| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
| |
This allows the test suite to be run in FIPS140-2 mode.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
This is affected utilization of generated RSA keys under FIPS140-2 mode
which utilizes provable generation.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
| |
That is, in FIPS140-2/Fedora/x86_64 build, run tests under a normal
run (when library is compiled with FIPS140-2 support but not enabled
on run time), and also run tests under a run-time that simulates
FIPS140-2 support.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
non-existent ciphers
That is, do return only the enabled algorithms in states like FIPS140-2,
rather than returning the set that would have been enabled if these
restrictions wouldn't be in place.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
| |
These certificates contain invalid secret key sub-packets.
These trigger invalid memory accesses:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reduces the attack surface on the parsers, and prevents any bugs
in the secret key parser to be exploitable by inserting secret key
sub-packets into an openpgp certificate.
This addresses:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
|
|
| |
That is check the functionality of:
- gnutls_x509_crt_get_subject_unique_id
- gnutls_x509_crt_get_issuer_unique_id
- gnutls_x509_crt_set_issuer_unique_id
- gnutls_x509_crt_set_subject_unique_id
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
This allows printing the reverse map of an IDNA-encoded email.
Modified x509/output to include this decoding for RFC822Name.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
That also removes the incorrect mapping to IDNA punycode when the
input is not printable.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
| |
Relates #179
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
That removes the limits when reading most of the interactive input.
The read_str() function due to its dependence on static variable remains
with a limit, but will output an error if the input string exceeds size.
Resolves #179
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This allows reading longer than 128-byte fields interactively.
The new limit is 512-bytes.
Relates #179
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
| |
approach
That is, do not include the trailing NULL byte size in the
size of the object identifier.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
That is, fix a bug which prevented critical extensions to be stored
if no other free-form extensions were specified.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
That was defined to be gnutls_certificate_verify_flags, and
it allows passing verification flags, such as flags to allow
broken algorithms.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
This is done at is_broken_allowed(), and in fact checking them in
is_level_acceptable() creates a conflict when overrides like flag
GNUTLS_VERIFY_ALLOW_BROKEN is used.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
| |
This flag allows operation of the function even with broken algorithms.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
| |
Also added the IDNA targets to makefile's default target.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
see request in:
https://github.com/google/oss-fuzz/issues/417
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
| |
This triggers an invalid memory access:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
That ensures that there is no read past the end of buffer.
Resolves the oss-fuzz found bug:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391
Relates: #159
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
That is, if --starttls-proto is provided the default port
selected will be converted to host byte order as expected.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
Detected using oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=676
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
That reproduces a memory leak detected in the client code path.
Detected using oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=676
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
That is in order to reduce bloat in the output, which already
contains many identifiers for public key.
See mailing list discussion at:
https://lists.gnupg.org/pipermail/gnutls-devel/2017-February/008324.html
https://lists.gnupg.org/pipermail/gnutls-devel/2017-February/008329.html
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
That is, instead of the public key ID. The key PIN due to HPKP
is now more widely used than hex-based key IDs.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
That is, print the value used by the HPKP protocol as per
RFC7469.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
Reported at:
https://bugzilla.redhat.com/show_bug.cgi?id=1425884
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
|
|
|
|
|
|
|
| |
This introduces a test on PIN input to retrieve an object using
pin-value and pin-source (file).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|