summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Fix warn_unused_result for clang < 4tmp-fix-travisTim Rühsen2019-06-021-1/+3
| | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Merge branch 'tmp-fedora30' into 'master'Tim Rühsen2019-06-021-1/+1
|\ | | | | | | | | .gitlab-ci.yml: switched fedora to latest version See merge request gnutls/gnutls!1015
| * .gitlab-ci.yml: switched fedora to latest versionNikos Mavrogiannopoulos2019-06-011-1/+1
|/ | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-releases' into 'master'Nikos Mavrogiannopoulos2019-05-314-7/+22
|\ | | | | | | | | RELEASES.md: document the releases policy See merge request gnutls/gnutls!1011
| * RELEASES.md: document the releases policy [ci skip]tmp-releasesNikos Mavrogiannopoulos2019-05-264-7/+22
| | | | | | | | | | | | | | | | | | This adds a file to document the policy on releases based on the discussions taken place in the last face to face meeting. https://gitlab.com/gnutls/gnutls/wikis/face2face-meeting-fosdem2019 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | Merge branch 'tmp-fix-libopts' into 'master'Dmitry Eremin-Solenikov2019-05-313-1/+23
|\ \ | | | | | | | | | | | | | | | | | | Do not regenerate autogen files if --enable-local-libopts is given Closes #772 See merge request gnutls/gnutls!1010
| * | Do not regenerate autogen files if --enable-local-libopts is giventmp-fix-liboptsNikos Mavrogiannopoulos2019-05-293-1/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This addresses issue on installed systems which have autogen but use --enable-local-libopts. In these systems if the installed autogen would not match the local libopts library version compilation would fail because the auto-generated files depend on the corresponding to autogen version libopts internals. Resolves: #772 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | Merge branch 'tmp-fix-touch' into 'master'Tim Rühsen2019-05-301-1/+1
|\ \ \ | | | | | | | | | | | | | | | | Makefile.am: do not create files when it shouldn't See merge request gnutls/gnutls!1014
| * | | Makefile.am: do not create files when it shouldn'tNikos Mavrogiannopoulos2019-05-301-1/+1
|/ / / | | | | | | | | | | | | | | | | | | | | | If a pdf or html file is not distributed, previously `make dist` would create a file called '*.pdf' which did not make sense. This addresses this problem. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | Merge branch 'tmp-datum-cleanup' into 'master'Tim Rühsen2019-05-297-51/+69
|\ \ \ | |/ / |/| | | | | | | | Datum.c cleanup See merge request gnutls/gnutls!1002
| * | Remove malloc from gnutls_srp_set_server_fake_salt_seed()tmp-datum-cleanupNikos Mavrogiannopoulos2019-05-283-18/+18
| | | | | | | | | | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| * | gnutls_session_set_data(): Check for allocation errorTim Rühsen2019-05-281-1/+5
| | | | | | | | | | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
| * | _gnutls_set_[str]datum: Cleanup, add function attributesTim Rühsen2019-05-282-21/+19
| | | | | | | | | | | | | | | | | | | | | _gnutls_set_datum(): Do not change output 'dat' on error _gnutls_set_strdatum: Likewise, cleanup code Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
| * | Add nonnull, nonnull_all and warn_unusd_result attributes in lib/gnutls_int.hTim Rühsen2019-05-281-11/+27
|/ / | | | | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | doc: do not distribute pdf filesNikos Mavrogiannopoulos2019-05-281-2/+2
| | | | | | | | | | | | | | It compicates the 'make dist' phase and does not add much value as the files are available from the web site. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | released 3.6.8Nikos Mavrogiannopoulos2019-05-281-9/+10
| | | | | | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | minor updates in the latex version of the manual [ci skip]Nikos Mavrogiannopoulos2019-05-276-6/+15
| | | | | | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | doc update [ci skip]Nikos Mavrogiannopoulos2019-05-272-4/+11
|/ | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-avoid-libs-in-libsvar' into 'master'Nikos Mavrogiannopoulos2019-05-242-2/+10
|\ | | | | | | | | | | | | Do not add libraries in the global LIBS in configure Closes #735 See merge request gnutls/gnutls!1008
| * .gitlab-ci.yml: ensure that the LIBS variable is empty after a configure runtmp-avoid-libs-in-libsvarNikos Mavrogiannopoulos2019-05-241-0/+1
| | | | | | | | | | | | | | | | We do not use this variable as it is global and applies to all of tests, applications and library, and when it is set it is usually due to bugs in configure.ac. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * Do not add libraries in the global LIBS in configureNikos Mavrogiannopoulos2019-05-241-2/+9
|/ | | | | | | | | This ensures that libraries are linked with the programs requiring them. Resolves: #735 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-version-override' into 'master'Daiki Ueno2019-05-247-5/+14
|\ | | | | | | | | tests: prf-early fixes the global version See merge request gnutls/gnutls!1009
| * bumped versiontmp-version-overrideNikos Mavrogiannopoulos2019-05-242-4/+4
| | | | | | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * tests: prf-early fixes the global versionNikos Mavrogiannopoulos2019-05-245-1/+10
|/ | | | | | | | This allows having fixed data in the hello message involved. That required exposing the variable holding the global gnutls version number for testing. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* certtool: corrected typo in manual [ci skip]Nikos Mavrogiannopoulos2019-05-231-2/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Revert "bumped version"Nikos Mavrogiannopoulos2019-05-232-4/+4
| | | | | | | | | In order to make the CI functional again. The version number update seems to conflict with tests/tls13/prf-early.sh This reverts commit d34d93b8713cf10235ce7016fd69b6932b0752c0. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: prf-early.sh: use the static flag of datefudgeNikos Mavrogiannopoulos2019-05-231-1/+1
| | | | | | This eliminates unexpected failures of the test in slower systems. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tlsfuzzer: reverted accidental move to incorrect versionNikos Mavrogiannopoulos2019-05-231-0/+0
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* NEWS: doc updateNikos Mavrogiannopoulos2019-05-231-1/+14
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* bumped versionNikos Mavrogiannopoulos2019-05-232-4/+4
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Pass down Q for FFDHE in al pre TLS1.3 as wellSimo Sorce2019-05-232-6/+38
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Check Q for FFDHE primes in prime-checkSimo Sorce2019-05-231-13/+23
| | | | | | | These are mersenne primes so q = (p - 1) / 2 We check that p = (q * 2) + 1 Signed-off-by: Simo Sorce <simo@redhat.com>
* Always pass in and check Q in TLS 1.3Simo Sorce2019-05-234-2/+23
| | | | | | | In FIPS mode do an extra check that we did have Q, but it is always passed into the tls13 derive function from the callers. Signed-off-by: Simo Sorce <simo@redhat.com>
* Add plumbing to handle Q parameter in DH exchangesSimo Sorce2019-05-2312-47/+610
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Add test to ensure ECDH exchange behaves correctlySimo Sorce2019-05-233-1/+210
| | | | | | | This test ensures that public keys are properly tested for validity before a ECDH exchange is computed. Signed-off-by: Simo Sorce <simo@redhat.com>
* Add test to ensure DH exchange behaves correctlySimo Sorce2019-05-232-1/+156
| | | | | | | This test ensures that public keys are properly tested for validity before a DH exchange is computed. Signed-off-by: Simo Sorce <simo@redhat.com>
* Add Full Public Key Check for DHSimo Sorce2019-05-231-3/+20
| | | | | | | | This is for NIST SP800-56A requirements and FIPS CAVS testing. GnuTLS never passes in a non-empty Q for normal operations, but tests will and if Q is passed in it needs to be checked. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix Copy&Paste errorSimo Sorce2019-05-231-1/+1
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Merge branch 'tmp-keyupdate-fixes' into 'master'Nikos Mavrogiannopoulos2019-05-233-9/+23
|\ | | | | | | | | | | | | Fix handling of malformed KeyUpdate messages Closes #699 See merge request gnutls/gnutls!1005
| * tls13/key_update: increase handling limit from 1 to 8Daiki Ueno2019-05-222-8/+20
| | | | | | | | | | | | | | | | | | | | | | The limit was too small when testing the capability of handling multiple KeyUpdate messages with tlsfuzzer. This requires a change in the rate limit logic, as previously it doesn't count the KeyUpdate messages despite the name of KEY_UPDATES_PER_SEC. Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * record_add_to_buffers: check if there is an incomplete handshake headerDaiki Ueno2019-05-221-1/+3
| | | | | | | | | | | | | | | | The function checks if a Handshake message is interleaved with an Application Data, but the check was insuffient because it assumed that a complete header is received in the buffer. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Merge branch 'tmp-small-records' into 'master'Daiki Ueno2019-05-2310-8/+24
|\ \ | | | | | | | | | | | | priority: add new option to allow small records (>= 64) See merge request gnutls/gnutls!1006
| * | tlsfuzzer: use %ALLOW_SMALL_RECORDS for testingtmp-small-recordsDaiki Ueno2019-05-224-6/+3
| | | | | | | | | | | | Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | priority: add new option to allow small records (>= 64)Daiki Ueno2019-05-226-2/+21
| |/ | | | | | | | | | | | | | | | | | | | | | | There is a mismatch in the lower limit of record sizes in RFC 8449 (64) and our default (512). If the server advertises a smaller limit than our default, the client has no way to keep communicating with the server. This patch adds a new priority string option %ALLOW_SMALL_RECORDS to set the limit to 64. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Merge branch 'tmp-remove-unused-flag' into 'master'Nikos Mavrogiannopoulos2019-05-233-13/+23
|\ \ | | | | | | | | | | | | | | | | | | pubkey: remove deprecated OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA Closes #754 See merge request gnutls/gnutls!1004
| * | tests: verify functionality of GNUTLS_VERIFY_DISABLE_CA_SIGN flagtmp-remove-unused-flagNikos Mavrogiannopoulos2019-05-212-9/+21
| | | | | | | | | | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | pubkey: remove deprecated TLS1_RSA flag checkKenneth J. Miller2019-05-211-4/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The gnutls_certificate_verify_flags comparisons against OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA conflicts with GNUTLS_VERIFY_DISABLE_CA_SIGN and no longer seems to be used in calls to both gnutls_pubkey_verify_data2 and gnutls_pubkey_verify_hash2 as it seems to have been fully replaced by GNUTLS_VERIFY_USE_TLS1_RSA. Resolves: #754 Signed-off-by: Kenneth J. Miller <ken@miller.ec>
* | | Merge branch 'tmp-privkey-tls13' into 'master'Daiki Ueno2019-05-2213-20/+434
|\ \ \ | |_|/ |/| | | | | | | | | | | | | | server auth: disable TLS 1.3 if no signature algorithm is usable Closes #731 See merge request gnutls/gnutls!987
| * | algorithms: eliminate the FFDHE alert desc requirementDaiki Ueno2019-05-225-19/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | This implements the errata for RFC 7919 eliminating the requirement to reply with an insufficient_security alert when we have negotiated an FFDHE group, but cannot find common ciphersuite: https://www.rfc-editor.org/errata/eid4908 Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | server auth: disable TLS 1.3 if no signature algorithm is usableDaiki Ueno2019-05-209-2/+417
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a server side counterpart of 005a4d04145707daad9588acedfdb5f6cd97c80c. Instead of signalling an error when no algorithm is usable in TLS 1.3, it downgrades the session to TLS 1.2 with a warning. Signed-off-by: Daiki Ueno <dueno@redhat.com>
View Lorry Controller Status