| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|
|
|
|
|
|
| |
_gnutls_set_datum(): Do not change output 'dat' on error
_gnutls_set_strdatum: Likewise, cleanup code
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|
|
|
| |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|
|
|
|
|
|
| |
It compicates the 'make dist' phase and does not add much
value as the files are available from the web site.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\
| |
| |
| |
| |
| |
| | |
Do not add libraries in the global LIBS in configure
Closes #735
See merge request gnutls/gnutls!1008
|
| |
| |
| |
| |
| |
| |
| |
| | |
We do not use this variable as it is global and applies to all of
tests, applications and library, and when it is set it is usually due to
bugs in configure.ac.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
|
|
|
|
|
| |
This ensures that libraries are linked with the programs
requiring them.
Resolves: #735
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\
| |
| |
| |
| | |
tests: prf-early fixes the global version
See merge request gnutls/gnutls!1009
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
|
|
|
|
| |
This allows having fixed data in the hello message involved.
That required exposing the variable holding the global gnutls
version number for testing.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
|
| |
In order to make the CI functional again. The version number update
seems to conflict with tests/tls13/prf-early.sh
This reverts commit d34d93b8713cf10235ce7016fd69b6932b0752c0.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
| |
This eliminates unexpected failures of the test in slower systems.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
These are mersenne primes so q = (p - 1) / 2
We check that p = (q * 2) + 1
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
In FIPS mode do an extra check that we did have Q, but it is always
passed into the tls13 derive function from the callers.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
This test ensures that public keys are properly tested for validity
before a ECDH exchange is computed.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
This test ensures that public keys are properly tested for validity
before a DH exchange is computed.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
This is for NIST SP800-56A requirements and FIPS CAVS testing.
GnuTLS never passes in a non-empty Q for normal operations, but tests will
and if Q is passed in it needs to be checked.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|\
| |
| |
| |
| |
| |
| | |
Fix handling of malformed KeyUpdate messages
Closes #699
See merge request gnutls/gnutls!1005
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The limit was too small when testing the capability of handling
multiple KeyUpdate messages with tlsfuzzer.
This requires a change in the rate limit logic, as previously it
doesn't count the KeyUpdate messages despite the name of
KEY_UPDATES_PER_SEC.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
The function checks if a Handshake message is interleaved with an
Application Data, but the check was insuffient because it assumed that
a complete header is received in the buffer.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \
| | |
| | |
| | |
| | | |
priority: add new option to allow small records (>= 64)
See merge request gnutls/gnutls!1006
|
| | |
| | |
| | |
| | | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There is a mismatch in the lower limit of record sizes in RFC
8449 (64) and our default (512). If the server advertises a smaller
limit than our default, the client has no way to keep communicating
with the server.
This patch adds a new priority string option %ALLOW_SMALL_RECORDS to
set the limit to 64.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | | |
pubkey: remove deprecated OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA
Closes #754
See merge request gnutls/gnutls!1004
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The gnutls_certificate_verify_flags comparisons against
OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA conflicts with
GNUTLS_VERIFY_DISABLE_CA_SIGN and no longer seems to be used in calls to
both gnutls_pubkey_verify_data2 and gnutls_pubkey_verify_hash2 as it
seems to have been fully replaced by GNUTLS_VERIFY_USE_TLS1_RSA.
Resolves: #754
Signed-off-by: Kenneth J. Miller <ken@miller.ec>
|
|\ \ \
| |_|/
|/| |
| | |
| | |
| | |
| | | |
server auth: disable TLS 1.3 if no signature algorithm is usable
Closes #731
See merge request gnutls/gnutls!987
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This implements the errata for RFC 7919 eliminating the requirement to
reply with an insufficient_security alert when we have negotiated an
FFDHE group, but cannot find common ciphersuite:
https://www.rfc-editor.org/errata/eid4908
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is a server side counterpart of
005a4d04145707daad9588acedfdb5f6cd97c80c.
Instead of signalling an error when no algorithm is usable in TLS 1.3,
it downgrades the session to TLS 1.2 with a warning.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \ \
| |_|/
|/| |
| | |
| | | |
Mark second argument of function gnutls_x509_crt_equals2 as const
See merge request gnutls/gnutls!1000
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This will allow using this function with certificates
returned by function gnutls_certificate_get_peers
without casts dropping const qualifier or
making temporary copies out of retrieved data.
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\ \ \
| |_|/
|/| |
| | |
| | |
| | |
| | | |
Few minor bug fixes for the next release
Closes #770 and #767
See merge request gnutls/gnutls!1003
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This change ensures that all certificates will contain the digital
signature key usage flag if that's specified in the template.
Resolves: #767
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It seems that the FUTURE security level parameter was added
without a corresponding verification profile. This patch address
the issue by introducing it.
Resolves: #770
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|