues.
References:
Message-ID: <2093776308.252105.1471600719476.JavaMail.weblogic@epwas3p4>
Signed-off-by: Sumit Aggarwal --- src/benchmark-cipher.c | 5 ++++- src/srptool.c | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/benchmark-cipher.c b/src/benchmark-cipher.c index 636ab2a..15ae615 100644 --- a/src/benchmark-cipher.c +++ b/src/benchmark-cipher.c @@ -66,8 +66,11 @@ static void cipher_mac_bench(int algo, int mac_algo, int size) memset(_key, 0xf0, keysize); _iv = malloc(ivsize); - if (_iv == NULL) + if (_iv == NULL) { + if (_key) + free(_key); return; + } memset(_iv, 0xf0, ivsize); iv.data = _iv; diff --git a/src/srptool.c b/src/srptool.c index 5d60cde..8260f15 100644 --- a/src/srptool.c +++ b/src/srptool.c @@ -114,11 +114,13 @@ static int generate_create_conf(const char *tpasswd_conf) if (gnutls_srp_base64_encode_alloc(&n, &str_n) < 0) { fprintf(stderr, "Could not encode\n"); + fclose(fd); return -1; } if (gnutls_srp_base64_encode_alloc(&g, &str_g) < 0) { fprintf(stderr, "Could not encode\n"); + fclose(fd); return -1; } -- 1.9.1 From ametzler at bebt.de Sat Aug 20 14:32:42 2016 
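Review bot: in benchmark-cipher.c, hunk @@ -66, the guard in `if (_key) free(_key);` is redundant: free(NULL) is a no-op by definition, and `memset(_key, 0xf0, keysize);` two lines above has already dereferenced _key, so it cannot be NULL on this path; a bare free(_key) is enough.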
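Review bot: in srptool.c, hunk @@ -114, the second error path now closes fd but still leaks str_n, which the first gnutls_srp_base64_encode_alloc(&n, &str_n) call allocated before the encode of g failed; releasing str_n with gnutls_free belongs next to that second fclose(fd).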
From: ametzler at bebt.de (Andreas Metzler)
Date: Sat, 20 Aug 2016 14:32:42 +0200
Subject: [gnutls-devel] gnutls-bin and Emacs lisp TLS binding
Message-ID: <20160820123242.oilz4kni356gxnqo@argenau.bebt.de>

Hello,

I have received the following report from Adam Sjögren in :
----------------------------
After upgrading gnutls-bin from 3.5.2 to 3.5.3 Gnus hangs when fetching email from imaps.

This is because gnutls-cli has stopped printing "- Handshake was completed", which Gnus looks for.

It can be worked around by changing the variable tls-success in Gnus, which may be the correct solution - I am reporting this bug in case the removal of the text was unintended.

The printf was removed in https://gitlab.com/gnutls/gnutls.git in this commit:

commit 7e051ae28c288c218584f75dbc6c097a3b2564c9
Author: Nikos Mavrogiannopoulos
Date: Tue Jul 26 10:33:24 2016 +0200

    tools: TLS handling has been incorporated into socket_open()

    This is of particular usage to the server IP address loop, since we can
    detect fast open errors and retry handshake to the next IP address.

[...]

Just noticed that the tls-success variable in Emacs lives in lisp/net/tls.el, so the change affects all elisp applications/libraries using it - besides Gnus¹ at least jabber.el².

¹ http://gnus.org/
² http://emacs-jabber.sourceforge.net/
----------------------------

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

From ametzler at bebt.de Sat Aug 20 14:44:56 2016
From: ametzler at bebt.de (Andreas Metzler)
Date: Sat, 20 Aug 2016 14:44:56 +0200
Subject: [gnutls-devel] gnutls-cli STARTTLS support broken in 3.5.3
Message-ID: <20160820124456.j6bxogyrrupfdwwb@argenau.bebt.de>

Hello,

it looks like starttls support is broken in 3.5.3.

3.5.2:

ametzler at argenau:~$ gnutls-cli -p 25 -s mx1.hotmail.com
Processed 173 CA certificate(s).
Resolving 'mx1.hotmail.com:25'...
Connecting to '65.55.37.88:25'...
- Simple Client Mode:

220 COL004-MC2F53.hotmail.com
[...]

3.5.3 (sid):

ametzler at argenau:~$ gnutls-cli -s -p 25 mx1.hotmail.com
Processed 173 CA certificate(s).
Resolving 'mx1.hotmail.com:25'...
Connecting to '65.55.92.168:25'...
|<1>| Received record packet of unknown type 50
*** Fatal error: An unexpected TLS packet was received.
*** handshake has failed: An unexpected TLS packet was received.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

From ametzler at bebt.de Sun Aug 21 11:34:08 2016
From: ametzler at bebt.de (Andreas Metzler)
Date: Sun, 21 Aug 2016 11:34:08 +0200
Subject: [gnutls-devel] gnutls-cli STARTTLS support broken in 3.5.3
In-Reply-To: <20160820124456.j6bxogyrrupfdwwb@argenau.bebt.de>
References: <20160820124456.j6bxogyrrupfdwwb@argenau.bebt.de>
Message-ID: <20160821093408.oz7ljxsb6tilctzz@argenau.bebt.de>

On 2016-08-20 Andreas Metzler wrote:
> it looks like starttls support is broken in 3.5.3.
[...]

Unsurprisingly this broke at 7e051ae28c288c218584f75dbc6c097a3b2564c9.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

From nmav at gnutls.org Mon Aug 22 08:26:07 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 22 Aug 2016 08:26:07 +0200
Subject: [gnutls-devel] gnutls-bin and Emacs lisp TLS binding
In-Reply-To: <20160820123242.oilz4kni356gxnqo@argenau.bebt.de>
References: <20160820123242.oilz4kni356gxnqo@argenau.bebt.de>
Message-ID:

On Sat, Aug 20, 2016 at 2:32 PM, Andreas Metzler wrote:
> Hello,
>
> I have received the following report from Adam Sjögren in
> :
> ----------------------------
> After upgrading gnutls-bin from 3.5.2 to 3.5.3 Gnus hangs when fetching email
> from imaps.
> This is because gnutls-cli has stopped printing "- Handshake was completed",
> which Gnus looks for.

Thanks for reporting that. It makes sense to keep that message intact. I've made this message be printed unconditionally:
https://gitlab.com/gnutls/gnutls/commit/12f5166d46db1459455b33b32c01b1fde5c73701

regards,
Nikos

From nmav at gnutls.org Mon Aug 22 09:48:58 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 22 Aug 2016 09:48:58 +0200
Subject: [gnutls-devel] gnutls-cli STARTTLS support broken in 3.5.3
In-Reply-To: <20160820124456.j6bxogyrrupfdwwb@argenau.bebt.de>
References: <20160820124456.j6bxogyrrupfdwwb@argenau.bebt.de>
Message-ID:

On Sat, Aug 20, 2016 at 2:44 PM, Andreas Metzler wrote:
> Hello,
> it looks like starttls support is broken in 3.5.3.

Thanks. It seems there were not any automatic tests for this functionality. I've committed a fix as well as included some basic testing at:
https://gitlab.com/gnutls/gnutls/merge_requests/45

If there are better ideas on how to easily test starttls upgrade, I'd be glad to include them.

regards,
Nikos

From nmav at gnutls.org Mon Aug 22 11:26:59 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 22 Aug 2016 11:26:59 +0200 Subject: [gnutls-devel] [PATCH] Fix HANDLE_LEAK and memory leak issues. In-Reply-To: <2093776308.252105.1471600719476.JavaMail.weblogic@epwas3p4> References: <2093776308.252105.1471600719476.JavaMail.weblogic@epwas3p4> Message-ID: Applied. Thank you. On Fri, Aug 19, 2016 at 11:58 AM, SUMIT AGGARWAL wrote: > Signed-off-by: Sumit Aggarwal > --- > src/benchmark-cipher.c | 5 ++++- > src/srptool.c | 2 ++ > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/src/benchmark-cipher.c b/src/benchmark-cipher.c > index 636ab2a..15ae615 100644 > --- a/src/benchmark-cipher.c > +++ b/src/benchmark-cipher.c > @@ -66,8 +66,11 @@ static void cipher_mac_bench(int algo, int mac_algo, int size) > memset(_key, 0xf0, keysize); > > _iv = malloc(ivsize); > - if (_iv == NULL) > + if (_iv == NULL) { > + if (_key) > + free(_key); > return; > + } > memset(_iv, 0xf0, ivsize); > > iv.data = _iv; > diff --git a/src/srptool.c b/src/srptool.c > index 5d60cde..8260f15 100644 > --- a/src/srptool.c > +++ b/src/srptool.c > @@ -114,11 +114,13 @@ static int generate_create_conf(const char *tpasswd_conf) > > if (gnutls_srp_base64_encode_alloc(&n, &str_n) < 0) { > fprintf(stderr, "Could not encode\n"); > + fclose(fd); > return -1; > } > > if (gnutls_srp_base64_encode_alloc(&g, &str_g) < 0) { > fprintf(stderr, "Could not encode\n"); > + fclose(fd); > return -1; > } > > -- > 1.9.1 > _______________________________________________ > Gnutls-devel mailing list > Gnutls-devel at lists.gnutls.org > http://lists.gnupg.org/mailman/listinfo/gnutls-devel From ametzler at bebt.de Fri Aug 26 19:18:46 2016 
From: ametzler at bebt.de (Andreas Metzler)
Date: Fri, 26 Aug 2016 19:18:46 +0200
Subject: [gnutls-devel] Problem with proxied connections on 3.5.3
Message-ID: <20160826171846.hdyq5vbo42wdoybq@argenau.bebt.de>

Hello,

this is https://bugs.debian.org/835342 reported by marcelomendes at gmail.com:
--------------------------------
>> Trying to git clone a github repo using libgnutls30 3.5.3-2 throws the
>> following error:
>
>> fatal: unable to access 'https://github.com/xxx/yyy/': gnutls_handshake()
>> failed: Public key signature verification has failed.
>
>> Same happens for curl:
>
>> curl https://duckduckgo.com
>> curl: (35) gnutls_handshake() failed: Public key signature verification has
>> failed.

> Are you able to reproduce either of these errors with gnutls-cli?

First, let me say I'm behind a proxy server.

Both versions of gnutls-bin (3.5.3-3 and the old 3.5.2-3) have the same behavior:

gnutls-cli -V --port 443 duckduckgo.com
Processed 173 CA certificate(s).
Resolving 'duckduckgo.com:443'...
Connecting to '107.21.1.61:443'...
Connecting to '184.72.106.52:443'...
Connecting to '184.72.115.86:443'...

and it stays there for quite some time until I ctrl+c

But, with the old version of libgnutls30 (3.5.2-3) got from here:
http://snapshot.debian.org/package/gnutls28/3.5.2-3/#libgnutls30_3.5.2-3
commands like git clone/pull work and curl -I https://... works too.

I tried from my vps and this issue doesn't happen with either version, that's a weird thing :)

Out of curiosity, the commands worked from inside a ubuntu-xenial vagrant box (virtualbox vms) with older versions of libgnutls30 (3.4.x)
--------------------------------

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

From nmav at gnutls.org Sun Aug 28 00:04:20 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 28 Aug 2016 00:04:20 +0200
Subject: [gnutls-devel] Problem with proxied connections on 3.5.3
In-Reply-To: <20160826171846.hdyq5vbo42wdoybq@argenau.bebt.de>
References: <20160826171846.hdyq5vbo42wdoybq@argenau.bebt.de>
Message-ID:

On Fri, Aug 26, 2016 at 7:18 PM, Andreas Metzler wrote:
> Hello,
>
> this is https://bugs.debian.org/835342 reported by
> marcelomendes at gmail.com:
> --------------------------------
>>> Trying to git clone a github repo using libgnutls30 3.5.3-2 throws the
>>> following error:
>>
>>> fatal: unable to access 'https://github.com/xxx/yyy/': gnutls_handshake()
>>> failed: Public key signature verification has failed.
>>
>>> Same happens for curl:
>>
>>> curl https://duckduckgo.com
>>> curl: (35) gnutls_handshake() failed: Public key signature verification has
>>> failed.
>> Are you able to reproduce either of these errors with gnutls-cli?
> First, let me say I'm behind a proxy server.
> Both versions of gnutls-bin (3.5.3-3 and the old 3.5.2-3) have the
> same behavior:
> gnutls-cli -V --port 443 duckduckgo.com
> Processed 173 CA certificate(s).
> Resolving 'duckduckgo.com:443'...
> Connecting to '107.21.1.61:443'...
> Connecting to '184.72.106.52:443'...
> Connecting to '184.72.115.86:443'...
> and it stays there for quite some time until I ctrl+c
> But, with the old version of libgnutls30 (3.5.2-3) got from here:
> http://snapshot.debian.org/package/gnutls28/3.5.2-3/#libgnutls30_3.5.2-3
> commands like git clone/pull work and curl -I https://... works too.

Something is wrong there. I don't see any changes in gnutls code that could result in it. Could the user bisect since 3.5.2 and try to figure out the change that causes that issue? Is there a reproducer?

regards,
Nikos

From nmav at gnutls.org Sun Aug 28 15:08:45 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 28 Aug 2016 15:08:45 +0200
Subject: [gnutls-devel] Speedup idea...
In-Reply-To: <2649316.ZQDDIFLkro@blitz-lx>
References: <7742688.hTZLG4inon@blitz-lx> <2649316.ZQDDIFLkro@blitz-lx>
Message-ID: <1472389725.1988.2.camel@gnutls.org>

On Wed, 2016-08-03 at 10:19 +0200, Tim Ruehsen wrote:
> > This violates the rule that the credentials must be read only after
> > being
> > set on a session, but on client side they are only used during
> > verification. An alternative approach is to verify the peers
> > certificates
> > using a trust list.
> My goal is to only load that CA cert(s) that really have to be checked
> against. I need to create a hash from the server certs which 'point' to the CA
> cert files on disk, like OpenSSL already does. Well, we talked about that in
> the past and you pointed me to p11kit... but in fact, I so far do not really
> have a 'big picture' - the p11kit docs are mostly technical details, no
> understandable explanation what it's all about.

I just realized, do you really need all of that? You can cache verification outputs and that would be much more performant than any optimization we discussed. You could for example save the certificate/hostname pair once verified for limited time and rely on that verification result instead. Pretty much similar to the trust on first use, but here you will only be adding to the trusted store once successfully verified, and for limited time.

regards,
Nikos
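The time-limited verification cache Nikos suggests above, written out as an added example (not code from this thread or from GnuTLS). The hostnames, certificate bytes and timestamps are constructed and full_verify is a stand-in for the full chain check; the cache is keyed on the hostname plus the SHA-256 fingerprint of the exact certificate, is only ever filled after a full verification succeeds, and an entry expires at the earlier of the TTL and the certificate's own notAfter, so a changed certificate or a lapsed entry always falls back to full verification.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Added example, not code from the thread or from GnuTLS: a time-limited
# cache of verification results keyed on (hostname, exact certificate).
# The certificate bytes, hostnames and timestamps below are constructed.


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the exact DER bytes, so any change to the certificate changes the key."""
    return hashlib.sha256(cert_der).hexdigest()


class VerificationCache:
    """Remembers (hostname, certificate) pairs that passed a full chain verification.

    Unlike trust-on-first-use, nothing is trusted because it was seen first: an
    entry exists only after full verification succeeded, and only for a limited time.
    """

    def __init__(self, ttl_seconds: int, max_entries: int = 1024) -> None:
        self.ttl = ttl_seconds
        self.max_entries = max_entries
        self._entries: Dict[Tuple[str, str], float] = {}  # key -> expiry (unix time)

    def lookup(self, hostname: str, cert_der: bytes, now: float) -> bool:
        """True only if this exact certificate was verified for this hostname and is still live."""
        key = (hostname, fingerprint(cert_der))
        expiry = self._entries.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self._entries[key]  # a lapsed entry is dropped, never silently renewed
            return False
        return True

    def record(self, hostname: str, cert_der: bytes, now: float, not_after: float) -> None:
        """Add an entry after a successful full verification, bounded by TTL and notAfter."""
        if len(self._entries) >= self.max_entries:
            self._entries.clear()  # crude bound; a real client would evict the oldest entry
        expiry = min(now + self.ttl, not_after)
        if expiry > now:
            self._entries[(hostname, fingerprint(cert_der))] = expiry


def verify_with_cache(cache: VerificationCache, hostname: str, cert_der: bytes,
                      not_after: float, now: float,
                      full_verify: Callable[[str, bytes], bool]) -> Tuple[bool, str]:
    """Return (ok, how): how is 'cache' on a hit, 'full' when the full chain check ran."""
    if cache.lookup(hostname, cert_der, now):
        return True, "cache"
    ok = full_verify(hostname, cert_der)
    if ok:
        cache.record(hostname, cert_der, now, not_after)
    return ok, "full"


def demo() -> List[Tuple[bool, str]]:
    """Walk through the cases the cache must get right; returns the (ok, how) outcomes in order."""
    def full_verify(hostname: str, cert_der: bytes) -> bool:
        return cert_der.startswith(b"good")  # constructed stand-in for the expensive chain check

    cache = VerificationCache(ttl_seconds=3600)
    t0 = 1_470_000_000.0
    cert_a, cert_b, bad = b"good-cert-A", b"good-cert-B", b"bad-cert"  # constructed DER stand-ins
    year = t0 + 365 * 86400
    return [
        verify_with_cache(cache, "example.org", cert_a, year, t0, full_verify),         # first contact: full
        verify_with_cache(cache, "example.org", cert_a, year, t0 + 60, full_verify),    # same cert, within TTL: cache
        verify_with_cache(cache, "example.org", cert_b, year, t0 + 60, full_verify),    # certificate changed: full
        verify_with_cache(cache, "other.org", cert_a, year, t0 + 60, full_verify),      # other hostname: full
        verify_with_cache(cache, "example.org", cert_a, year, t0 + 3600, full_verify),  # TTL lapsed: full
        verify_with_cache(cache, "example.org", bad, year, t0 + 3600, full_verify),     # fails, so never cached
        verify_with_cache(cache, "example.org", bad, year, t0 + 3601, full_verify),     # fails again: full
        # notAfter caps the entry: verified 10 s before the certificate expires,
        # the entry dies with it even though the TTL would allow an hour
        verify_with_cache(cache, "short.org", cert_a, t0 + 10, t0, full_verify),        # full
        verify_with_cache(cache, "short.org", cert_a, t0 + 10, t0 + 10, full_verify),   # notAfter reached: full
    ]
```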