summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* certtool: eliminated unused variableNikos Mavrogiannopoulos2017-08-082-7/+0
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added negative tests in provable-privkeyNikos Mavrogiannopoulos2017-08-081-0/+30
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pk_params_st: separate flags/qbits and curveNikos Mavrogiannopoulos2017-08-0817-63/+69
| | | | | | | | | | Previously we were using the field flags to store the size of q in case of GNUTLS_PK_DH, some key generation flags in case of GNUTLS_PK_RSA, and the curve in case of elliptic curve key. Separate this into multiple fields to reduce confusion on the field. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: check whether validation parameters are lost on key re-importNikos Mavrogiannopoulos2017-08-071-0/+9
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: improved documentation on --provable optionNikos Mavrogiannopoulos2017-08-071-2/+11
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* certtool: create mapping between --load-x and --info optionsNikos Mavrogiannopoulos2017-08-071-12/+31
| | | | | | | | | That allows using: certtool --certificate-info --load-certificate FILE and certtool --certificate-info --infile FILE Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* certtool: removed definitions of non-existing functionsNikos Mavrogiannopoulos2017-08-071-3/+0
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: updated for the new provable private key formatNikos Mavrogiannopoulos2017-08-075-465/+417
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls_x509_privkey_verify_seed: improved error on missing validation parametersNikos Mavrogiannopoulos2017-08-074-3/+9
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* certtool: silence warnings related to --pkcs8Nikos Mavrogiannopoulos2017-08-071-3/+5
| | | | | | There is no reason to bug the user with such details by default. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: better print provable key validation parametersNikos Mavrogiannopoulos2017-08-071-6/+9
| | | | | | | That is, include hash in the printable set, and keep spaces from next fields. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: provable private keys are always exported in PKCS#8 formNikos Mavrogiannopoulos2017-08-073-21/+15
| | | | | | That allows the provable parameters to be included. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509: no longer emit the previous custom format for provable parametersNikos Mavrogiannopoulos2017-08-076-112/+24
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509: store and read provable seed in PKCS#8 form of keyNikos Mavrogiannopoulos2017-08-076-10/+201
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Added information on OID registryNikos Mavrogiannopoulos2017-08-071-0/+22
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pkix.asn: removed unused DomainParametersNikos Mavrogiannopoulos2017-08-072-20/+0
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509: separated PKIX1 attributes parsing code for cert request handlingNikos Mavrogiannopoulos2017-08-074-266/+335
| | | | | | This allows other code to utilize it. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_fbase64_decode will always return non-zerotmp-base64-reject-zero-lengthNikos Mavrogiannopoulos2017-08-074-6/+5
| | | | | | | That is, document that fact and update its callers to remove checks for zero. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_base64_decode: reject all zero-length string encodings on decodingNikos Mavrogiannopoulos2017-08-061-4/+19
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* wrap_nettle_pk_fixup: added sanity check in RSA-PSS param checkingNikos Mavrogiannopoulos2017-08-061-1/+4
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* _decode_pkcs8_rsa_key: signal error in RSA privkey decodingNikos Mavrogiannopoulos2017-08-061-0/+1
| | | | | | | Addresses oss-fuzz issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2865 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: added reproducer for private key crashNikos Mavrogiannopoulos2017-08-063-2/+3
| | | | | | | Found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2865 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: added unit test of gnutls_x509_crt_list_importtmp-added-unit-test-gnutls_x509_crt_list_importNikos Mavrogiannopoulos2017-08-062-1/+366
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: added reproducer applications for psk and srp fuzzerstmp-oss-fuzz-updatesNikos Mavrogiannopoulos2017-08-056-7/+471
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* updated auto-generated filestmp-various-cleanupsNikos Mavrogiannopoulos2017-08-043-0/+8
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls_server_fuzzer: added ed25519 key/certNikos Mavrogiannopoulos2017-08-044-0/+81
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* removed references for "new" semantics of PEM base64 encode and decodeNikos Mavrogiannopoulos2017-08-042-59/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* base64: reverted the raw semantics from the PEM encoding/decoding functionsNikos Mavrogiannopoulos2017-08-041-22/+0
| | | | | | | Keeping the complex semantics with NULL headers would most likely cause issues in the future. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* base64: test the new base64 encoding and decoding functionsNikos Mavrogiannopoulos2017-08-041-0/+125
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* base64: uniformly use GNUTLS_E_BASE64_DECODING_ERROR for decoding errorsNikos Mavrogiannopoulos2017-08-041-3/+3
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* base64: introduced new functions for base64 encodingNikos Mavrogiannopoulos2017-08-043-1/+73
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: gnutls_x509_privkey_import: enhanced to test DER key importNikos Mavrogiannopoulos2017-08-041-1/+47
| | | | | | | It seems that this function was not tested for multiple cases of private keys in DER mode. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls_x509_privkey_import: allow importing ed25519 PKCS#8 keys in DER formNikos Mavrogiannopoulos2017-08-041-6/+10
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* sign/digest: separate "brokenness" of signatures and hash algorithmsNikos Mavrogiannopoulos2017-08-047-51/+57
| | | | | | | That is, allow digital signatures to be marked as broken irrespective of their used hash, and restrict hash brokenness to preimage resistance. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* sign: use C99 syntax for signature algorithm's tableNikos Mavrogiannopoulos2017-08-041-97/+252
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: enable multiple undefined sub-sanitizersNikos Mavrogiannopoulos2017-08-041-2/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* updated auto-generated filestmp-rsa-pss-detectionNikos Mavrogiannopoulos2017-08-043-0/+4
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* p11tool: auto-generate the list of PKCS#11 mechanisms from p11-kitNikos Mavrogiannopoulos2017-08-044-216/+257
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added unit test for gnutls_x509_privkey_importNikos Mavrogiannopoulos2017-08-042-0/+175
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added TLS negotiation with various keys under PKCS#11Nikos Mavrogiannopoulos2017-08-042-1/+374
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509_privkey: handle keys which can only have PKCS#8 form transparentlyNikos Mavrogiannopoulos2017-08-041-9/+26
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: updated for errors returned due to early signature selectionNikos Mavrogiannopoulos2017-08-042-2/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added check for the negotiation of ext keysNikos Mavrogiannopoulos2017-08-043-1/+359
| | | | | | | | | | That is, check whether we can negotiate TLS with ext abstract key types, and whether the algorithms which cannot be used with that key type, gracefully fail. Relates #234 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* privkey: reject signing with ext keys and GNUTLS_PK_RSA_PSS or ↵Nikos Mavrogiannopoulos2017-08-041-0/+3
| | | | | | GNUTLS_PK_EDDSA_ED25519 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_check_key_cert_match: use the new API for signingNikos Mavrogiannopoulos2017-08-041-7/+9
| | | | | | | This ensures that the same signature algorithm is used for signing and verification. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* privkey: return less specific but more appropriate error on invalid pks for ↵Nikos Mavrogiannopoulos2017-08-041-1/+1
| | | | | | ext keys Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* prior to negotiating a signature check compatibility with private keyNikos Mavrogiannopoulos2017-08-048-23/+85
| | | | | | | | | | | | | That is, check if the private key can support the public key operation needed for the signature. That in particular includes, excluding the Ed25519 and RSA-PSS from being used with the 'EXT' keys as the current API cannot handle them, and RSA-PSS from being used by PKCS#11 RSA keys which do not provide the CKM_RSA_PKCS_PSS mechanism. Relates #234 Resolves #209 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pkcs11: mark RSA PKCS#11 key which can do RSA-PSSNikos Mavrogiannopoulos2017-08-041-1/+12
| | | | | | | | Also refuse to sign with RSA-PSS if the mechanism is not supported. Relates #208 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: select a signature algorithm earlyNikos Mavrogiannopoulos2017-08-043-6/+60
| | | | | | | | | | | | That is, select the signature algorithm at the point the certificate and ciphersuites are decided. Also ensure that a compatible signature algorithm with the ciphersuite and the key is selected. That prevents situations where a ciphersuite and a certificate are negotiated, but later on the handshake we figure that there are no common signature algorithms. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added basic unit test of gnutls_pkcs11_token_check_mechanismNikos Mavrogiannopoulos2017-08-041-0/+12
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
View Lorry Controller Status