Commit message (Author, Age, Files, Lines)
...
| * | | | | nettle/mac: fail mac calculation if nonce is required but not provided (Dmitry Eremin-Solenikov, 2019-06-28, 1 file, -2/+9)
    Fail _wrap_nettle_mac_set_nonce() and _wrap_nettle_mac_fast() if MAC requires nonce, but it was not supplied.
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | | | nettle/mac: in mac_fast call set_nonce after set_key (Dmitry Eremin-Solenikov, 2019-06-28, 1 file, -1/+1)
    Calling set_nonce before set_key is plain incorrect. For GMAC key is not initialized. For UMAC set_key will reset nonce to empty.
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | | | lib: add support for AES-GMAC (Dmitry Eremin-Solenikov, 2019-06-28, 6 files, -0/+208)
    Add support for computing AES-GMAC using MAC API, as requested by Samba for SMB3 support.
    Resolves: #781
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | | | | Merge branch 'tmp-fix-gnutls_x509_crt_list_import2' into 'master' (Nikos Mavrogiannopoulos, 2019-06-28, 2 files, -1/+4)
    Fix gnutls_x509_crt_list_import2() documentation
    Closes #794
    See merge request gnutls/gnutls!1037
| * | | | tests: gnutls_x509_crt_list_import: verify that return code is as documented [branch: tmp-fix-gnutls_x509_crt_list_import2] (Nikos Mavrogiannopoulos, 2019-06-28, 1 file, -0/+3)
    That checks whether the return code of gnutls_x509_crt_list_import() contains the number of loaded certificates.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | | | gnutls_x509_crt_list_import2: updated doc to reflect the actual return value ↵ (Nikos Mavrogiannopoulos, 2019-06-28, 1 file, -1/+1)
    options
    Resolves: #794
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | | | Merge branch 'tmp-asm' into 'master' (Nikos Mavrogiannopoulos, 2019-06-27, 71 files, -13581/+53045)
    Updated asm files to latest version under cryptogams license
    See merge request gnutls/gnutls!989
| * | | | Align _gnutls_x86_cpuid_s as OPENSSL_ia32cap_P would be (Nikos Mavrogiannopoulos, 2019-06-27, 21 files, -586/+101)
    We were not setting the third array member correctly, though this didn't have any impact to previous implementations as they did not rely on it. This also moves away from the custom implementation of cpuid (which was limited), and we now rely on the compiler's version. This effectively enables support for SHA_NI.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | | | Updated asm files to latest version under cryptogams license (Nikos Mavrogiannopoulos, 2019-06-27, 57 files, -13003/+52952)
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | | | Merge branch 'hmac-copy' into 'master' (Dmitry Eremin-Solenikov, 2019-06-26, 25 files, -0/+343)
    gnutls_hmac_copy() API
    Closes #787
    See merge request gnutls/gnutls!1035
| * | | NEWS: document gnutls_hash/hmac_copy addition (Dmitry Eremin-Solenikov, 2019-06-26, 1 file, -0/+6)
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | gnutls_hash/hmac_copy: check its usability in all cases (Nikos Mavrogiannopoulos, 2019-06-26, 7 files, -6/+12)
    During the test suite run we require that all supported MAC and hash algorithms implement the copy function.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | | accelerated ciphers: implement hmac and hash copy (Nikos Mavrogiannopoulos, 2019-06-26, 6 files, -0/+121)
    This implements the new API to all internal implementations.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | | lib: add support for gnutls_hash_copy() (Dmitry Eremin-Solenikov, 2019-06-26, 12 files, -0/+104)
    Add gnutls_hash_copy() function for copying message digest context.
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | crypto-selftests: add test for gnutls_hmac_copy() (Dmitry Eremin-Solenikov, 2019-06-26, 1 file, -0/+28)
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | api: add gnutls_hmac_copy() function (Dmitry Eremin-Solenikov, 2019-06-26, 7 files, -0/+39)
    Add gnutls_hmac_copy() API to duplicate MAC handler state, which is necessary for SMB3 support.
    Resolves: #787
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | Add MAC copying support to nettle backend (Dmitry Eremin-Solenikov, 2019-06-24, 1 file, -0/+17)
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | Add MAC api to support copying of instances (Dmitry Eremin-Solenikov, 2019-06-24, 4 files, -0/+22)
    GOST ciphersuites require continuously computing MAC of all the previously sent or received data. The easiest way to support that is to add support for copy function, that creates MAC instance with the same internal state.
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | | Merge branch 'tmp-inih' into 'master' (Nikos Mavrogiannopoulos, 2019-06-20, 44 files, -6920/+9050)
    Enhance the configuration file capabilities
    Closes #587
    See merge request gnutls/gnutls!1013
| * | | updated auto-generated files (Nikos Mavrogiannopoulos, 2019-06-20, 5 files, -6795/+6932)
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | | config: added ability to override and mark algorithms as disabled (Nikos Mavrogiannopoulos, 2019-06-20, 34 files, -43/+1521)
    This allows the system administrator or the distributor to use the gnutls configuration file to mark hashes, signature algorithms, TLS versions, curves, groups, ciphers KX, and MAC algorithms as insecure (the last four only in the context of a TLS session). It also allows to set a minimum profile which the applications cannot fall below. The options intentionally do not allow marking algorithms as secure so that the configuration file cannot be used as an attack vector. This change also makes sure that unsupported and disabled protocols during compile time (e.g., SSL3.0), do not get listed by gnutls-cli. The configuration file feature can be disabled at compile time with an empty --with-system-priority-file. This patch introduces the function gnutls_get_system_config_file() allowing applications to check whether a configuration file was used.
    Resolves: #587
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | | Use inih to parse configuration file (Nikos Mavrogiannopoulos, 2019-06-20, 9 files, -92/+607)
    This introduces the inih copylib, and makes our configuration file parsing more flexible.
    Relates: #587
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | | Merge branch 'makefile-patch' into 'master' (Nikos Mavrogiannopoulos, 2019-06-20, 1 file, -3/+3)
    Corrected call for updating ABI files
    See merge request gnutls/gnutls!1033
| * | | Corrected call for updating ABI files (Karsten Ohme, 2019-06-19, 1 file, -3/+3)
    Signed-off-by: Karsten Ohme <k_o_@users.sourceforge.net>
* | | Merge branch 'tmp-deprecate-registration-apis' into 'master' (Nikos Mavrogiannopoulos, 2019-06-20, 2 files, -5/+18)
    Marked the crypto backend registration APIs as deprecated
    Closes #789
    See merge request gnutls/gnutls!1032
| * | | Marked the crypto backend registration APIs as deprecated [branch: tmp-deprecate-registration-apis] (Nikos Mavrogiannopoulos, 2019-06-20, 2 files, -5/+18)
    This is to warn for a future conversion of these APIs to a no-op.
    Resolves: #789
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | Merge branch 'tmp-small-records-tests' into 'master' (Daiki Ueno, 2019-06-20, 16 files, -26/+345)
    tests: improve record_size_limit tests
    See merge request gnutls/gnutls!1023
| * | gnutls-cli-debug.sh: sanity check of %ALLOW_SMALL_RECORDS test [branch: tmp-small-records-tests] (Nikos Mavrogiannopoulos, 2019-06-19, 1 file, -0/+3)
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | tlsfuzzer: test both with and without %ALLOW_SMALL_RECORDS (Daiki Ueno, 2019-06-19, 9 files, -3/+148)
    The option changes the behavior of the server, it would make sense to check both with and without %ALLOW_SMALL_RECORDS.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | tlsfuzzer: use fixed HTTP response for record_size_limit tests (Daiki Ueno, 2019-06-19, 3 files, -20/+27)
    Previously those tests assumed varying sizes of connection information gnutls-serv sends. This is too brittle and if the default algorithm has changed the tests need to be updated.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | gnutls-serv: add --httpdata option to respond with fixed sized data (Daiki Ueno, 2019-06-19, 2 files, -1/+55)
    By default, the gnutls-server --http responds with the connection information. While this is useful for manual testing, fixed content would be more desirable for automated testing.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | gnutls-cli-debug: check if %ALLOW_SMALL_RECORDS is required (Daiki Ueno, 2019-06-19, 4 files, -2/+90)
    This adds a new test against the server to check if %ALLOW_SMALL_RECORDS is required to continue communicating with the server. The test is in two parts: one to check if the server accepts records with the default size (512 bytes) and the other is to check if %ALLOW_SMALL_RECORDS helps if the previous test fails.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | gnutls-serv: add --recordsize option (Daiki Ueno, 2019-06-19, 2 files, -0/+22)
    This adds a means to set maximum record size to receive. If the size is less than our default (< 512), --priority with %ALLOW_SMALL_RECORDS also needs to be specified.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | | doc: updated p11-kit links [ci skip] (Nikos Mavrogiannopoulos, 2019-06-16, 3 files, -4/+4)
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | Merge branch 'tmp-ametzler-doc-syntax-fix' into 'master' (Nikos Mavrogiannopoulos, 2019-06-15, 1 file, -0/+1)
    CONTRIBUTING.md: Fix syntax error [ci skip]
    See merge request gnutls/gnutls!1028
| * | | CONTRIBUTING.md: Fix syntax error [ci skip] (Andreas Metzler, 2019-06-15, 1 file, -0/+1)
    Signed-off-by: Andreas Metzler <ametzler@bebt.de>
* | | Merge branch 'tmp-fix-raw-flag-in-newapi' into 'master' (Nikos Mavrogiannopoulos, 2019-06-14, 4 files, -12/+24)
    gnutls_privkey_sign_hash2: accept the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA flag
    See merge request gnutls/gnutls!1025
| * | gnutls_privkey_sign_hash2: accept the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA flag [branch: tmp-fix-raw-flag-in-newapi] (Nikos Mavrogiannopoulos, 2019-06-10, 4 files, -12/+24)
    Previously this flag was ignored, although documented not to. This patch also enables the tests sign-verify-newapi and sign-verify-data-newapi which were supposed to test this interface, but were never enabled. This was caught by Andreas Metzler.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | Merge branch 'tmp-aes-cbc-selftest' into 'master' (Nikos Mavrogiannopoulos, 2019-06-12, 1 file, -0/+6)
    fips: run selftests over overridden AES-CBC algorithm
    See merge request gnutls/gnutls!1027
| * | | fips: run selftests over overridden AES-CBC algorithm [branch: tmp-aes-cbc-selftest] (Daiki Ueno, 2019-06-12, 1 file, -0/+6)
    Previously, we only tested nettle's AES-CBC in _gnutls_fips_perform_self_checks1(), which is called before the implementation is overridden. This adds an AES-CBC self-test in _gnutls_fips_perform_self_checks2() so it can test the actual implementation.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | | Merge branch 'guile-deprecate-openpgp' into 'master' (Nikos Mavrogiannopoulos, 2019-06-12, 2 files, -13/+82)
    guile: Deprecate OpenPGP bindings.
    See merge request gnutls/gnutls!1021
| * | guile: Deprecate OpenPGP bindings. (Ludovic Courtès, 2019-06-12, 2 files, -14/+83)
    * guile/modules/gnutls.in (define-deprecated): New macro. Use it for all the *openpgp* bindings.
    * guile/src/core.c: Rename *openpgp* bindings with a '%' prefix.
    Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* | tests: removed debugging output from GETPORT (Nikos Mavrogiannopoulos, 2019-06-10, 1 file, -1/+0)
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | .gitlab-ci.yml: include top log files in all build failures [ci skip] (Nikos Mavrogiannopoulos, 2019-06-08, 1 file, -0/+2)
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | Merge branch 'guile-remove-alloca' into 'master' (Tim Rühsen, 2019-06-07, 2 files, -27/+33)
    Remove unbounded uses of alloca in the Guile bindings
    Closes #684
    See merge request gnutls/gnutls!1022
| * guile: Remove unbounded uses of 'alloca'. (Ludovic Courtès, 2019-06-07, 2 files, -20/+26)
    * guile/src/core.c (ALLOCA_MAX_SIZE, FAST_ALLOC): New macros.
      (set_certificate_file):
      (scm_gnutls_set_certificate_credentials_x509_key_files_x)
      (scm_gnutls_set_srp_server_credentials_files_x)
      (scm_gnutls_set_srp_client_credentials_x)
      (scm_gnutls_srp_base64_encode, scm_gnutls_srp_base64_decode)
      (scm_gnutls_set_psk_server_credentials_file_x)
      (scm_gnutls_pkcs8_import_x509_private_key)
      (scm_gnutls_x509_certificate_matches_hostname_p)
      (scm_gnutls_import_openpgp_private_key): Use 'FAST_ALLOC' instead of 'alloca'.
    * guile/src/utils.c: Remove unneeded <alloca.h> include.
    Signed-off-by: Ludovic Courtès <ludo@gnu.org>
| * guile: Always provide 'scm_gc_malloc_pointerless'. (Ludovic Courtès, 2019-06-07, 1 file, -7/+7)
    * guile/src/core.c (scm_gc_malloc_pointerless) [!HAVE_SCM_GC_MALLOC_POINTERLESS]: New macro.
      (make_session_record_port): Remove #ifdef HAVE_SCM_GC_MALLOC_POINTERLESS.
    Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* | Merge branch 'tmp-keyupdate-fixes' into 'master' (Daiki Ueno, 2019-06-06, 4 files, -2/+235)
    tls13/key_update: ignore multiple key updates instead of error
    See merge request gnutls/gnutls!1019
| * | tls13/key_update: ignore multiple key updates instead of error [branch: tmp-keyupdate-fixes] (Daiki Ueno, 2019-06-05, 4 files, -2/+235)
    This fixes the multiple KeyUpdate messages handling in commit 65e2aa80d114d4bef095d129c2eda475e473244a, where illegal_parameter is sent even if the limit doesn't exceed.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Merge branch 'tmp-fix-travis2' into 'master' (Tim Rühsen, 2019-06-04, 2 files, -11/+11)
    Prefix gcc attributes with 'attr_'
    See merge request gnutls/gnutls!1017