Commit message | Author | Age | Files | Lines
* nettle: use the nettle_get_secp API when available [tmp-new-nettle-abi] | Nikos Mavrogiannopoulos | 2018-02-07 | 1 | -5/+15
  Resolves #380
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle base64_encode_raw: use cast to avoid warnings | Nikos Mavrogiannopoulos | 2018-02-06 | 3 | -4/+4
  Nettle switched prototypes for base64_encode_raw() as follows:
  -base64_encode_raw(uint8_t *dst, size_t length, const uint8_t *src);
  +base64_encode_raw(char *dst, size_t length, const uint8_t *src);
  That means we need to cast first param to void if we want to avoid warnings on different platforms.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* accelerated: x86-common: do not use _xgetbv() with clang | Nikos Mavrogiannopoulos | 2018-02-06 | 1 | -1/+1
  Resolves #372
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* configure: treat solaris as ELF system | Nikos Mavrogiannopoulos | 2018-02-06 | 1 | -0/+1
  Resolves #376
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: repeat cipher test with multiple keys and nonces [tmp-aarch64-gcm-fix] | Nikos Mavrogiannopoulos | 2018-02-06 | 1 | -61/+102
  In addition include chacha20-poly1305 into the tests.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* accelerated: aarch64: fix GCM counter increment | Nikos Mavrogiannopoulos | 2018-02-06 | 1 | -2/+3
  Ensure that we restrict the GCM counter to the 4 bytes assigned to it.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* accelerated: fix use of SSSE3 vpaes_encrypt | Nikos Mavrogiannopoulos | 2018-02-06 | 1 | -1/+7
  Previously we assumed that the nettle GCM internal functions will use the provided ECB function for single block encryption. Newer versions no longer operate that way. Ensure that we are compatible with them.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* accelerated: fix use of aesni_ecb_encrypt() [tmp-aesni-gcm-fix] | Nikos Mavrogiannopoulos | 2018-02-05 | 1 | -1/+1
  Previously we assumed that the nettle GCM internal functions will use the provided ECB function for single block encryption. Newer versions no longer operate that way. Ensure that we are compatible with them.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* serv: increase cache size used for resumption | Nikos Mavrogiannopoulos | 2018-02-02 | 1 | -1/+1
  That allows sessions with longer parameters to be able to be resumed.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* CONTRIBUTING.md: check the issue closing as part of review [ci skip] | Nikos Mavrogiannopoulos | 2018-02-02 | 1 | -0/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls-cli: no longer print certificate types or compression methods | Nikos Mavrogiannopoulos | 2018-02-02 | 1 | -19/+2
  We don't support any other compression methods than the null compression, nor any other certificate types.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Inline version macros into its users. | Jay Foad | 2018-01-27 | 1 | -20/+22
  This fixes a problem in _gnutls_version_is_supported() where we want to use preprocessing directives in the loop body. Doing this within a macro argument is undefined behaviour according to the C standard, and not supported by the system compiler on AIX.
  Signed-off-by: Jay Foad <jay.foad@gmail.com>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* updated auto-generated files [tmp-fix-certtool-double-free] | Nikos Mavrogiannopoulos | 2018-01-26 | 1 | -474/+474
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* certtool: deprecated the --certificate-pubkey option | Nikos Mavrogiannopoulos | 2018-01-26 | 1 | -1/+2
  That option is duplicate since --pubkey-info can provide the same information.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* certtool: avoid duplicate deinitialization on --certificate-pubkey | Nikos Mavrogiannopoulos | 2018-01-26 | 1 | -4/+8
  Resolves #368
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* dh: document why BER decoding rules are allowed | Nikos Mavrogiannopoulos | 2018-01-23 | 1 | -0/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* pubkey: use the strict DER decoder for SubjectPublicKeyInfo | Nikos Mavrogiannopoulos | 2018-01-23 | 1 | -1/+1
  Although there is no explicit RFC mentioning the SubjectPublicKeyInfo encoding, this structure is a subset of the X.509 certificate's structure and as such it is expected to be in DER form.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* pk: document need for the generic BER decoder | Nikos Mavrogiannopoulos | 2018-01-23 | 1 | -0/+6
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc update [tmp-pkcs11-access-fixes] | Nikos Mavrogiannopoulos | 2018-01-23 | 1 | -0/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: check whether deletion of a certificate object works | Nikos Mavrogiannopoulos | 2018-01-23 | 1 | -0/+19
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* p11tool: corrected issue preventing the deletion of objects in batch mode | Nikos Mavrogiannopoulos | 2018-01-23 | 1 | -0/+2
  Previously initialization of PIN callbacks would only happen during listing of objects, which happened only in non-batch mode.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* p11tool: corrected type affecting use of --only-urls | Nikos Mavrogiannopoulos | 2018-01-23 | 1 | -1/+1
  It would enable batch mode accidentally.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: pkcs11/tls-neg-pkcs11-key: updated for softhsm with PKCS#11 support | Nikos Mavrogiannopoulos | 2018-01-22 | 1 | -12/+19
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* added sub-section on selecting the right return value [ci skip] | Nikos Mavrogiannopoulos | 2018-01-22 | 1 | -0/+7
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc update [ci skip] | Nikos Mavrogiannopoulos | 2018-01-17 | 1 | -5/+15
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* examples: use gnutls_certificate_set_x509_system_trust | Nikos Mavrogiannopoulos | 2018-01-17 | 2 | -11/+5
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc update [tmp-dtls-further-mtu-improvements] | Nikos Mavrogiannopoulos | 2018-01-16 | 1 | -0/+5
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: privkey-verify-broken: addressed uninitialized var use | Nikos Mavrogiannopoulos | 2018-01-16 | 1 | -2/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: check whether get_mtu() functions relate to the set values | Nikos Mavrogiannopoulos | 2018-01-16 | 1 | -0/+25
  That is, verify that gnutls_dtls_set_data_mtu() value would be reflected into gnutls_dtls_get_data_mtu(), as well as the gnutls_dtls_set_mtu() to gnutls_dtls_get_mtu().
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added unit test for _gnutls_record_overhead() | Nikos Mavrogiannopoulos | 2018-01-16 | 5 | -3/+110
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* DTLS: improved data MTU calculation under CBC ciphersuites | Nikos Mavrogiannopoulos | 2018-01-16 | 3 | -46/+69
  The data MTU calculation under CBC ciphersuites takes into account that the overhead of these ciphersuites is constant (IV + hash + 1 byte padding), though the capacity varies due to the padding block. That is, on 16-byte padding block, one padding byte is the overhead but the rest 15 bytes are accounted for data MTU.
  That also has the side effect that setting a data MTU using gnutls_dtls_set_data_mtu(), is not definite, and the actual MTU may be larger for these ciphersuites --i.e., the return value of gnutls_dtls_get_data_mtu().
  Resolves #360
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* fuzz: added reproducer for leak in gnutls_x509_crl_list_import [tmp-mem-leak] | Nikos Mavrogiannopoulos | 2018-01-10 | 1 | -0/+1
  That was detected by oss-fuzz in: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4930
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_crt_list_import: eliminated memory leak | Nikos Mavrogiannopoulos | 2018-01-10 | 1 | -3/+5
  That leak would be triggered if GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED flag was used and the input data would exceed the maximum limit.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* libtasn1: updated to latest libtasn1 master branch [tmp-update-libtasn1] | Nikos Mavrogiannopoulos | 2018-01-09 | 3 | -8/+32
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pkcs12_key_parser_fuzzer.in: added reproducer for oss-fuzz #4890 | Nikos Mavrogiannopoulos | 2018-01-09 | 1 | -0/+0
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc update [ci skip] | Nikos Mavrogiannopoulos | 2018-01-07 | 1 | -0/+5
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc: updated copyright year for manual [tmp-fix-verification-issues] | Nikos Mavrogiannopoulos | 2018-01-06 | 1 | -2/+2
  That eliminates the 'make syntax-check' error.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added reproducer for self-signed verification error | Nikos Mavrogiannopoulos | 2018-01-06 | 2 | -0/+144
  Relates #347
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* x509/verify: when verifying against a self signed certificate ignore issuer | Nikos Mavrogiannopoulos | 2017-12-30 | 1 | -5/+7
  That is, ignore issuer when checking the issuer's parameters strength. That resolves the issue of marking self-signed certificates as with insecure parameters during verification.
  Resolves #347
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls_pk_self_test: include ECDSA tests on GNUTLS_PK_EC [tmp-update-fips-self-tests] | Nikos Mavrogiannopoulos | 2017-12-21 | 1 | -24/+25
  Previously when a request for a specific self check on GNUTLS_PK_EC was done, only ECDH tests would be run. This change includes the ECDSA tests as well (GNUTLS_PK_EC and GNUTLS_PK_ECDSA are an alias to each other).
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: hash-large: increase parallelism to allow fast run in CI [tmp-speedup-hash-tests] | Nikos Mavrogiannopoulos | 2017-12-20 | 3 | -50/+67
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: reference gnutls_prf_rfc5705 instead of gnutls_prf [303-provide-a-consistent-set-of-default-ciphers-across-supported-protocols] | Nikos Mavrogiannopoulos | 2017-12-08 | 1 | -9/+12
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: utils.h: forbid compilation with NDEBUG [tmp-pkcs11-update] | Nikos Mavrogiannopoulos | 2017-12-03 | 1 | -0/+4
  This allows to rely on the assert() macro being functional on the test suite.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: p11-kit-load.sh: verify that all modules are loaded after a private key operation | Nikos Mavrogiannopoulos | 2017-12-03 | 2 | -3/+23
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: enhanced pkcs11/list-tokens | Nikos Mavrogiannopoulos | 2017-12-03 | 1 | -4/+12
  This not only creates a trust list with the system certificates, but also attempts to verify a certificate, increasing the number of calls to PKCS#11 verification API (and thus ensuring there are no calls which may trigger the load of other modules).
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pkcs11 verification: always use the GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE | Nikos Mavrogiannopoulos | 2017-12-03 | 2 | -6/+10
  That is, make sure that all our calls to PKCS#11 subsystem for verification will only trigger the trust module initialization, and not the generic PKCS#11 initialization.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pkcs11: simplify trusted module loading state | Nikos Mavrogiannopoulos | 2017-12-03 | 2 | -13/+15
  That is always utilize the same flags (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE) to determine whether to initialize trusted modules only or proceed with general initialization.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_pkcs11_check_init: improved transition between states | Nikos Mavrogiannopoulos | 2017-12-03 | 3 | -20/+59
  The init_level_t for PKCS#11 modules, was incorrectly handled as a linear state transition, causing few cases in the transition to be incorrectly handled. Define precisely the state transitions and enforce them in _gnutls_pkcs11_check_init.
  That addresses a regression introduced by the previous state handling addition, which made impossible to switch from the trusted state to the all modules.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: corrected destructive/p11-kit-load.sh error checking | Nikos Mavrogiannopoulos | 2017-12-02 | 1 | -21/+47
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls-serv: fix double-free on inactivity timeout [tmp-dueno-serv-double-free] | Daiki Ueno | 2017-12-01 | 1 | -0/+1
  Previously, gnutls-serv --echo segfaulted when closing client connection after inactivity timeout. Here is the valgrind output:
  ==20246== Invalid free() / delete / delete[] / realloc()
  ==20246==    at 0x4C2FD18: free (vg_replace_malloc.c:530)
  ==20246==    by 0x405310: listener_free (serv.c:154)
  ==20246==    by 0x408B57: tcp_server (serv.c:1568)
  ==20246==    by 0x407DA6: main (serv.c:1231)
  ==20246==  Address 0x6ed4fe0 is 0 bytes inside a block of size 3 free'd
  ==20246==    at 0x4C2FD18: free (vg_replace_malloc.c:530)
  ==20246==    by 0x408A1D: tcp_server (serv.c:1548)
  ==20246==    by 0x407DA6: main (serv.c:1231)
  ==20246==  Block was alloc'd at
  ==20246==    at 0x4C2EB6B: malloc (vg_replace_malloc.c:299)
  ==20246==    by 0x6A64489: strdup (in /usr/lib64/libc-2.25.so)
  ==20246==    by 0x407310: get_response (serv.c:948)
  ==20246==    by 0x408840: tcp_server (serv.c:1492)
  ==20246==    by 0x407DA6: main (serv.c:1231)
  ==20246==
  Signed-off-by: Daiki Ueno <dueno@redhat.com>