Commit message
Release 3.6.14 [ci skip]
See merge request gnutls/gnutls!1272
Signed-off-by: Daiki Ueno <ueno@gnu.org>
stek: differentiate initial state from valid time window of TOTP
See merge request gnutls/gnutls!1275
This adds a valgrind client request for
session->key.session_ticket_key to make sure that it is not used
without initialization.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
There was a confusion in the TOTP implementation in stek.c. When the
mechanism is initialized for the first time, it records the timestamp
but doesn't initialize the key. This removes the timestamp recording
at the initialization phase, so the key is properly set later.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
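
The initialisation-order bug described above, as a stand-alone C model added here for illustration; it is not GnuTLS's stek.c. The 3600 s window length, the state layout and the key derivation (a placeholder, not a real HMAC) are assumptions of the example. The rotation check consults only the recorded timestamp, so an initialiser that records the timestamp without deriving a key leaves the first requests inside that window with no key at all.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define STEK_KEY_SIZE 16
#define STEK_PERIOD   3600  /* assumed TOTP window length, in seconds */

struct stek_state {
    uint8_t master[STEK_KEY_SIZE];  /* long-lived secret the window keys derive from */
    uint8_t key[STEK_KEY_SIZE];     /* key for the current window */
    bool    key_set;                /* false until a key has been derived */
    bool    window_recorded;        /* true once window_start holds a value */
    time_t  window_start;           /* start of the window the key was derived for */
};

/* Placeholder derivation standing in for HMAC(master, window_counter).
 * Deliberately not a real KDF; only the control flow matters here. */
static void derive_window_key(const uint8_t *master, uint64_t window, uint8_t *out)
{
    for (int i = 0; i < STEK_KEY_SIZE; i++)
        out[i] = master[i] ^ (uint8_t)(window >> (8 * (i % 8))) ^ (uint8_t)(0x5a + i);
}

/* Derive a fresh key when the TOTP window has moved on. The check only looks
 * at the recorded timestamp, so whoever records it must also set the key. */
static void rotate_if_needed(struct stek_state *st, time_t now)
{
    if (st->window_recorded && now - st->window_start < STEK_PERIOD)
        return;                              /* still inside the current window */
    uint64_t window = (uint64_t)now / STEK_PERIOD;
    derive_window_key(st->master, window, st->key);
    st->key_set = true;
    st->window_start = (time_t)(window * STEK_PERIOD);
    st->window_recorded = true;
}

/* Initialisation as described before the fix: the timestamp is recorded but
 * no key is derived, so the first rotate_if_needed() call returns early. */
static void stek_init_before_fix(struct stek_state *st, const uint8_t *master, time_t now)
{
    memset(st, 0, sizeof *st);
    memcpy(st->master, master, STEK_KEY_SIZE);
    st->window_start = now;
    st->window_recorded = true;
}

/* Initialisation after the fix: no timestamp, so the first use derives a key. */
static void stek_init_after_fix(struct stek_state *st, const uint8_t *master)
{
    memset(st, 0, sizeof *st);
    memcpy(st->master, master, STEK_KEY_SIZE);
}

/* True if a derived ticket key is available at time 'now'. */
bool stek_key_ready(struct stek_state *st, time_t now)
{
    rotate_if_needed(st, now);
    return st->key_set;
}

static const uint8_t demo_master[STEK_KEY_SIZE] = {   /* constructed value */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };

/* Before the fix: a request 10 s after initialisation finds no key. */
bool demo_before_fix_has_key(void)
{
    struct stek_state st;
    stek_init_before_fix(&st, demo_master, 1000000);
    return stek_key_ready(&st, 1000010);
}

/* After the fix: the first request derives the key. */
bool demo_after_fix_has_key(void)
{
    struct stek_state st;
    stek_init_after_fix(&st, demo_master);
    return stek_key_ready(&st, 1000010);
}

/* After the fix the key still changes once a full window has elapsed. */
bool demo_key_rotates_after_period(void)
{
    struct stek_state st;
    uint8_t first[STEK_KEY_SIZE];
    stek_init_after_fix(&st, demo_master);
    stek_key_ready(&st, 1000000);
    memcpy(first, st.key, STEK_KEY_SIZE);
    stek_key_ready(&st, 1000000 + STEK_PERIOD);
    return memcmp(first, st.key, STEK_KEY_SIZE) != 0;
}

int main(void)
{
    printf("before fix, key ready: %d\n", demo_before_fix_has_key());
    printf("after fix, key ready:  %d\n", demo_after_fix_has_key());
    printf("key rotates:           %d\n", demo_key_rotates_after_period());
    return 0;
}
```

The valgrind client request mentioned in the neighbouring commit is the runtime counterpart of this: marking the key buffer undefined until it is derived makes the pre-fix path show up as a use of uninitialised memory.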
_gnutls_pkcs11_verify_crt_status: check validity against system cert
See merge request gnutls/gnutls!1271
Signed-off-by: Daiki Ueno <ueno@gnu.org>
gnutls_x509_trust_list_verify_crt2 uses the macro SIGNER_OLD_OR_UNKNOWN
to trigger the fallback verification path if the signer of the last
certificate is not in the trust store. Previously, it didn't take
into account the condition where the certificate is expired.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
To verify a certificate chain, this function replaces known
certificates with the ones in the system trust store if possible.
However, if one is found, the function checks the validity of the
original certificate rather than the certificate found in the trust
store. That reveals a problem in a scenario where (1) a certificate is
signed by multiple issuers and (2) one of the issuers' certificates has
expired and is included in the input chain.
This patch makes it a little more robust by actually retrieving the
certificate from the trust store and performing the check against it.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
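
A stand-alone C model of the chain-replacement logic described above, added here as an example; it is not _gnutls_pkcs11_verify_crt_status or gnutls_x509_trust_list_verify_crt2. Certificates are reduced to names, a key identifier and a validity period, issuer-name matching stands in for signature verification, and the use_store_copy flag switches between checking the chain's own copy (the pre-fix behaviour) and the trust store's copy. The data reproduces the cross-signed intermediate scenario from the commit message and is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Minimal certificate model: names plus a key identifier that stands in for
 * the subject public key. No real signatures are checked here. */
typedef struct {
    const char *subject;
    const char *issuer;
    const char *key_id;
    time_t      not_before;
    time_t      not_after;
} cert_t;

enum verify_result { VERIFY_OK = 0, VERIFY_EXPIRED = 1, VERIFY_UNTRUSTED = 2 };

static bool cert_valid_at(const cert_t *c, time_t now)
{
    return now >= c->not_before && now <= c->not_after;
}

/* Find a trust-store entry carrying the same subject and key as 'c'. */
static const cert_t *store_lookup(const cert_t *store, size_t n, const cert_t *c)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(store[i].subject, c->subject) == 0 &&
            strcmp(store[i].key_id, c->key_id) == 0)
            return &store[i];
    return NULL;
}

/* Walk the chain from chain[0] (end entity) towards the root; chain[i+1]
 * issued chain[i]. The first chain certificate that is also present in the
 * trust store is the trust anchor. 'use_store_copy' selects which copy has its
 * validity period checked: false reproduces the pre-fix behaviour (the chain's
 * own copy), true the fixed one (the trust store's copy). */
enum verify_result verify_chain(const cert_t *chain, size_t n,
                                const cert_t *store, size_t m,
                                time_t now, bool use_store_copy)
{
    for (size_t i = 0; i < n; i++) {
        const cert_t *c = &chain[i];
        if (i > 0 && strcmp(chain[i - 1].issuer, c->subject) != 0)
            return VERIFY_UNTRUSTED;          /* issuer name does not chain */
        const cert_t *trusted = store_lookup(store, m, c);
        if (trusted != NULL) {
            const cert_t *to_check = use_store_copy ? trusted : c;
            return cert_valid_at(to_check, now) ? VERIFY_OK : VERIFY_EXPIRED;
        }
        if (!cert_valid_at(c, now))
            return VERIFY_EXPIRED;
    }
    return VERIFY_UNTRUSTED;                  /* never reached a trust anchor */
}

/* Constructed scenario from the commit message: the intermediate was issued by
 * two roots. The chain carries the copy whose validity ended at t=1000, the
 * trust store holds the re-issued copy (same subject and key, valid to 9000).
 * Verification time is 2000. */
enum verify_result demo_cross_signed_intermediate(bool use_store_copy)
{
    static const cert_t chain[] = {
        { "CN=leaf",         "CN=intermediate", "key-leaf",  0, 5000 },
        { "CN=intermediate", "CN=old-root",     "key-inter", 0, 1000 },
    };
    static const cert_t store[] = {
        { "CN=intermediate", "CN=new-root",     "key-inter", 0, 9000 },
    };
    return verify_chain(chain, 2, store, 1, 2000, use_store_copy);
}

/* Same shape of chain, intermediate still valid, but the store does not know
 * it: no anchor is reached whichever copy would be checked. */
enum verify_result demo_unknown_intermediate(bool use_store_copy)
{
    static const cert_t chain[] = {
        { "CN=leaf",         "CN=intermediate", "key-leaf",  0, 5000 },
        { "CN=intermediate", "CN=old-root",     "key-inter", 0, 5000 },
    };
    static const cert_t store[] = {
        { "CN=other-root",   "CN=other-root",   "key-other", 0, 9000 },
    };
    return verify_chain(chain, 2, store, 1, 2000, use_store_copy);
}

int main(void)
{
    printf("cross-signed, pre-fix check: %d\n", demo_cross_signed_intermediate(false));
    printf("cross-signed, fixed check:   %d\n", demo_cross_signed_intermediate(true));
    printf("unknown intermediate:        %d\n", demo_unknown_intermediate(true));
    return 0;
}
```

With the pre-fix rule the expired chain copy causes VERIFY_EXPIRED even though an unexpired, trusted copy of the same key exists; the fixed rule checks the copy that actually anchors trust.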
use bcrypt for the windows random generator instead of wincrypt
See merge request gnutls/gnutls!1255
CryptoAPI is a deprecated API [1] that is forbidden in UWP builds.
Rewrite the CryptoAPI calls using bcrypt.
bcrypt is used instead of CryptoAPI when targeting Windows Vista and above.
[1] https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptdecrypt
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
configure.ac: add -fno-builtin-strcmp if valgrind is enabled
Closes #944
See merge request gnutls/gnutls!1264
Recent GCC provides strcmp which makes Valgrind assume that it accesses
uninitialized data. Disable this optimization if Valgrind tests are
enabled.
Fixes #944
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
lib: add support for AES-192-GCM
See merge request gnutls/gnutls!1267
Add support for AES-192 in GCM mode.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
.travis.yml: use several different OSX versions
See merge request gnutls/gnutls!1269
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
configure: check that -no_weak_links works with FD_SET
Closes #966
See merge request gnutls/gnutls!1266
Several Xcode/SDK versions provide FD_SET implementation that does not
work with -no_weak_links. Check that this option does not break FD_SET
usage.
Fixes #966
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
lib: improve external file loading
See merge request gnutls/gnutls!1261
This makes it clear that "fd" is not a file descriptor but a FILE
pointer. Suggested by Tim Rühsen.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This makes use of the RF_SENSITIVE flag newly added to read_file
function when reading potentially sensitive information from a file.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This makes use of the "e" flag of fopen, provided by the Gnulib's
fopen-gnu module.
Reported by Remi Denis-Courmont in:
https://gitlab.com/gnutls/gnutls/-/issues/985
and fix suggested by Tim Rühsen.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
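
The two points from the commits above, wiping buffers that held sensitive file contents and opening with the "e" (O_CLOEXEC) fopen flag, as one added C example. It is this page's illustration, not Gnulib's read_file or GnuTLS's callers: the RF_SENSITIVE name is borrowed from the commit only for the flag's meaning, the "re" mode is a glibc/BSD extension that this example assumes, and the file contents and temporary path are constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Zero a buffer through a volatile pointer so the compiler cannot drop it. */
static void wipe(void *p, size_t n) { volatile unsigned char *v = p; while (n--) *v++ = 0; }

/* True if the descriptor behind 'fp' carries FD_CLOEXEC. */
int fd_is_cloexec(FILE *fp)
{
    int flags = fcntl(fileno(fp), F_GETFD);
    return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}

/* Read a whole file into a malloc'd buffer. The "e" in the mode string asks
 * fopen for O_CLOEXEC (glibc/BSD extension), so the descriptor is not
 * inherited across exec. With sensitive != 0 every buffer that held file
 * contents is wiped before release (on growth and on the error path); this
 * follows the RF_SENSITIVE idea named in the commit, but the code is this
 * example's own. Returns NULL with errno set on failure. */
char *read_file_sensitive(const char *path, int sensitive, size_t *len_out)
{
    FILE *fp = fopen(path, "re");
    if (fp == NULL) return NULL;
    size_t cap = 256, len = 0;
    char *buf = malloc(cap);
    if (buf == NULL) { fclose(fp); return NULL; }
    for (;;) {
        if (len == cap) {                        /* grow without leaving a stale copy */
            char *nbuf = malloc(cap * 2);
            if (nbuf == NULL) goto fail;
            memcpy(nbuf, buf, len);
            if (sensitive) wipe(buf, cap);
            free(buf); buf = nbuf; cap *= 2;
        }
        size_t n = fread(buf + len, 1, cap - len, fp);
        len += n;
        if (n == 0) { if (ferror(fp)) goto fail; break; }   /* EOF or read error */
    }
    fclose(fp);
    *len_out = len;
    return buf;
fail: {
        int saved = errno;
        if (sensitive) wipe(buf, cap);
        free(buf);
        fclose(fp);
        errno = saved;
        return NULL;
    }
}

/* Demo: write a constructed "private key" to a temp file, read it back with the
 * sensitive flag and confirm that "re" really set FD_CLOEXEC. Returns 1 on
 * success, 0 if a check fails, -1 if the temp file could not be set up. */
int demo_sensitive_read(void)
{
    static const char secret[] =
        "-----BEGIN PRIVATE KEY-----\nconstructed, not a real key\n-----END PRIVATE KEY-----\n";
    char path[] = "/tmp/rf_sensitive_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, secret, sizeof secret - 1) != (ssize_t)(sizeof secret - 1)) {
        close(fd); unlink(path); return -1;
    }
    close(fd);
    FILE *probe = fopen(path, "re");
    int cloexec = probe != NULL && fd_is_cloexec(probe);
    if (probe != NULL) fclose(probe);
    size_t len = 0;
    char *data = read_file_sensitive(path, 1, &len);
    int ok = data != NULL && cloexec && len == sizeof secret - 1 &&
             memcmp(data, secret, len) == 0;
    if (data != NULL) { wipe(data, len); free(data); }  /* caller wipes once done */
    unlink(path);
    return ok;
}

/* For contrast: a plain "r" open leaves the descriptor inheritable (returns 0). */
int demo_plain_open_is_cloexec(void)
{
    FILE *fp = fopen("/dev/null", "r");
    if (fp == NULL) return -1;
    int r = fd_is_cloexec(fp);
    fclose(fp);
    return r;
}
```

A plain realloc() would defeat the wiping, since the allocator may move the block and leave the old contents behind; that is why growth copies into a fresh block and wipes the old one by hand.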
This brings in the new fopen-gnu module and the RF_SENSITIVE flag for
fread_file and read_file. This also adds the following changes to be
consistent with the latest changes in Gnulib:
- the callers of fread_file and read_file to be adjusted for the FLAGS
argument
- "attribute.h" needs to be used extensively
Signed-off-by: Daiki Ueno <ueno@gnu.org>
win32: allow using ncrypt in UWP builds
See merge request gnutls/gnutls!1256
No functional change. The code has simply been moved.
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
Allow statically linking ncrypt (win32)
See merge request gnutls/gnutls!1254
If _WIN32_WINNT is greater than or equal to 0x0600, Vista APIs are allowed during
the build. We can assume that the minimum platform the code will run on is
Vista [1].
In that case there's no need to call APIs (ncrypt) dynamically when it can be
done statically.
[1] https://docs.microsoft.com/en-us/cpp/porting/modifying-winver-and-win32-winnt
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
fips: make FIPS140-2 mode enablement logic simpler
See merge request gnutls/gnutls!1253
The macro was intended to avoid non-recoverable errors during library
initialization, but the code path has been removed in commit
3963518d067a64412bbe0aa9ce5fc33ae729c15f.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Previously, to enable the FIPS140-2 mode, both /etc/system-fips and
the fips=1 kernel command line need to be set. While this was
designed to be consistent, the convention is not well followed by the
other crypto libraries and the former tends to be ignored. This
aligns the behavior to the latter, i.e. if fips=1 is set, the library
enables the FIPS140-2 mode regardless of the existence of
/etc/system-fips.
Suggested by Alexander Sosedkin.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
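
An added C example of the enablement rule described above; it is not GnuTLS's own FIPS code. It takes the kernel command line as a string, matches fips=1 as a whole token rather than a substring, and exposes the previous rule and the new one side by side. Reading /proc/cmdline and testing for /etc/system-fips are left to the caller; the function names and the sample command lines used in its test are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* True if the whitespace-separated token "fips=1" appears in 'cmdline'.
 * Whole-token matching avoids false positives such as "nofips=1" or
 * "fips=10" that a naive strstr() would accept. */
bool cmdline_has_fips1(const char *cmdline)
{
    const char *p = cmdline;
    while (*p != '\0') {
        while (*p == ' ' || *p == '\t' || *p == '\n')
            p++;
        const char *start = p;
        while (*p != '\0' && *p != ' ' && *p != '\t' && *p != '\n')
            p++;
        if ((size_t)(p - start) == 6 && memcmp(start, "fips=1", 6) == 0)
            return true;
    }
    return false;
}

/* The enablement decision. previous_rule = true reproduces the behaviour the
 * commit replaces (kernel flag AND /etc/system-fips both required); false is
 * the new rule, where the kernel flag alone decides. */
bool fips_mode_enabled(const char *cmdline, bool system_fips_exists, bool previous_rule)
{
    bool kernel_flag = cmdline_has_fips1(cmdline);
    if (previous_rule)
        return kernel_flag && system_fips_exists;
    return kernel_flag;
}
```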
tests: build datefudge-check during make all
Closes #920
See merge request gnutls/gnutls!1265
Most of the tests depend on datefudge-check. Let's build it during the 'make
all' stage to allow running individual tests without having to build it
separately.
Fixes #920
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
win32: link with crypt32
See merge request gnutls/gnutls!1257
Since 5d03564cccd2c10c41252ea468d4a098bd08e9c1 we use CertOpenStore().
To link properly, it needs to be linked with crypt32.dll.
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopenstore
This library was missing from the pkg-config library. It exists in
thirdparty_libadd to link gnutls as a DLL.
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
Update session_ticket.c to add support for zero length session tickets returned from the server
See merge request gnutls/gnutls!1260
returned from the server
check that ticket_len > 0 prior to calling gnutls_realloc_fast
Signed-off-by: Rod Rivers <5981058-rrivers2@users.noreply.gitlab.com>
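
An added C parser for the TLS 1.2 NewSessionTicket body (RFC 5077 layout: a 32-bit lifetime hint followed by a ticket with a 16-bit length prefix), illustrating the zero-length case the commit guards against; it is not GnuTLS's session_ticket.c. The struct, the status codes and the three sample messages are the example's own and constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum ticket_status {
    TICKET_STORED = 0,     /* a non-empty ticket was copied into 'st' */
    TICKET_EMPTY = 1,      /* zero-length ticket: server declined to issue one */
    TICKET_MALFORMED = 2,  /* length field disagrees with the message size */
    TICKET_NOMEM = 3
};

struct session_ticket {
    uint32_t lifetime_hint;
    uint8_t *ticket;       /* NULL when no ticket is held */
    size_t   ticket_len;
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] << 8 | p[1]);
}

/* Parse the body of a TLS 1.2 NewSessionTicket handshake message (RFC 5077):
 *     uint32 ticket_lifetime_hint;
 *     opaque ticket<0..2^16-1>;
 * A zero-length ticket is legal: RFC 5077 uses it when the server announced
 * the extension but then decided not to issue a ticket. In that case nothing
 * is allocated (realloc with size 0 is implementation-defined) and any
 * previously held ticket is dropped. */
enum ticket_status parse_new_session_ticket(const uint8_t *body, size_t len,
                                            struct session_ticket *st)
{
    if (len < 6)
        return TICKET_MALFORMED;
    uint32_t hint = rd32(body);
    size_t tlen = rd16(body + 4);
    if (tlen != len - 6)
        return TICKET_MALFORMED;             /* truncated or trailing bytes */

    if (tlen == 0) {
        free(st->ticket);
        st->ticket = NULL;
        st->ticket_len = 0;
        st->lifetime_hint = hint;
        return TICKET_EMPTY;
    }
    uint8_t *p = realloc(st->ticket, tlen);  /* only reached when tlen > 0 */
    if (p == NULL)
        return TICKET_NOMEM;
    memcpy(p, body + 6, tlen);
    st->ticket = p;
    st->ticket_len = tlen;
    st->lifetime_hint = hint;
    return TICKET_STORED;
}

/* Constructed messages: lifetime hint 0x00000e10 = 3600 s in all three. */
static const uint8_t msg_with_ticket[] = { 0x00, 0x00, 0x0e, 0x10, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t msg_empty_ticket[] = { 0x00, 0x00, 0x0e, 0x10, 0x00, 0x00 };
static const uint8_t msg_truncated[]    = { 0x00, 0x00, 0x0e, 0x10, 0x00, 0x04, 0xde, 0xad };

/* Server first issues a ticket, then on a later handshake sends an empty one:
 * the old ticket must be released. Returns 1 if the state ends up clean. */
int demo_ticket_then_empty(void)
{
    struct session_ticket st = { 0, NULL, 0 };
    if (parse_new_session_ticket(msg_with_ticket, sizeof msg_with_ticket, &st) != TICKET_STORED)
        return 0;
    if (st.ticket_len != 4 || memcmp(st.ticket, "\xde\xad\xbe\xef", 4) != 0)
        return 0;
    if (parse_new_session_ticket(msg_empty_ticket, sizeof msg_empty_ticket, &st) != TICKET_EMPTY)
        return 0;
    int clean = st.ticket == NULL && st.ticket_len == 0 && st.lifetime_hint == 3600;
    free(st.ticket);
    return clean;
}

/* A length field that promises more bytes than the message carries. */
enum ticket_status demo_truncated(void)
{
    struct session_ticket st = { 0, NULL, 0 };
    enum ticket_status r = parse_new_session_ticket(msg_truncated, sizeof msg_truncated, &st);
    free(st.ticket);
    return r;
}
```

The length check before the (re)allocation is the point of the commit: realloc() with a size of zero may return NULL or a pointer that must still be freed, so treating "no ticket" as a distinct outcome, rather than as an allocation of zero bytes, keeps the state unambiguous.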
Vendor-in libtasn1 sources in a form of minitasn1
See merge request gnutls/gnutls!1247
Instead of keeping the minitasn1 source in Git, vendor it in during
bootstrap as we do with Nettle code. This also upgrades included
minitasn1 to latest version (4.16.0).
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
GnuTLS maintains a part of libtasn1 sources in form of minitasn1 import.
Add libtasn1 submodule to ease synchronization with libtasn1.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
x509: support commonName extension
Closes #989
See merge request gnutls/gnutls!1250
Add support for Common Name certificate extension.
Fixes #989
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
x509: aki: always print authorityCert info
Closes #991
See merge request gnutls/gnutls!1249
Always print authorityCertIssuer/SerialNumber. Currently it is output
only if keyIdentifier is not present.
Fixes #991
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
Decode certificate policies OIDs
See merge request gnutls/gnutls!1245
Add Russian Security Class certificate policies (per
draft-deremin-rfc4491-bis).
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
Add ability to print names for several pre-defined Certificate policies.
Currently the list is populated with anyPolicy from X.509 and CA/B
policies.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
PKCS7 attribute printing update
See merge request gnutls/gnutls!1246
Use new function to remove code duplication.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>