From fc4fcc349cf1c46dadd343b9f9fae8c232e6257e Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Wed, 16 Dec 2015 12:04:41 +0000
Subject: [PATCH 1/1] Testsuite: GnuTLS version changes

---
 test/confs/2002 | 3 ++-
 test/confs/2019 | 3 ++-
 test/runtest | 3 +++
 test/src/client.c | 58 ++++++++++++++++++++++++++++++++---------------
 4 files changed, 47 insertions(+), 20 deletions(-)

diff --git a/test/confs/2002 b/test/confs/2002
index b154c82d3..7299122e8 100644
--- a/test/confs/2002
+++ b/test/confs/2002
@@ -40,7 +40,8 @@ check_recipient:
 DES-CBC3-SHA : \
 DHE_RSA_AES_256_CBC_SHA1 : \
 DHE_RSA_3DES_EDE_CBC_SHA : \
- RSA_AES_256_CBC_SHA1
+ RSA_AES_256_CBC_SHA1 : \
+ ECDHE_RSA_AES_256_GCM_SHA384
 warn logwrite = ${if def:tls_in_ourcert \
 {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
 {We did not present a cert}}
diff --git a/test/confs/2019 b/test/confs/2019
index f3ddd4591..798eb73d7 100644
--- a/test/confs/2019
+++ b/test/confs/2019
@@ -39,7 +39,8 @@ check_recipient:
 DES-CBC3-SHA:\
 DHE_RSA_AES_256_CBC_SHA1:\
 DHE_RSA_3DES_EDE_CBC_SHA:\
- RSA_AES_256_CBC_SHA1
+ RSA_AES_256_CBC_SHA1 :\
+ ECDHE_RSA_AES_256_GCM_SHA384
 accept
diff --git a/test/runtest b/test/runtest
index f4e6bc7a5..724ccd9ed 100755
--- a/test/runtest
+++ b/test/runtest
@@ -859,6 +859,9 @@ RESET_AFTER_EXTRA_LINE_READ:
 next if /^SSL info: SSLv3 read server key exchange A/;
 next if /SSL verify error: depth=0 error=certificate not trusted/;
 s/SSL3_READ_BYTES/ssl3_read_bytes/;
+
+ # gnutls version variances
+ next if /^Error in the pull function./;
 }
 # ======== stderr ========
diff --git a/test/src/client.c b/test/src/client.c
index ac9a965e0..2bd640205 100644
--- a/test/src/client.c
+++ b/test/src/client.c
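Review bot: The new filter in the runtest hunk, `next if /^Error in the pull function./;`, uses an unescaped `.` that matches any character rather than the literal full stop, so `next if /^Error in the pull function\./;` states what is meant. Dropping the line unconditionally also removes a GnuTLS transport-layer error from every test's output comparison, not only from the cases where the library version makes it expected; if that is deliberate, the comment above it could say which versions emit the message, so a later reader knows the line is not masking a regression.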
@@ -93,15 +93,16 @@ latter needs a whole pile of tables. */
 /* Local static variables for GNUTLS */
-static gnutls_dh_params dh_params = NULL;
+static gnutls_dh_params_t dh_params = NULL;
 static gnutls_certificate_credentials_t x509_cred = NULL;
-static gnutls_session tls_session = NULL;
+static gnutls_session_t tls_session = NULL;
 static int ssl_session_timeout = 200;
 /* Priorities for TLS algorithms to use. */
+#if GNUTLS_VERSION_NUMBER < 0x030400
 static const int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
 static const int kx_priority[16] = {
@@ -123,7 +124,7 @@ static const int mac_priority[16] = {
 0 };
 static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
-static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 };
+#endif
 #endif /*HAVE_GNUTLS*/
@@ -356,7 +357,7 @@ init_dh(void)
 {
 int fd;
 int ret;
-gnutls_datum m;
+gnutls_datum_t m;
 uschar filename[200];
 struct stat statbuf;
@@ -449,13 +450,14 @@ if (ocsp_stapling)
 * Initialize a single GNUTLS session *
 *************************************************/
-static gnutls_session
+static gnutls_session_t
 tls_session_init(void)
 {
-gnutls_session session;
+gnutls_session_t session;
 gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_NO_EXTENSIONS);
+#if GNUTLS_VERSION_NUMBER < 0x030400
 gnutls_cipher_set_priority(session, default_cipher_priority);
 gnutls_compression_set_priority(session, comp_priority);
 gnutls_kx_set_priority(session, kx_priority);
@@ -463,6 +465,10 @@ gnutls_protocol_set_priority(session, protocol_priority);
 gnutls_mac_set_priority(session, mac_priority);
 gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+#else
+gnutls_set_default_priority(session);
+gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+#endif
 gnutls_dh_set_prime_bits(session, DH_BITS);
 gnutls_db_set_cache_expiration(session, ssl_session_timeout);
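Review bot: In the `#else` branch of the -463 hunk the return values of gnutls_set_default_priority() and gnutls_credentials_set() are discarded, so a failure to install the default priority or the credentials would only show up later as an unexplained handshake failure; in a test client that already prints gnutls_strerror() for handshake errors, `if (gnutls_set_default_priority(session) < 0) printf("Failed to set default priority\n");` keeps the diagnostic next to its cause. The two branches also do not offer the same protocols and ciphers — the legacy branch asks for the explicit TLS1/SSL3 and kx/cipher tables while the new branch takes whatever the linked library's default priority string contains — and that deserves a comment above the `#if GNUTLS_VERSION_NUMBER < 0x030400` in the -449 hunk, along the lines of `/* GnuTLS >= 3.4 appears to have dropped the per-category *_set_priority() calls; rely on the library default priority, which then decides the protocol versions and ciphers the tests negotiate. */`. The same threshold is repeated in the -93 hunk; a single named macro would keep the two in step. tls_session_init() continues past the end of the -463 hunk.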
@@ -794,7 +800,7 @@ tls_session = tls_session_init();
 if (ocsp_stapling)
 gnutls_ocsp_status_request_enable_client(tls_session, NULL, 0, NULL);
 #endif
-gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)sock);
+gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr_t)(intptr_t)sock);
 /* When the server asks for a certificate and the client does not have one,
 there is a SIGPIPE error in the gnutls_handshake() function for some reason
@@ -815,24 +821,32 @@ if (tls_on_connect)
 {
 printf("Attempting to start TLS\n");
- #ifdef HAVE_OPENSSL
+#ifdef HAVE_OPENSSL
 tls_active = tls_start(sock, &ssl, ctx);
- #endif
+#endif
- #ifdef HAVE_GNUTLS
+#ifdef HAVE_GNUTLS
+ {
+ int rc;
 sigalrm_seen = FALSE;
 alarm(timeout);
- tls_active = gnutls_handshake(tls_session) >= 0;
+ do {
+ rc = gnutls_handshake(tls_session);
+ } while (rc < 0 && gnutls_error_is_fatal(rc) == 0);
+ tls_active = rc >= 0;
 alarm(0);
- #endif
+
+ if (!tls_active) printf("%s\n", gnutls_strerror(rc));
+ }
+#endif
 if (!tls_active) printf("Failed to start TLS\n");
- #if defined(HAVE_GNUTLS) && defined(HAVE_OCSP)
+#if defined(HAVE_GNUTLS) && defined(HAVE_OCSP)
 else if ( ocsp_stapling
 && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
 printf("Failed to verify certificate status\n");
- #endif
+#endif
 else printf("Succeeded in starting TLS\n");
 }
@@ -919,10 +933,18 @@ int rc;
 #endif
 #ifdef HAVE_GNUTLS
- sigalrm_seen = FALSE;
- alarm(timeout);
- tls_active = gnutls_handshake(tls_session) >= 0;
- alarm(0);
+ {
+ int rc;
+ sigalrm_seen = FALSE;
+ alarm(timeout);
+ do {
+ rc = gnutls_handshake(tls_session);
+ } while (rc < 0 && gnutls_error_is_fatal(rc) == 0);
+ tls_active = rc >= 0;
+ alarm(0);
+
+ if (!tls_active) printf("%s\n", gnutls_strerror(rc));
+ }
 #endif
 if (!tls_active)
--
2.30.2
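Review bot: The retry loop wrapped around gnutls_handshake() in the -815 hunk (and repeated in the -919 hunk) never consults sigalrm_seen, so the timeout armed by alarm(timeout) no longer bounds the handshake: when SIGALRM interrupts the blocked call and the handler returns, GnuTLS reports GNUTLS_E_INTERRUPTED, which gnutls_error_is_fatal() classes as non-fatal, and the loop re-enters gnutls_handshake() with no alarm pending. A non-blocking socket would likewise make the loop spin on GNUTLS_E_AGAIN until the alarm, and then continue. Adding the flag to the loop condition in both places restores the old timeout behaviour: `} while (rc < 0 && gnutls_error_is_fatal(rc) == 0 && !sigalrm_seen);`. The inner `int rc;` also re-declares a name that the -919 hunk's header suggests already exists in the enclosing scope, so a distinct name (e.g. `hrc`) would avoid the shadow; the enclosing function starts and ends outside both hunks.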