summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Release 3.7.03.7.0Daiki Ueno2020-12-022-3/+3
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* NEWS: update for 3.7.0 releaseDaiki Ueno2020-12-021-6/+50
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'ihsinme-master-patch-42280' into 'master'Daiki Ueno2020-12-011-1/+1
|\ | | | | | | | | fix invalid unsigned arithmetic. See merge request gnutls/gnutls!1364
| * fix invalid unsigned arithmetic.ihsinme2020-12-011-1/+1
| | | | | | | | Signed-off-by: ihsinme <ihsinme@gmail.com>
* | Merge branch 'wip/dueno/fuzzer-fixes' into 'master'Daiki Ueno2020-12-016-2/+24
|\ \ | | | | | | | | | | | | fuzz: fix handshake fuzzer issues spotted by oss-fuzz See merge request gnutls/gnutls!1363
| * | fuzz: limit the retry count in handshake fuzzerDaiki Ueno2020-11-295-0/+18
| | | | | | | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * | gnutls_handshake_write: don't enqueue empty Handshake messageDaiki Ueno2020-11-291-0/+4
| | | | | | | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * | fuzz: fix undefined behavior on left shiftDaiki Ueno2020-11-291-2/+2
| | | | | | | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | | Merge branch 'mcatanzaro/getissuer_func_docs' into 'master'Daiki Ueno2020-12-011-10/+8
|\ \ \ | |_|/ |/| | | | | | | | x509: Improve documentation of new set_getissuer_function See merge request gnutls/gnutls!1365
| * | x509: Improve documentation of new set_getissuer_functionMichael Catanzaro2020-11-301-10/+8
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since gnutls!1354, some of this information is now obsolete. The caller is no longer responsible for verifying the certificate or adding it to the trust list. GnuTLS will now handle that. Instead, the callback should always import the missing certificate and return success if the certificate was imported, or failure otherwise. Also, let's point to gnutls_x509_crt_get_authority_info_access(), since it is useful in combination with this function. Finally, since this callback is emitted once for each missing intermediate certificate, it's probably less confusing if we talk about only a single missing intermediate here. Yes, there could be multiple missing certificates, but a single invocation of this callback can only deal with one. Signed-off-by: Michael Catanzaro <mcatanzaro@gnome.org>
* | Merge branch 'wip/dueno/verify-tofu-cstore' into 'master'Daiki Ueno2020-11-261-3/+10
|\ \ | | | | | | | | | | | | | | | | | | verify-tofu: return errors from store functions if callback fails Closes #1092 See merge request gnutls/gnutls!1361
| * | verify-tofu: return errors from store functions if callback failsDaiki Ueno2020-11-241-3/+10
| |/ | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'update_openssl' into 'master'Daiki Ueno2020-11-2524-42/+220
|\ \ | |/ |/| | | | | Update openssl submodule to fix backtrace info See merge request gnutls/gnutls!1362
| * accelerated: Re-generate assembly sourcesAnderson Toshiyuki Sasaki2020-11-2423-42/+220
| | | | | | | | | | | | Re-generate assembly sources from the updated openssl submodule. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
| * devel: Update openssl submoduleAnderson Toshiyuki Sasaki2020-11-241-0/+0
|/ | | | | | | Update openssl submodule to current OpenSSL_1_1_1-stable branch (8e813c085a). Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* Merge branch 'wip/dueno/aia-api' into 'master'Daiki Ueno2020-11-2115-387/+759
|\ | | | | | | | | | | | | x509: check certificate trust status when adding CA through AIA Closes #1100 See merge request gnutls/gnutls!1354
| * x509: rework issuer callbackDaiki Ueno2020-11-199-326/+689
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The previous issuer callback API had a drawback: the callback is supposed to add CA to the trust list by itself. This was error-prone, because the callback must check the new CA is trusted by the already added CA. This instead moves the responsibility to the library. This also rewrites the chain amendment logic in a side-effect free manner. The application can assume that the trust information stored on gnutls_x509_trust_list_t shouldn't change after the verification. The missingissuer test has been extended to cover all the possible patterns exhaustively. Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * _gnutls_cert_log: assume that 'cert' is nonnullDaiki Ueno2020-11-192-2/+2
| | | | | | | | | | | | This makes static analyzers happy. Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * _gnutls_sort_clist: simplify the calling conventionDaiki Ueno2020-11-195-65/+74
| | | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'wip/dueno/disable-cipher-override' into 'master'Daiki Ueno2020-11-2012-734/+62
|\ \ | | | | | | | | | | | | | | | | | | crypto-backend: remove ability of overriding ciphers Closes #790 See merge request gnutls/gnutls!1355
| * | crypto-backend: remove ability of overriding ciphersDaiki Ueno2020-11-2012-734/+62
|/ / | | | | | | | | | | | | Those functions has been deprecated in 3.6.9 as they do not have active use cases. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'wip/dueno/quic' into 'master'Daiki Ueno2020-11-1921-5/+851
|\ \ | | | | | | | | | | | | | | | | | | Add QUIC related API functions Closes #850, #849, and #826 See merge request gnutls/gnutls!1353
| * | NEWS: add entry for QUIC related API functionsDaiki Ueno2020-11-191-0/+10
| | | | | | | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * | fuzz: fuzz gnutls_handshake_writeDaiki Ueno2020-11-196-1/+313
| | | | | | | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * | alert: add callback to intercept alert messagesDaiki Ueno2020-11-199-0/+62
| | | | | | | | | | | | | | | | | | | | | This adds gnutls_alert_set_read_function(), to allow QUIC implementations to be notified when an alert message is sent. Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * | handshake: add callback to get notified with traffic secret changeDaiki Ueno2020-11-198-0/+121
| | | | | | | | | | | | | | | | | | | | | | | | For the use with QUIC, the change of traffic secrets must be notified _after_ a new epoch is set up for reading or writing, and we can't simply reuse the keylog mechanism. Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * | handshake: add functions to read/write handshake messages directlyDaiki Ueno2020-11-1913-4/+345
|/ / | | | | | | | | | | | | | | This adds a couple of functions, gnutls_handshake_set_read_function() and gnutls_handshake_write(), to allow QUIC implementations to directly interact with the TLS state machine. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'wip/dueno/ocsp-oid' into 'master'Daiki Ueno2020-11-195-14/+32
|\ \ | | | | | | | | | | | | | | | | | | _gnutls_x509_read_value: don't count terminating null byte for OIDs Closes #805 See merge request gnutls/gnutls!1358
| * | _gnutls_x509_read_value: don't count terminating null byte for OIDsNikos Mavrogiannopoulos2020-11-125-14/+32
| |/ | | | | | | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> Co-authored-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'wip/dueno/max-pin-len' into 'master'Daiki Ueno2020-11-132-3/+10
|\ \ | | | | | | | | | | | | | | | | | | pkcs11: increase the maximum PIN length from 31 to 255 Closes #932 See merge request gnutls/gnutls!1357
| * | pkcs11: increase the maximum PIN length from 31 to 255Daiki Ueno2020-11-132-3/+10
| | | | | | | | | | | | | | | | | | | | | The maximum is chosen from the default configuration of SoftHSMv2: https://github.com/opendnssec/SoftHSMv2/blob/develop/CMakeLists.txt#L61 Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | | Merge branch 'client-hello-version' into 'master'Daiki Ueno2020-11-131-0/+1
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | Use proper record version in client hello after hello retry request Closes #1053 See merge request gnutls/gnutls!1346
| * | | Use proper record version in client hello after hello retry requestTomas Mraz2020-11-131-0/+1
|/ / / | | | | | | | | | | | | | | | Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org> Fixes: #1053
* | | Merge branch 'wip/dueno/doc-fixes' into 'master'Daiki Ueno2020-11-133-8/+8
|\ \ \ | |_|/ |/| | | | | | | | | | | | | | x509: clarify how to release memory allocated for DN Closes #1110 See merge request gnutls/gnutls!1359
| * | x509: clarify how to release memory allocated for DNDaiki Ueno2020-11-123-8/+8
|/ / | | | | | | | | | | | | | | The application can assume that DNs returned from _gnutls_x509_get_dn() are allocated with gnutls_malloc() and thus shall be freed with gnutls_free(). Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'wip/dueno/revert-allow-broken-sig' into 'master'Daiki Ueno2020-11-122-10/+3
|\ \ | |/ |/| | | | | tls-sig: defer allowed sigalg check to gnutls_pubkey_verify_data2 See merge request gnutls/gnutls!1352
| * tls-sig: defer allowed sigalg check to gnutls_pubkey_verify_data2Daiki Ueno2020-11-062-10/+3
| | | | | | | | | | | | | | | | This reverts 485f2551e68d1b4ee70be2960f0a241b4a2b9fb9. After the new configuration file has been introduced, the allowed algorithms are checked after this part. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'mcatanzaro/close-session' into 'master'Daiki Ueno2020-11-121-1/+2
|\ \ | | | | | | | | | | | | pkcs11: fix session leak in error path See merge request gnutls/gnutls!1343
| * | pkcs11: fix session leak in error pathMichael Catanzaro2020-11-111-1/+2
|/ / | | | | | | | | | | | | | | | | gnutls_pkcs11_obj_set_info() fails to call pkcs11_close_session() after a successful pkcs11_open_session() if called with an invalid itype parameter. That would be programmer error, of course, but better not forget to close the session regardless. Signed-off-by: Michael Catanzaro <mcatanzaro@gnome.org>
* | Merge branch 'cert_validation' into 'master'Daiki Ueno2020-11-1011-10/+212
|\ \ | | | | | | | | | | | | | | | | | | Adds a new API gnutls_session_set_verify_output_function() that allows TLS applications Closes #1012 See merge request gnutls/gnutls!1339
| * | Adds a new API gnutls_session_set_verify_output_function() that allows TLS ↵Sahana Prasad2020-11-1011-10/+212
| | | | | | | | | | | | | | | | | | | | | | | | | | | applications to have a way to pass the gnutls_verify_output_function() as a callback so that the full path of the certificate chain to the trusted root can be avaiable as output. Signed-off-by: Sahana Prasad <sahana@redhat.com>
* | | Merge branch 'tmp-nettle-3.6' into 'master'Daiki Ueno2020-11-1025-1165/+88
|\ \ \ | |/ / |/| | | | | | | | build: hard require nettle 3.6 See merge request gnutls/gnutls!1322
| * | .gitlab-ci.yml: temporarily allow failures on Debian.cross.aarch64tmp-nettle-3.6Daiki Ueno2020-11-091-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | qemu is currently causing segmentation fault: cipher: aes-128-gcm cipher: aes-192-gcm cipher: aes-256-gcm cipher: chacha20-poly1305 qemu: uncaught target signal 11 (Segmentation fault) - core dumped Segmentation fault (core dumped) default cipher tests failed FAIL test-ciphers-openssl.sh (exit status: 139) Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * | .gitlab-ci.yml: use nettle git master for FreeBSD.x86_64Daiki Ueno2020-11-091-5/+15
| | | | | | | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * | Revert ".lgtm.yml: no longer bring nettle from master"Daiki Ueno2020-11-051-3/+10
| | | | | | | | | | | | | | | | | | This reverts commit bbe93dc315009fe1f9a30426cbe20f4661b8435c. Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * | gostdsa: fix memleak in _gnutls_gostdsa_unmask_keyDaiki Ueno2020-11-041-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Spotted by valgrind: ==5721== 40 bytes in 1 blocks are definitely lost in loss record 1 of 3 ==5721== at 0x4839809: malloc (vg_replace_malloc.c:307) ==5721== by 0x4DC3E59: __gmp_default_allocate (in /usr/lib64/libgmp.so.10.4.0) ==5721== by 0x4DD26A3: __gmpz_realloc (in /usr/lib64/libgmp.so.10.4.0) ==5721== by 0x4DD8B9D: __gmpz_set_str (in /usr/lib64/libgmp.so.10.4.0) ==5721== by 0x499339D: _gnutls_gostdsa_unmask_key (gostdsa-mask.c:68) Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * | testcompat-openssl: use RC4-SHA instead of RC4-MD5 for testingDaiki Ueno2020-11-041-6/+6
| | | | | | | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * | .gitlab-ci.yml: use Fedora 33 with LEGACY policy for SSL 3.0 testingDaiki Ueno2020-11-041-1/+2
| | | | | | | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * | .gitlab-ci.yml: supply -fstack-protector required by latest MinGWDaiki Ueno2020-11-041-1/+19
| | | | | | | | | | | | | | | | | | https://sourceforge.net/p/mingw-w64/bugs/818/ Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * | tls-fuzzer: update submodulesDaiki Ueno2020-11-043-0/+0
| | | | | | | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
View Lorry Controller Status