Signed-off-by: Daiki Ueno <ueno@gnu.org>
devel: suppress cppcheck 2.5 false-positives
See merge request gnutls/gnutls!1456
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This fixes errors and warnings as well as some style issues spotted by
cppcheck 2.5. Others are recorded in the suppressions file.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
gnutls_ocsp_resp_verify: Check key purpose if signer not on trust list
Closes #1254
See merge request gnutls/gnutls!1452
According to [1] the id-kp-OCSPSigning key purpose is only needed for
delegated signers, not signers explicitly set as trusted. The previous
code would reject a signature directly from a CA on the trust list
(without delegation) because the CA certificate didn't contain the
id-kp-OCSPSigning key purpose.
The tests included in this commit check:
1. Is a signature directly from a CA on the trust list accepted?
2. Is a signature from a delegated signer issued by a CA on the trust
list accepted?
3. Is a signature from a certificate without id-kp-OCSPSigning issued
by a CA on the trust list rejected?
Note that the CA in these tests is also the one that issued the
certificate the OCSP response is for, but the code (current and
previous) doesn't enforce this.
[1] https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.2.2
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
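The authorization rule from RFC 6960 section 4.2.2.2 that this commit implements, as an added example that is not GnuTLS code. Certificates are constructed dicts, signature verification is assumed to have already passed, and issuer matching is by name only (a real check verifies the chain); the `legacy` flag reproduces the rejected-CA behaviour the commit fixes.

```python
# Added example, not GnuTLS code: a model of the OCSP response signer
# authorization rule from RFC 6960 section 4.2.2.2. Certificates are
# constructed dicts, signature verification is assumed to have passed, and
# issuer matching is by name only (a real check verifies the chain).

ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"   # id-kp-OCSPSigning
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # used only for the negative case


def make_cert(subject, issuer, eku=()):
    """Constructed stand-in for an X.509 certificate (no real key or signature)."""
    return {"subject": subject, "issuer": issuer, "eku": tuple(eku)}


def issued_by_trusted(cert, trust_list):
    """Delegation check: was the signer issued by a CA on the trust list?"""
    return any(ca["subject"] == cert["issuer"] for ca in trust_list)


def ocsp_signer_acceptable(signer, trust_list, legacy=False):
    """Decide whether SIGNER may sign the OCSP response; returns (ok, reason).

    legacy=True reproduces the behaviour the commit fixes: id-kp-OCSPSigning
    was demanded even from a CA that is itself on the trust list.
    """
    has_purpose = ID_KP_OCSP_SIGNING in signer["eku"]
    if signer in trust_list:
        if legacy and not has_purpose:
            return False, "trusted signer lacks id-kp-OCSPSigning (old behaviour)"
        return True, "signer is on the trust list"
    if issued_by_trusted(signer, trust_list):
        if has_purpose:
            return True, "delegated signer carries id-kp-OCSPSigning"
        return False, "delegated signer lacks id-kp-OCSPSigning"
    return False, "signer neither trusted nor issued by a trusted CA"


# Constructed fixtures mirroring the three cases in the commit message.
CA = make_cert("CN=Test CA", "CN=Test CA")
DELEGATE = make_cert("CN=OCSP Responder", "CN=Test CA", eku=[ID_KP_OCSP_SIGNING])
NO_PURPOSE = make_cert("CN=Web Server", "CN=Test CA", eku=[ID_KP_SERVER_AUTH])
STRANGER = make_cert("CN=Rogue Responder", "CN=Other CA", eku=[ID_KP_OCSP_SIGNING])
TRUST_LIST = [CA]

if __name__ == "__main__":
    for name, cert in [("CA", CA), ("DELEGATE", DELEGATE),
                       ("NO_PURPOSE", NO_PURPOSE), ("STRANGER", STRANGER)]:
        print(f"{name:11s} new={ocsp_signer_acceptable(cert, TRUST_LIST)}"
              f" old={ocsp_signer_acceptable(cert, TRUST_LIST, legacy=True)}")
```

As the commit message notes, neither the old nor the new rule checks that the trusted CA is the issuer of the certificate the response is about; an entry on the OCSP trust list is trusted for any response, so keep that list narrow.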
tests: set SH_LOG_COMPILER so sh tests run under $(SHELL)
See merge request gnutls/gnutls!1450
This removes the need to set executable bits on shell script tests.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
key_share: treat X25519 and X448 as same PK type when advertising
Closes #1249
See merge request gnutls/gnutls!1449
Previously, if both X25519 and X448 groups were enabled in the
priority string, the client sent both algorithms in a key_share
extension, while it was only capable of handling one algorithm from
the same (Edwards curve) category. This adds an extra check so the
client should send either X25519 or X448.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
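The client-side selection the commit describes, as an added example that is not GnuTLS code: supported_groups still lists every enabled group, while key_share gets one entry per category, with X25519 and X448 now sharing a category. The "one share per category" rule and the category table are this example's reading of the commit, and the public keys are constructed random bytes rather than real ECDH keys.

```python
# Added example, not GnuTLS code: how a TLS 1.3 client chooses which groups
# get an entry in key_share when several are enabled, and what the two
# extensions look like on the wire. Public keys are constructed random bytes,
# not real ECDH keys; the "one share per category" rule is this example's
# reading of the commit, with X25519 and X448 now sharing one category.
import os
import struct

# NamedGroup code points from RFC 8446 section 4.2.7 and public key sizes.
GROUPS = {"SECP256R1": 0x0017, "SECP384R1": 0x0018, "X25519": 0x001D, "X448": 0x001E}
PUBKEY_LEN = {"SECP256R1": 65, "SECP384R1": 97, "X25519": 32, "X448": 56}

# Fixed behaviour: the Edwards/Montgomery curves are one category.
CATEGORY = {"SECP256R1": "ecdh", "SECP384R1": "ecdh", "X25519": "edwards", "X448": "edwards"}
# Old behaviour (constructed to show the bug): X25519 and X448 counted separately.
LEGACY_CATEGORY = {"SECP256R1": "ecdh", "SECP384R1": "ecdh", "X25519": "x25519", "X448": "x448"}


def select_key_share_groups(priority_groups, category=CATEGORY):
    """Keep the first group of each category, in priority order."""
    seen, chosen = set(), []
    for g in priority_groups:
        if category[g] in seen:
            continue
        seen.add(category[g])
        chosen.append(g)
    return chosen


def encode_supported_groups(priority_groups):
    """supported_groups lists every enabled group (RFC 8446 section 4.2.7)."""
    body = b"".join(struct.pack("!H", GROUPS[g]) for g in priority_groups)
    return struct.pack("!H", len(body)) + body


def encode_key_share(groups, keygen=os.urandom):
    """key_share carries one KeyShareEntry per selected group (section 4.2.8)."""
    entries = b""
    for g in groups:
        pub = keygen(PUBKEY_LEN[g])          # placeholder public key
        entries += struct.pack("!HH", GROUPS[g], len(pub)) + pub
    return struct.pack("!H", len(entries)) + entries


def parse_key_share_groups(ext):
    """Server-side view: which group ids did the client actually offer shares for?"""
    (total,) = struct.unpack("!H", ext[:2])
    off, groups = 2, []
    while off < 2 + total:
        gid, klen = struct.unpack("!HH", ext[off:off + 4])
        groups.append(gid)
        off += 4 + klen
    return groups


if __name__ == "__main__":
    prio = ["X25519", "X448", "SECP256R1"]
    print("advertised:", [hex(GROUPS[g]) for g in prio])
    print("shares (fixed):", select_key_share_groups(prio))
    print("shares (old):  ", select_key_share_groups(prio, LEGACY_CATEGORY))
```

A server that picks X448 from the old client's key_share would start a handshake the client could not complete; with the fixed selection the server can still choose X448 from supported_groups, at the cost of a HelloRetryRequest.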
Fix gnutls_certificate_set_trust_list() return value documentation
See merge request gnutls/gnutls!1448
This function is documented to return an error code, but in fact it has
no return value and never fails. Fix this.
Signed-off-by: Michael Catanzaro <mcatanzaro@redhat.com>
guile: Writes to record ports handle EAGAIN/EINTR transparently.
See merge request gnutls/gnutls!1417
Reported at <https://issues.guix.gnu.org/47867>
by Florian Pelz <pelzflorian@pelzflorian.de>.
This is a followup to a229bb36c9592b151f6feb277238c41ab39f40a9.
* guile/src/core.c (write_to_session_record_port) [USING_GUILE_BEFORE_2_2]:
Keep looping upon GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED.
(write_to_session_record_port) [!USING_GUILE_BEFORE_2_2]: Loop on
GNUTLS_E_INTERRUPTED and return -1 on GNUTLS_E_AGAIN if C_SESSION is
backed by a file descriptor.
* NEWS: Update.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
doc: p11tool: mention how CKA_IDs of certs are calculated upon --write
See merge request gnutls/gnutls!1446
Signed-off-by: Daiki Ueno <ueno@gnu.org>
priority: reflect system wide config when constructing sigalgs
See merge request gnutls/gnutls!1447
Otherwise the client would advertise signature algorithms which it
cannot use and cause the handshake to fail.
Reported by Philip Schaten in:
https://lists.gnupg.org/pipermail/gnutls-help/2021-June/004711.html
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Release 3.7.2
See merge request gnutls/gnutls!1445
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
build: fix interface version dependencies in libgnutls.map
See merge request gnutls/gnutls!1444
Previously, the predecessor of GNUTLS_3_7_0 was mistakenly set to
GNUTLS_3_4 instead of GNUTLS_3_6_14. This fix shouldn't have any
impact on ABI, given the dynamic loader doesn't take the ordering of
versions into account. See also the first paragraph on:
https://www.akkadia.org/drepper/dsohowto.pdf#page=38
Signed-off-by: Daiki Ueno <ueno@gnu.org>
certtool: order DN components by scale.
Closes #1243
See merge request gnutls/gnutls!1438
DN components are expected to be ordered by scale, with the wire format
representing larger-scale components (like country or organization) before
smaller-scale components (like state or organizationalUnit).
The bulk of the changes here of course are changes to the target
certificates in the test suite.
Note that a change was necessary in tests/cert-tests/crq.sh because it
tests the "interactive" mode of certtool. If any user is scripting
certtool in this way, this change will cause a backwards-incompatible
break. However, I think this is OK -- the supported scripted/batch
mode for certtool should use a template file, and I don't think it's
important to maintain a strict api on the interactive mode.
The main change here is to order the DN from least-specific-to-most,
in particular:
country, state, locality, org, orgunit, cn, uid
But I've also made an additional arbitrary choice, which is that DC
(domain component) comes *after* uid. This was already the case in
certificate generation, but in *request* generation, it was the other
way around. I've changed request generation to match this ordering
from certificate generation.
Closes: #1243
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
build: require libkcapi 1.3.0 or later if --enable-afalg
See merge request gnutls/gnutls!1443
libkcapi 1.3.0 brings a couple of changes needed for GnuTLS:
* fix: remove prctl PR_SET_DUMPABLE to allow library to be debugged
* fix: ensure that sendmsg is always used as fallback when vmsplice cannot be used
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Update git submodules for gnulib, nettle, and tlsfuzzer
See merge request gnutls/gnutls!1442
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
devel: update libtasn1 submodule
Closes #1078 and #1144
See merge request gnutls/gnutls!1441
Signed-off-by: Daiki Ueno <ueno@gnu.org>
pre_shared_key: limit 0-RTT to resumption connections
Closes #1239
See merge request gnutls/gnutls!1436
While RFC 8446 allows 0-RTT data in a non-resumption connection
established with external PSK, it requires a mechanism to associate
encryption parameters with PSK. Until we provide a new API for that,
let's limit the 0-RTT use to resumption connections only.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Fix some warnings
See merge request gnutls/gnutls!1439
When building, the following warning may be printed:
CC guile_gnutls_v_2_la-utils.lo
core.c: In function 'scm_gnutls_set_server_session_certificate_request_x':
core.c:545:13: warning: implicit conversion from 'gnutls_certificate_request_t' to 'gnutls_certificate_status_t' [-Wenum-conversion]
545 | c_request = scm_to_gnutls_certificate_request (request, 2, FUNC_NAME);
| ^
core.c:547:53: warning: implicit conversion from 'gnutls_certificate_status_t' to 'gnutls_certificate_request_t' [-Wenum-conversion]
547 | gnutls_certificate_server_set_request (c_session, c_request);
|
Fix this warning by changing c_request type to gnutls_certificate_request_t.
Signed-off-by: Leonardo Bras <leobras.c@gmail.com>
While compiling gnutls, some warnings related to deprecated names can be
printed, such as:
./../x509/x509_int.h:392:13: warning: 'ASN1_TYPE' macro is deprecated, use 'asn1_node' instead.
392 | int _gnutls_x509_write_key_int_le(ASN1_TYPE node, const char *value,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To avoid that, rename types as shown in devel/libtasn1/NEWS (release 3.1):
ASN1_DATA_NODE -> asn1_data_node_st
ASN1_ARRAY_TYPE -> asn1_static_node (was asn1_static_node_t)
ASN1_TYPE -> asn1_node
ASN1_TYPE_EMPTY -> NULL
static_struct_asn -> asn1_static_node_st
node_asn_struct -> asn1_node_st
node_asn -> asn1_node_st
Signed-off-by: Leonardo Bras <leobras.c@gmail.com>
x509: Omit empty sequences of policyQualifiers.
Closes #1238
See merge request gnutls/gnutls!1435
Ensure that a policy without policyQualifiers gets created with an
omitted sequence of qualifiers, rather than an empty sequence of
qualifiers.
We use NIST's test policy OID for this test.
This tests the fix for #1238.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
When a certificate has a policy attached but no policyQualifiers,
`certtool` should omit the policyQualifiers sequence entirely, rather
than emitting an empty sequence.
Closes: #1238
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
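The encoding rule behind this fix and the test commit above it, as an added example that is not certtool or GnuTLS code: PolicyInformation (RFC 5280 section 4.2.1.4) declares policyQualifiers as `SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL`, so an absent element must be omitted, and an empty SEQUENCE is not a valid encoding. The value 2.16.840.1.101.3.2.1.48.1 used for the NIST test policy OID is this example's assumption, as is the minimal DER helper and the constructed CPS qualifier.

```python
# Added example, not GnuTLS/certtool code: DER encoding of PolicyInformation
# (RFC 5280 section 4.2.1.4) showing why an absent OPTIONAL SEQUENCE must be
# omitted rather than emitted empty, plus a check that rejects the bad form.
#
#   PolicyInformation ::= SEQUENCE {
#       policyIdentifier  CertPolicyId,
#       policyQualifiers  SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }

# Assumed value for "NIST's test policy OID" (PKITS test policy 1).
NIST_TEST_POLICY_1 = "2.16.840.1.101.3.2.1.48.1"
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"


def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def policy_qualifier_cps(uri):
    """PolicyQualifierInfo carrying a CPS URI (constructed for the example)."""
    return der_tlv(0x30, der_oid(ID_QT_CPS) + der_tlv(0x16, uri.encode("ascii")))


def encode_policy_information(policy_oid, qualifiers=(), buggy=False):
    """Encode PolicyInformation. buggy=True reproduces the defect: an empty
    SEQUENCE is written when there are no qualifiers."""
    content = der_oid(policy_oid)
    if qualifiers or buggy:
        content += der_tlv(0x30, b"".join(qualifiers))
    return der_tlv(0x30, content)


def der_read_tlv(buf, off=0):
    """Return (tag, content, offset_after) for the TLV at OFF."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def policy_information_is_valid(der):
    """Reject an empty policyQualifiers SEQUENCE, which SIZE (1..MAX) forbids."""
    tag, body, _ = der_read_tlv(der)
    if tag != 0x30:
        return False
    tag, _oid, off = der_read_tlv(body)
    if tag != 0x06:
        return False
    if off == len(body):
        return True                      # OPTIONAL element absent: fine
    tag, quals, end = der_read_tlv(body, off)
    return tag == 0x30 and len(quals) > 0 and end == len(body)


if __name__ == "__main__":
    print("fixed:", encode_policy_information(NIST_TEST_POLICY_1).hex())
    print("buggy:", encode_policy_information(NIST_TEST_POLICY_1, buggy=True).hex())
```

The two encodings differ only in the trailing `30 00`; a strict decoder such as the one modelled by `policy_information_is_valid` rejects the second form outright, which is why certificates written by the old certtool could fail elsewhere.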
git: Do not ignore certtool templates.
Closes #1242
See merge request gnutls/gnutls!1437
This effectively reverts part of
dc85966364994006f9337e4749d1487e4b8e16a1 in order to ensure that
tests/cert-tests/templates/*.tmpl are not ignored by git.
Closes: #1242
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
cert auth: filter out unsupported cert types from TLS 1.2 CR
See merge request gnutls/gnutls!1434
When the server is advertising signature algorithms in TLS 1.2
CertificateRequest, it shouldn't send certificate_types not backed by
any of those algorithms.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
x509: Write keyUsage extension with minimal BIT STRING
Closes #1236
See merge request gnutls/gnutls!1431
Avoid embedding trailing cleared bits in the BIT STRING for the
keyUsage extension.
The overwhelming majority of this changeset is correcting the
artifacts in the test suite, most of which had keyUsage with a
non-minimal encoding. The only functional code change is in
lib/x509/x509_ext.c.
Closes: #1236
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
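The encoding rule this change enforces, as an added example that is not GnuTLS code: for a named-bit BIT STRING such as keyUsage, DER (X.690 11.2.2) requires trailing zero bits to be dropped, so no trailing 0x00 octets are written and the unused-bits octet counts the cleared low bits of the last octet. The `minimal=False` path is a constructed reproduction of the non-minimal form the old test artifacts contained; the bit names follow RFC 5280 section 4.2.1.3.

```python
# Added example, not GnuTLS code: DER encoding of the keyUsage extension
# value as a minimal BIT STRING (X.690 11.2.2), with minimal=False
# reproducing the non-minimal form that embeds trailing cleared bits.

# keyUsage named bits, RFC 5280 section 4.2.1.3 (bit 0 is the MSB of octet 0).
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def key_usage_bits(names):
    """Pack the named bits into bytes, MSB-first as ASN.1 numbers them."""
    bits = [KEY_USAGE_BITS[n] for n in names]
    if not bits:
        return b""
    val = bytearray(max(bits) // 8 + 1)
    for b in bits:
        val[b // 8] |= 0x80 >> (b % 8)
    return bytes(val)


def der_bit_string(value, minimal=True):
    """Encode a named-bit BIT STRING. With minimal=False every octet is kept
    and the unused-bits count is reported as 0 (the non-minimal form)."""
    if minimal:
        value = value.rstrip(b"\x00")
    if not value:
        return b"\x03\x01\x00"          # empty BIT STRING: only the unused count
    unused = 0
    if minimal:
        while not (value[-1] >> unused) & 1:
            unused += 1
    content = bytes([unused]) + value
    return b"\x03" + bytes([len(content)]) + content


def encode_key_usage(names, minimal=True):
    return der_bit_string(key_usage_bits(names), minimal)


def decode_key_usage(der):
    """Return (set of names, was_minimal) for an encoded keyUsage value."""
    if der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    content = der[2:2 + der[1]]
    value = content[1:]
    names = set()
    for name, b in KEY_USAGE_BITS.items():
        if b // 8 < len(value) and value[b // 8] & (0x80 >> (b % 8)):
            names.add(name)
    return names, der == encode_key_usage(names)


if __name__ == "__main__":
    for usage in (["digitalSignature", "keyEncipherment"], ["keyCertSign", "cRLSign"], ["decipherOnly"]):
        print(usage, "minimal:", encode_key_usage(usage).hex(),
              "non-minimal:", encode_key_usage(usage, minimal=False).hex())
```

Both forms decode to the same key usage set, which is why the non-minimal artifacts went unnoticed; the difference only matters to strict DER validators and to anything that compares or hashes the encoded extension.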
serv: stop setting AI_ADDRCONFIG on getaddrinfo
Closes #1007
See merge request gnutls/gnutls!1433