Commit log (each entry lists the commit message, author, date, files changed, and lines removed/added)
...
tests: tls13/key_share: rewrite as single process  (Daiki Ueno, 2021-08-04; 1 file, -159/+57)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/cppcheck' into 'master'  (Daiki Ueno, 2021-08-04; 13 files, -47/+54)
    devel: suppress cppcheck 2.5 false-positives
    See merge request gnutls/gnutls!1456

.gitlab-ci.yml: cppcheck: disable style checks  (Daiki Ueno, 2021-08-04; 1 file, -1/+1)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

devel: suppress cppcheck 2.5 false-positives  (Daiki Ueno, 2021-08-04; 12 files, -46/+53)
    This fixes errors and warnings as well as some style issues spotted by cppcheck 2.5. Others are recorded in the suppressions file.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'fix-ocsp-signer-check' into 'master'  (Daiki Ueno, 2021-07-14; 7 files, -9/+124)
    gnutls_ocsp_resp_verify: Check key purpose if signer not on trust list
    Closes #1254
    See merge request gnutls/gnutls!1452

gnutls_ocsp_resp_verify: Check key purpose if signer not on trust list  (Fiona Klute, 2021-07-14; 7 files, -9/+124)
    According to [1] the id-kp-OCSPSigning key purpose is only needed for delegated signers, not signers explicitly set as trusted. The previous code would reject a signature directly from a CA on the trust list (without delegation) because the CA certificate didn't contain the id-kp-OCSPSigning key purpose.

    The tests included in this commit check:
    1. Is a signature directly from a CA on the trust list accepted?
    2. Is a signature from a delegated signer issued by a CA on the trust list accepted?
    3. Is a signature from a certificate without id-kp-OCSPSigning issued by a CA on the trust list rejected?

    Note that the CA in these tests is also the one that issued the certificate the OCSP response is for, but the code (current and previous) doesn't enforce this.

    [1] https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.2.2

    Signed-off-by: Fiona Klute <fiona.klute@gmx.de>

Merge branch 'wip/dueno/sh-tests' into 'master'  (Daiki Ueno, 2021-06-28; 2 files, -0/+2)
    tests: set SH_LOG_COMPILER so sh tests run under $(SHELL)
    See merge request gnutls/gnutls!1450

tests: set SH_LOG_COMPILER so sh tests run under $(SHELL)  (Daiki Ueno, 2021-06-28; 2 files, -0/+2)
    This avoids the need to set executable bits on shell script tests.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/kshare-x25519-x448' into 'master'  (Daiki Ueno, 2021-06-25; 2 files, -3/+24)
    key_share: treat X25519 and X448 as same PK type when advertising
    Closes #1249
    See merge request gnutls/gnutls!1449

key_share: treat X25519 and X448 as same PK type when advertising  (Daiki Ueno, 2021-06-25; 2 files, -3/+24)
    Previously, if both X25519 and X448 groups were enabled in the priority string, the client sent both algorithms in a key_share extension, while it was only capable of handling one algorithm from the same (Edwards curve) category. This adds an extra check so the client should send either X25519 or X448.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'mcatanzaro/set-trust-list-return' into 'master'  (Daiki Ueno, 2021-06-24; 1 file, -2/+0)
    Fix gnutls_certificate_set_trust_list() return value documentation
    See merge request gnutls/gnutls!1448

Fix gnutls_certificate_set_trust_list() return value documentation  (Michael Catanzaro, 2021-06-22; 1 file, -2/+0)
    This function is documented to return an error code, but in fact it has no return value and never fails. Fix this.

    Signed-off-by: Michael Catanzaro <mcatanzaro@redhat.com>

Merge branch 'guile-egain-eintr' into 'master'  (Daiki Ueno, 2021-06-19; 2 files, -3/+19)
    guile: Writes to record ports handle EAGAIN/EINTR transparently.
    See merge request gnutls/gnutls!1417

guile: Writes to record ports handle EAGAIN/EINTR transparently.  (Ludovic Courtès, 2021-06-16; 2 files, -3/+19)
    Reported at <https://issues.guix.gnu.org/47867> by Florian Pelz <pelzflorian@pelzflorian.de>.

    This is a follow-up to a229bb36c9592b151f6feb277238c41ab39f40a9.

    * guile/src/core.c (write_to_session_record_port) [USING_GUILE_BEFORE_2_2]: Keep looping upon GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED.
    (write_to_session_record_port) [!USING_GUILE_BEFORE_2_2]: Loop on GNUTLS_E_INTERRUPTED and return -1 on GNUTLS_E_AGAIN if C_SESSION is backed by a file descriptor.
    * NEWS: Update.

    Signed-off-by: Ludovic Courtès <ludo@gnu.org>

Merge branch 'wip/dueno/pkcs11-reuse-key-id' into 'master'  (Daiki Ueno, 2021-06-11; 1 file, -2/+3)
    doc: p11tool: mention how CKA_IDs of certs are calculated upon --write
    See merge request gnutls/gnutls!1446

p11tool: mention how CKA_IDs of certs are calculated upon --write  (Daiki Ueno, 2021-06-11; 1 file, -2/+3)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/config-sigalgs' into 'master'  (Daiki Ueno, 2021-06-11; 5 files, -5/+249)
    priority: reflect system wide config when constructing sigalgs
    See merge request gnutls/gnutls!1447

priority: reflect system wide config when constructing sigalgs  (Daiki Ueno, 2021-06-11; 5 files, -5/+249)
    Otherwise the client would advertise signature algorithms which it cannot use and cause the handshake to fail.

    Reported by Philip Schaten in: https://lists.gnupg.org/pipermail/gnutls-help/2021-June/004711.html

    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/release-3.7.2' into 'master'  (tag: 3.7.2; Daiki Ueno, 2021-05-29; 6 files, -17/+19)
    Release 3.7.2
    See merge request gnutls/gnutls!1445

Release 3.7.2  (Daiki Ueno, 2021-05-29; 3 files, -5/+5)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

release-steps: remove unnecessary steps  (Daiki Ueno, 2021-05-29; 1 file, -6/+4)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

AUTHORS: take into account Co-authored-by:  (Daiki Ueno, 2021-05-29; 1 file, -6/+8)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

.mailmap: update  (Daiki Ueno, 2021-05-29; 1 file, -0/+2)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/version-deps' into 'master'  (Daiki Ueno, 2021-05-29; 1 file, -2/+2)
    build: fix interface version dependencies in libgnutls.map
    See merge request gnutls/gnutls!1444

build: fix interface version dependencies in libgnutls.map  (Daiki Ueno, 2021-05-28; 1 file, -2/+2)
    Previously, the predecessor of GNUTLS_3_7_0 was mistakenly set to GNUTLS_3_4 instead of GNUTLS_3_6_14. This fix shouldn't have any impact on ABI, given the dynamic loader doesn't take into account the ordering of versions. See also the first paragraph on: https://www.akkadia.org/drepper/dsohowto.pdf#page=38

    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'order-dn' into 'master'  (Daiki Ueno, 2021-05-29; 27 files, -265/+272)
    certtool: order DN components by scale.
    Closes #1243
    See merge request gnutls/gnutls!1438

certtool: order DN components by scale.  (Daniel Kahn Gillmor, 2021-05-28; 27 files, -265/+272)
    DN components are expected to be ordered by scale, with the wire format representing larger-scale components (like country or organization) before smaller-scale components (like state or organizationalUnit).

    The bulk of the changes here of course are changes to the target certificates in the test suite.

    Note that a change was necessary in tests/cert-tests/crq.sh because it tests the "interactive" mode of certtool. If any user is scripting certtool in this way, this change will cause a backwards-incompatible break. However, I think this is OK -- the supported scripted/batch mode for certtool should use a template file, and I don't think it's important to maintain a strict API on the interactive mode.

    The main change here is to order the DN from least-specific-to-most, in particular:

        country, state, locality, org, orgunit, cn, uid

    But I've also made an additional arbitrary choice, which is that DC (domain component) comes *after* uid. This was already the case in certificate generation, but in *request* generation, it was the other way around. I've changed request generation to match this ordering from certificate generation.

    Closes: #1243

    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Merge branch 'wip/dueno/libkcapi-1.3.0' into 'master'  (Daiki Ueno, 2021-05-28; 1 file, -1/+1)
    build: require libkcapi 1.3.0 or later if --enable-afalg
    See merge request gnutls/gnutls!1443

build: require libkcapi 1.3.0 or later if --enable-afalg  (Daiki Ueno, 2021-05-28; 1 file, -1/+1)
    libkcapi 1.3.0 brings a couple of changes needed for GnuTLS:

    * fix: remove prctl PR_SET_DUMPABLE to allow library to be debugged
    * fix: ensure that sendmsg is always used as fallback when vmsplice cannot be used

    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/update-gnulib' into 'master'  (Daiki Ueno, 2021-05-28; 7 files, -26/+5)
    Update git submodules for gnulib, nettle, and tlsfuzzer
    See merge request gnutls/gnutls!1442

tlsfuzzer: update git submodules  (Daiki Ueno, 2021-05-28; 3 files, -0/+0)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

nettle: update git submodule to 3.7.2 release  (Daiki Ueno, 2021-05-28; 1 file, -0/+0)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

gnulib: update git submodule  (Daiki Ueno, 2021-05-28; 3 files, -26/+5)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/update-libtasn1' into 'master'  (Daiki Ueno, 2021-05-27; 2 files, -2/+3)
    devel: update libtasn1 submodule
    Closes #1078 and #1144
    See merge request gnutls/gnutls!1441

devel: update libtasn1 submodule  (Daiki Ueno, 2021-05-27; 2 files, -2/+3)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/earlydata-server' into 'master'  (Daiki Ueno, 2021-05-26; 5 files, -11/+403)
    pre_shared_key: limit 0-RTT to resumption connections
    Closes #1239
    See merge request gnutls/gnutls!1436

pre_shared_key: limit 0-RTT to resumption connections  (Daiki Ueno, 2021-05-17; 5 files, -11/+403)
    While RFC 8446 allows 0-RTT data in a non-resumption connection established with external PSK, it requires a mechanism to associate encryption parameters with PSK. Until we provide a new API for that, let's limit the 0-RTT use to resumption connections only.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'warn_fixes' into 'master'  (Daiki Ueno, 2021-05-21; 40 files, -339/+339)
    Fix some warnings
    See merge request gnutls/gnutls!1439

guile: Fix implicit conversion warning  (Leonardo Bras, 2021-05-21; 1 file, -1/+1)
    When building, the following warning may be printed:

      CC       guile_gnutls_v_2_la-utils.lo
    core.c: In function 'scm_gnutls_set_server_session_certificate_request_x':
    core.c:545:13: warning: implicit conversion from 'gnutls_certificate_request_t' to 'gnutls_certificate_status_t' [-Wenum-conversion]
      545 |   c_request = scm_to_gnutls_certificate_request (request, 2, FUNC_NAME);
          |             ^
    core.c:547:53: warning: implicit conversion from 'gnutls_certificate_status_t' to 'gnutls_certificate_request_t' [-Wenum-conversion]
      547 |   gnutls_certificate_server_set_request (c_session, c_request);
          |

    Fix this warning by changing the c_request type to gnutls_certificate_request_t.

    Signed-off-by: Leonardo Bras <leobras.c@gmail.com>

ASN1: Remove warnings related to old libtasn1 namings  (Leonardo Bras, 2021-05-21; 39 files, -338/+338)
    While compiling gnutls, some warnings related to deprecated names can be printed, such as:

    ./../x509/x509_int.h:392:13: warning: 'ASN1_TYPE' macro is deprecated, use 'asn1_node' instead.
      392 | int _gnutls_x509_write_key_int_le(ASN1_TYPE node, const char *value,
          |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    To avoid that, rename types as shown in devel/libtasn1/NEWS (release 3.1):

    ASN1_DATA_NODE -> asn1_data_node_st
    ASN1_ARRAY_TYPE -> asn1_static_node (was asn1_static_node_t)
    ASN1_TYPE -> asn1_node
    ASN1_TYPE_EMPTY -> NULL
    static_struct_asn -> asn1_static_node_st
    node_asn_struct -> asn1_node_st
    node_asn -> asn1_node_st

    Signed-off-by: Leonardo Bras <leobras.c@gmail.com>

Merge branch 'omit-empty-policy-qualifiers' into 'master'  (Daiki Ueno, 2021-05-18; 5 files, -2/+116)
    x509: Omit empty sequences of policyQualifiers.
    Closes #1238
    See merge request gnutls/gnutls!1435

tests/cert-tests: test a policy without any policyQualifiers.  (Daniel Kahn Gillmor, 2021-05-17; 4 files, -2/+106)
    Ensure that a policy without policyQualifiers gets created with an omitted sequence of qualifiers, rather than an empty sequence of qualifiers.

    We use NIST's test policy OID for this test.

    This tests the fix for #1238.

    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

x509: Omit empty sequences of policyQualifiers.  (Daniel Kahn Gillmor, 2021-05-17; 1 file, -0/+10)
    When a certificate has a policy attached but no policyQualifiers, `certtool` should omit the policyQualifiers sequence entirely, rather than emitting an empty sequence.

    Closes: #1238

    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Merge branch 'avoid-matching-templates' into 'master'  (Daiki Ueno, 2021-05-18; 1 file, -1/+1)
    git: Do not ignore certtool templates.
    Closes #1242
    See merge request gnutls/gnutls!1437

git: Do not ignore certtool templates.  (Daniel Kahn Gillmor, 2021-05-17; 1 file, -1/+1)
    This effectively reverts part of dc85966364994006f9337e4749d1487e4b8e16a1 in order to ensure that tests/cert-tests/templates/*.tmpl are not ignored by git.

    Closes: #1242

    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Merge branch 'wip/dueno/tls12-cert-type' into 'master'  (Daiki Ueno, 2021-05-17; 2 files, -6/+89)
    cert auth: filter out unsupported cert types from TLS 1.2 CR
    See merge request gnutls/gnutls!1434

cert auth: filter out unsupported cert types from TLS 1.2 CR  (Daiki Ueno, 2021-05-17; 2 files, -6/+89)
    When the server is advertising signature algorithms in TLS 1.2 CertificateRequest, it shouldn't send certificate_types not backed by any of those algorithms.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'minimal-key-usage' into 'master'  (Daiki Ueno, 2021-05-15; 31 files, -264/+291)
    x509: Write keyUsage extension with minimal BIT STRING
    Closes #1236
    See merge request gnutls/gnutls!1431

x509: Write keyUsage extension with minimal BIT STRING  (Daniel Kahn Gillmor, 2021-05-14; 31 files, -264/+291)
    Avoid embedding trailing cleared bits in the BIT STRING for the keyUsage extension.

    The overwhelming majority of this changeset is correcting the artifacts in the test suite, most of which had keyUsage with a non-minimal encoding. The only functional code change is in lib/x509/x509_ext.c.

    Closes: #1236

    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Merge branch 'wip/dueno/addrconfig' into 'master'  (Daiki Ueno, 2021-05-14; 1 file, -5/+1)
    serv: stop setting AI_ADDRCONFIG on getaddrinfo
    Closes #1007
    See merge request gnutls/gnutls!1433