| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
Previously we were assuming a fixed amount of length bytes which
is not correct for all possible lengths. Use libtasn1 to decode
the length field.
Resolves: #223
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Normally when attempting to match the 'Responder Key ID' in an OCSP response
against the issuer certificate we check (according to RFC6960) against the
hash of the SPKI field. However, in few certificates (see commit:
"added ECDSA OCSP response verification"), that may not be the case. In that
certificate, that value matches the Subject Public Key identifier field
but not the hash.
To account for these certificates, we enhance the matching to also consider
the Subject Public Key identifier field.
Relates: #223
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
| |
brew install seems to fail on several occasions when a newer package
is available than the installed. Ignore those errors rather than
failing build.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
| |
That ensures that we always save the OCSP response, even when certificate
verification fails.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
They are not required for TLS 1.3, and are deprecated for TLS 1.2.
We eliminate them in order to reduce the complexity in the record
packet handling.
Resolves #212
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
Previously we were reporting "No issuer found" if any certificate
in a chain could not be verified. That was confusing information
and not strictly necessary. No longer print that.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
This utilizes the provided chain to find the signer of the
OCSP response.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
| |
This allows verification to succeed even when broken algorithms are
involved.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
| |
This option allows to directly verify all the members of a certificate
chain.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
| |
They are not widely enabled by web servers, and they provide no
advantage over X25519.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
| |
Use pkcs11_rv_to_err() to return the right error code map after
PKCS#11 calls; separate checks for already log in status for SO and
user login.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
| |
That is, for the MOCK_FLAG_SAFENET_ALWAYS_AUTH flag we ensure that
GetSessionInfo() will return the right state when authentication
is required for the first time.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
| |
That is, when the HSM returns CKR_USER_NOT_LOGGED_IN, switch
to CKU_USER, instead of relying to a fallback within pkcs11_login().
That simplifies login logic.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
| |
That is, detect whether the absence of C_Login will fallback to CKU_USER
after CKU_CONTEXT_SPECIFIC is tried.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
| |
By cleanups, as well as including the reauth flag in the flags option.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
That is, even in tokens which do not have a CKF_LOGIN_REQUIRED flag
a login will be forced. This allows operation on the safenet HSMs
which do not set that flag.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
These HSMs do not support CKA_ALWAYS_AUTHENTICATE, nor understand CKU_CONTEXT_SPECIFIC,
but rather return CKR_USER_NOT_LOGGED_IN on the first private key operation.
Try to discover that state by calling C_Login when CKR_USER_NOT_LOGGED_IN
is seen, and retrying with CKU_USER after CKU_CONTEXT_SPECIFIC login fails.
See discussion in https://github.com/OpenSC/libp11/issues/160
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
| |
Resolves #178
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
This relates to handshakes with support for RSA-PSS.
Found with oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2132
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
Backport the upstream fix from:
https://git.lysator.liu.se/nettle/nettle/commit/b1252fedf6ee1dbb8468d1d3f177711a16e83e52
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|