Commit message (Author, Age, Files, Lines)
* certtool: default to yes on signing certificates for CAs [tmp-sign-cas] (Nikos Mavrogiannopoulos, 2019-07-26, files: 1, lines: -2/+2)
|  When asking the questions for CA certificate generation, default to yes to signing certificates. This is because that's the most common type of CAs generated and defaulting to yes eliminates the need for restart on error.
|  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* bumped version for 3.6.9 [gnutls_3_6_9] (Nikos Mavrogiannopoulos, 2019-07-25, files: 3, lines: -4/+4)
|  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'fix-gost' into 'master' (Dmitry Eremin-Solenikov, 2019-07-22, files: 19, lines: -5/+93)
|\
| |  nettle/gost: support building with GOST-enabled Nettle
| |  See merge request gnutls/gnutls!1044
| * nettle/backport: fix xts-backport guarding check (Dmitry Eremin-Solenikov, 2019-07-14, files: 3, lines: -5/+5)
| |  Check for nettle_xts_encrypt_message() function rather than just xts_encrypt_message(). All functions in nettle are renamed to contain `nettle_` prefix.
| |  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * nettle/gost: support building with GOST-enabled Nettle (Dmitry Eremin-Solenikov, 2019-07-14, files: 17, lines: -0/+88)
| |  Nettle library starts to gain support for GOST algorithms. Support building GnuTLS with GOST-enabled nettle library.
| |  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | gnutls.h: mark AEAD ciphers as such in gnutls_cipher_algorithm_t description (Nikos Mavrogiannopoulos, 2019-07-22, files: 2, lines: -14/+16)
| |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | abi-check: correctly bail-out on errors [tmp-fix-abicheck] (Nikos Mavrogiannopoulos, 2019-07-22, files: 2, lines: -2/+42)
| |  Added suppressions for _MAX enumerator values.
| |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Support for Generalname registeredID from RFC 5280 in subject alt name (Karsten Ohme, 2019-07-22, files: 10, lines: -15/+66)
| |  Added test certificates (cert10.der) with registered ID
| |  Updated Makefile for inclusion of test certificates
| |  Updated SAN unknown test certificates (cert5.der)
| |  Signed-off-by: Karsten Ohme <k_o_@users.sourceforge.net>
* | libgnutls.abignore: added comment linking to syntax (Nikos Mavrogiannopoulos, 2019-07-21, files: 1, lines: -0/+3)
| |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | NEWS: updated for upcoming release [ci skip] (Nikos Mavrogiannopoulos, 2019-07-21, files: 1, lines: -14/+15)
| |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | Merge branch 'tmp-tls-fuzzer' into 'master' (Nikos Mavrogiannopoulos, 2019-07-19, files: 4, lines: -2/+26)
|\ \
| | |  Fixed alerts returned on TLS1.3 corner cases
| | |  Closes #682
| | |  See merge request gnutls/gnutls!1045
| * | Fixed alerts returned on TLS1.3 corner cases (Nikos Mavrogiannopoulos, 2019-07-15, files: 4, lines: -2/+26)
| | |  This enables the tls-fuzzer tests 'test-tls13-certificate-verify.py'.
| | |  Resolves: #682
| | |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | Merge branch 'tmp-fix-doc-gnutls_certificate_set_retrieve_function3' into 'master' (Nikos Mavrogiannopoulos, 2019-07-17, files: 1, lines: -4/+10)
|\ \ \
| | | |  Fix documented params for gnutls_certificate_retrieve_function3()
| | | |  See merge request gnutls/gnutls!1047
| * | | Fix documented params for gnutls_certificate_retrieve_function3() [tmp-fix-doc-gnutls_certificate_set_retrieve_function3] (Tim Rühsen, 2019-07-16, files: 1, lines: -4/+10)
|/ / /
| | |  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | | Merge branch 'guile-reauth' into 'master' (Tim Rühsen, 2019-07-12, files: 7, lines: -29/+408)
|\ \ \
| |/ /
|/| |
| | |  Support post-handshake reauthentication in the Guile bindings
| | |  See merge request gnutls/gnutls!1026
| * | guile: Add support for post-handshake reauthentication. (Ludovic Courtès, 2019-06-12, files: 5, lines: -9/+199)
| | |  * guile/modules/gnutls/build/enums.scm (%connection-flag-enum): New variable.
| | |  (%gnutls-enums): Add it.
| | |  * guile/modules/gnutls.in: Export 'reauthenticate', 'connection-flag->string', and all the 'connection-flag/' bindings.
| | |  * guile/src/core.c (scm_gnutls_make_session): Add rest arguments FLAGS and honor it.
| | |  (scm_gnutls_reauthenticate): New function.
| | |  * guile/tests/reauth.scm: New file.
| | |  * guile/Makefile.am (TESTS): Add it.
| | |  Signed-off-by: Ludovic Courtès <ludo@gnu.org>
| * | guile: Loop or poll upon GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED. (Ludovic Courtès, 2019-06-12, files: 1, lines: -5/+50)
| | |  * guile/src/core.c (do_fill_port) [USING_GUILE_BEFORE_2_2]: Loop while 'gnutls_record_recv' returns GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED.
| | |  (read_from_session_record_port) [!USING_GUILE_BEFORE_2_2]: Likewise, and return -1 if SCM_GNUTLS_SESSION_TRANSPORT_IS_FD and we got GNUTLS_E_AGAIN.
| | |  (session_record_port_fd) [!USING_GUILE_BEFORE_2_2]: New function.
| | |  (scm_init_gnutls_session_record_port_type) [!USING_GUILE_BEFORE_2_2]: Call 'scm_set_port_read_wait_fd'.
| | |  Signed-off-by: Ludovic Courtès <ludo@gnu.org>
| * | guile: Add bindings for 'gnutls_error_is_fatal'. (Ludovic Courtès, 2019-06-12, files: 3, lines: -12/+28)
| | |  * guile/src/errors.c (scm_gnutls_fatal_error_p): New function.
| | |  * guile/modules/gnutls.in: Export 'fatal-error?'.
| | |  * guile/tests/errors.scm: test 'fatal-error?'.
| | |  Signed-off-by: Ludovic Courtès <ludo@gnu.org>
| * | guile: Update list of error values. (Ludovic Courtès, 2019-06-12, files: 2, lines: -3/+131)
| | |  * guile/modules/gnutls/build/enums.scm (%error-enum): Update list of error constants.
| | |  * guile/modules/gnutls.in (gnutls): Adjust exports accordingly.
| | |  Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* | | Merge branch 'tmp-session-ticket-valgrind' into 'master' (Daiki Ueno, 2019-07-11, files: 1, lines: -1/+5)
|\ \ \
| | | |  ext/session_ticket: eliminate redundant memcpy
| | | |  See merge request gnutls/gnutls!1040
| * | | ext/session_ticket: avoid calling memcpy on overlapping memory areas [tmp-session-ticket-valgrind] (Daiki Ueno, 2019-07-10, files: 1, lines: -1/+5)
| | | |  In _gnutls_encrypt_session_ticket, ticket.encrypted_state is allocated from ticket_data->data, thus those memory areas may overlap. Using memcpy here leads to undefined behavior. Spotted by valgrind run on ppc64le.
| | | |  ==95231== Source and destination overlap in memcpy(0x47ce3a2, 0x47ce3a2, 160)
| | | |  ==95231==    at 0x408A840: memcpy (vg_replace_strmem.c:1023)
| | | |  ==95231==    by 0x424EE9F: pack_ticket (session_ticket.c:139)
| | | |  ==95231==    by 0x424FA4F: _gnutls_encrypt_session_ticket (session_ticket.c:335)
| | | |  ==95231==    by 0x4199E3B: generate_session_ticket (session_ticket.c:249)
| | | |  ==95231==    by 0x419A333: _gnutls13_send_session_ticket (session_ticket.c:307)
| | | |  ==95231==    by 0x40F8817: _gnutls13_handshake_server (handshake-tls13.c:511)
| | | |  ==95231==    by 0x4110DEB: handshake_server (handshake.c:3331)
| | | |  ==95231==    by 0x410C70B: gnutls_handshake (handshake.c:2727)
| | | |  ==95231==    by 0x10009EBF: retry_handshake (serv.c:1306)
| | | |  ==95231==    by 0x1000AB67: tcp_server (serv.c:1500)
| | | |  ==95231==    by 0x10009E5B: main (serv.c:1297)
| | | |  ==95231==
| | | |  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | | | Merge branch 'tmp-pkcs11-login-error' into 'master' (Daiki Ueno, 2019-07-11, files: 6, lines: -187/+182)
|\ \ \ \
| | | | |  pkcs11: ignore login error when traversing tokens
| | | | |  See merge request gnutls/gnutls!1031
| * | | | tests: remove unused destructive/p11-kit-load.sh [tmp-pkcs11-login-error] (Daiki Ueno, 2019-07-11, files: 1, lines: -185/+0)
| | | | |  This file is replaced with tests/p11-kit-load.sh and tests/pkcs11/list-tokens.c.
| | | | |  Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | | | pkcs11: ignore login error when traversing tokens (Daiki Ueno, 2019-07-11, files: 5, lines: -2/+182)
| | | | |  If a token is a general access device, it is expected that login attempt to that token returns error: https://github.com/p11-glue/p11-kit/blob/master/trust/module.c#L852
| | | | |  On the other hand, _pkcs11_traverse_tokens treats the error as fatal and stops iteration. This behavior prevents object search without token specifier if such tokens are registered in the system.
| | | | |  Reported by Stanislav Zidek in https://bugzilla.redhat.com/show_bug.cgi?id=1705478
| | | | |  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | | | | Merge branch 'tmp-mark-infinite-loops' into 'master' (Nikos Mavrogiannopoulos, 2019-07-10, files: 2, lines: -35/+24)
|\ \ \ \ \
| | | | | |  lib: mark infinite loops explicitly
| | | | | |  See merge request gnutls/gnutls!1043
| * | | | | lib: mark infinite loops explicitly [tmp-mark-infinite-loops] (Nikos Mavrogiannopoulos, 2019-07-10, files: 2, lines: -35/+24)
|/ / / / /
| | | | |  There were few infinite loop constructions which were checking for an always true condition. Make sure that this construction is marked explicitly as while(1) to assist static analysers, or reviewers.
| | | | |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | | | Merge branch 'tmp-coverage' into 'master' (Nikos Mavrogiannopoulos, 2019-07-09, files: 1, lines: -12/+98)
|\ \ \ \ \
| | | | | |  tests: improve coverage of CRQ related functions
| | | | | |  See merge request gnutls/gnutls!1042
| * | | | | tests: improve coverage of CRQ related functions [tmp-coverage] (Nikos Mavrogiannopoulos, 2019-07-09, files: 1, lines: -12/+98)
|/ / / / /
| | | | |  That adds sanity check of crq-related functions that were not included in the testsuite at all.
| | | | |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | | | Merge branch 'tmp-var' into 'master' (Nikos Mavrogiannopoulos, 2019-07-09, files: 2, lines: -0/+4)
|\ \ \ \ \
| | | | | |  encode_ber_digest_info: added sanity check
| | | | | |  See merge request gnutls/gnutls!1041
| * | | | | encode_ber_digest_info: added sanity check (Nikos Mavrogiannopoulos, 2019-07-08, files: 2, lines: -0/+4)
| | | | | |  Issue found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15665
| | | | | |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | | | | Merge branch 'tmp-fix-ocsp' into 'master' (Nikos Mavrogiannopoulos, 2019-07-09, files: 8, lines: -71/+507)
|\ \ \ \ \ \
| |/ / / / /
|/| | | | |
| | | | | |  Improve the OCSP (status request) and interop testing
| | | | | |  See merge request gnutls/gnutls!1024
| * | | | | testcompat-openssl: added interop test with DTLS 1.2 (Nikos Mavrogiannopoulos, 2019-07-03, files: 1, lines: -2/+89)
| | | | | |  This tests AES-CBC ciphersuites in isolation, as they are prioritized lower than AES-GCM. We want to test them explicitly because they have different behavior under EtM.
| | | | | |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | | | | tests: added sanity check for rfc7633 behavior (Nikos Mavrogiannopoulos, 2019-07-03, files: 3, lines: -1/+380)
| | | | | |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| * | | | | tests: status-request-missing: renamed to rfc7633-missing (Nikos Mavrogiannopoulos, 2019-07-03, files: 2, lines: -1/+1)
| | | | | |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | | | | status-request-ext: run under all TLS versions (Nikos Mavrogiannopoulos, 2019-07-03, files: 1, lines: -7/+16)
| | | | | |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | | | | tests: status-request: cleanup (Nikos Mavrogiannopoulos, 2019-07-03, files: 3, lines: -38/+3)
| | | | | |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | | | | tests: status-request-missing: run for all TLS versions (Nikos Mavrogiannopoulos, 2019-07-03, files: 1, lines: -22/+18)
| | |_|_|/
| |/| | |
| | | | |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | | | doc update [ci skip] (Nikos Mavrogiannopoulos, 2019-07-08, files: 1, lines: -1/+1)
|/ / / /
| | | |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | | Merge branch 'tmp-cli-debug' into 'master' (Dmitry Eremin-Solenikov, 2019-07-01, files: 4, lines: -2/+32)
|\ \ \ \
| |_|/ /
|/| | |
| | | |  gnutls-cli-debug: test whether RSA key exchange is supported
| | | |  Closes #449
| | | |  See merge request gnutls/gnutls!1039
| * | | gnutls-cli-debug: test whether RSA key exchange is supported (Nikos Mavrogiannopoulos, 2019-06-29, files: 4, lines: -2/+32)
| | | |  Resolves: #449
| | | |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | | Merge branch 'tmp-fix-desc' into 'master' (Nikos Mavrogiannopoulos, 2019-06-30, files: 3, lines: -5/+325)
|\ \ \ \
| | | | |  gnutls_session_get_desc: avoid printing a NULL value
| | | | |  See merge request gnutls/gnutls!1038
| * | | | gnutls_session_get_desc: avoid printing a NULL value [tmp-fix-desc] (Nikos Mavrogiannopoulos, 2019-06-29, files: 3, lines: -5/+325)
| | | | |  When gnutls_session_set_premaster() is used (under openconnect), it is possible that gnutls_session_get_desc will print a string like this: "(DTLS1.2)-(ECDHE-(null))-(AES-256-GCM)"
| | | | |  With this change we ensure that we do not print null values.
| | | | |  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | | | Merge branch 'tmp-fips-drbg-continuous' into 'master' (Daiki Ueno, 2019-06-30, files: 1, lines: -21/+81)
|\ \ \ \ \
| |_|/ / /
|/| | | |
| | | | |  nettle/rnd-fips: add FIPS 140-2 continuous RNG test
| | | | |  See merge request gnutls/gnutls!1034
| * | | | nettle/rnd-fips: add FIPS 140-2 continuous RNG test [tmp-fips-drbg-continuous] (Daiki Ueno, 2019-06-28, files: 1, lines: -21/+81)
| | | | |  This adds a continuous random number generator test as defined in FIPS 140-2 4.9.2, by iteratively fetching fixed sized block from the system and comparing consecutive blocks.
| | | | |  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | | | | Merge branch 'mac-gmac' into 'master' (Dmitry Eremin-Solenikov, 2019-06-29, files: 9, lines: -6/+280)
|\ \ \ \ \
| | | | | |  lib: add support for AES-GMAC
| | | | | |  Closes #781
| | | | | |  See merge request gnutls/gnutls!1036
| * | | | | lib: document gnutls_hmac_fast vs nonce relationship (Dmitry Eremin-Solenikov, 2019-06-28, files: 2, lines: -6/+7)
| | | | | |  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | | | tests/gnutls_hmac_fast: run test for AES-UMAC-96/-128 (Dmitry Eremin-Solenikov, 2019-06-28, files: 1, lines: -0/+20)
| | | | | |  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | | | nettle: return true for gnutls_mac_exists(AES-CMAC*) (Dmitry Eremin-Solenikov, 2019-06-28, files: 1, lines: -0/+2)
| | | | | |  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | | | NEWS: add an entry for AES-GMAC algorithms (Dmitry Eremin-Solenikov, 2019-06-28, files: 1, lines: -0/+5)
| | | | | |  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | | | tests/gnutls_hmac_fast: run test for AES-GMAC-128/-192/-256 (Dmitry Eremin-Solenikov, 2019-06-28, files: 1, lines: -0/+31)
| | | | | |  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>