| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |\
| |
| |
| |
| | |
build: use $(LIBPTHREAD) rather than non-existent $(LTLIBPTHREAD)
See merge request gnutls/gnutls!1296
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
On a very recent openSUSE build, libgnutls is getting built without
libpthread. This caused a thread related error when trying to load a
pkcs11 module that uses threading. The reason is rather convoluted:
glibc actually controls all the pthread_ function calls, but it
returns success without doing anything unless -lpthread is in the link
list. What's happening is that gnutls_system_mutex_init() is being
called on _gnutls_pkcs11_mutex before library pthreading is
initialized, so the pthread_mutex_init ends up being a nop. Then, when
the pkcs11 module is loaded, pthreads get initialized and the call to
pthread_mutex_lock is real, but errors out on the uninitialized mutex.
The problem seems to be that nothing in the gnulib macros gnutls
relies on for threading support detection actually sets LTLIBPTHREAD,
they only set LIBPTHREAD. The fix is to use LIBPTHREAD in
lib/Makefile.in
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes this compilation error:
system/fastopen.c:134:9: error: 'connectx' is only available on macOS 10.11 or newer [-Werror,-Wunguarded-availability]
ret = connectx(fd, &endpoints, SAE_ASSOCID_ANY, CONNECT_RESUME_ON_READ_WRITE | CONNECT_DATA_IDEMPOTENT, NULL, 0, NULL, NULL);
^~~~~~~~
/Applications/Xcode9.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/usr/include/sys/socket.h:713:5: note: 'connectx' has been marked as being introduced in macOS 10.11 here, but the deployment target is macOS 10.7.0
The detection is the same as found in curl [1].
If HAVE_BUILTIN_AVAILABLE is not available we fallback to the code without
TCP_FASTOPEN_OSX.
The OS values match exactly the values found in
https://opensource.apple.com/source/xnu/xnu-4570.41.2/bsd/sys/socket.h
[1] https://github.com/curl/curl/commit/870d849d48a26b8eeb0d4bb1f4655367a4a191ca
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
SP800-56A rev. 3 restricts the FIPS compliant clients to use only
approved DH parameters, defined in RFC 7919 and RFC 3526. This adds a
check in the handling of ServerKeyExchange if DHE is negotiated.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |/
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\
| |
| |
| |
| | |
Wipe session ticket keys before releasing the session structure
See merge request gnutls/gnutls!1289
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This includes both a copy of the master key and one or two derived
keys, all of which could be used to decrypt session tickets if
stolen. The derived keys could only be used for tickets issued within
a certain time frame (by default several hours).
The documentation for gnutls_session_ticket_enable_server() already
states that the master key should be wiped before releasing it, and
the same should apply to internal copies.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
|
| |\ \
| | |
| | |
| | |
| | | |
issues #1018- Modied the license to GPLv2.1+ to keep with LICENSE file.
See merge request gnutls/gnutls!1285
|
| | |/
| |
| |
| | |
Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
|
| |\ \
| | |
| | |
| | | |
# Conflicts:
# lib/crypto-selftests-pk.c
|
| | |/
| |
| |
| | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |\
| | |
| | |
| | |
| | |
| | |
| | | |
crypto-api: always allocate memory when serializing iovec_t
Closes #1017
See merge request gnutls/gnutls!1278
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The AEAD iov interface falls back to serializing the input buffers if
the low-level cipher doesn't support scatter/gather encryption.
However, there was a bug in the functions used for the serialization,
which causes memory leaks under a certain condition (i.e. the number
of input buffers is 1).
This patch makes the logic of the functions simpler, by removing a
micro-optimization that tries to minimize the number of calls to
malloc/free.
The original problem was reported by Marius Steffen in:
https://bugzilla.samba.org/show_bug.cgi?id=14399
and the cause was investigated by Alexander Haase in:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1277
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |\ \
| | | |
| | | |
| | | |
| | | | |
MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support
See merge request gnutls/gnutls!1161
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add test vectors for newly added MAC algorithms.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This should fix #1020 where bcrypt is missing from thirdparty_libadd.
Ultimately it would be good to add libraries that always need to be linked in
one variable that is shared between the Makefile and the pkg-config file.
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
|
| | |\ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
gnutls_aead_cipher_init: fix potential memleak
Closes #1010
See merge request gnutls/gnutls!1274
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Upon failure this function returns without freeing memory allocated
internally. This makes sure that it is released and do not touch the
output handle argument.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When _gnutls_aead_cipher_init() fails, the function returns without
freeing the allocted handle. This was once fixed in commit
502be130493e8ce802cdf60fffdbb5f1885352a5 but regressed after a code
reorganization in commit 2eef509ce5f2d250f8dcaeffa46444dd2b694e91.
Reported by Miroslav Lichvar.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | | |/
| |/|
| | |
| | | |
Signed-off-by: Sahana Prasad <sahana@redhat.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This adds a valgrind client request for
session->key.session_ticket_key to make sure that it is not used
without initialization.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| | |
There was a confusion in the TOTP implementation in stek.c. When the
mechanism is initialized at the first time, it records the timestamp
but doesn't initialize the key. This removes the timestamp recording
at the initialization phase, so the key is properly set later.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |\
| | |
| | |
| | |
| | | |
_gnutls_pkcs11_verify_crt_status: check validity against system cert
See merge request gnutls/gnutls!1271
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN
to trigger the fallback verification path if the signer of the last
certificate is not in the trust store. Previously, it doesn't take
into account of the condition where the certificate is expired.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
To verify a certificate chain, this function replaces known
certificates with the ones in the system trust store if possible.
However, if it is found, the function checks the validity of the
original certificate rather than the certificate found in the trust
store. That reveals a problem in a scenario that (1) a certificate is
signed by multiple issuers and (2) one of the issuers' certificate has
expired and included in the input chain.
This patch makes it a little robuster by actually retrieving the
certificate from the trust store and perform check against it.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |\ \
| | |/
| |/|
| | |
| | | |
use bcrypt for the windows random generator instead of wincrypt
See merge request gnutls/gnutls!1255
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
CryptoAPI is a deprecated API [1] that is forbidden in UWP builds.
Rewrite the CryptoAPI calls in bcrypt.
bcrypt is used instead of CryptoAPI when targeting Windows Vista and above.
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptdecrypt
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
|
| | |\ \
| | | |
| | | |
| | | |
| | | | |
lib: add support for AES-192-GCM
See merge request gnutls/gnutls!1267
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add support for AES-192 in GCM mode.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| | |\ \ \
| | |_|/
| |/| |
| | | |
| | | | |
lib: improve external file loading
See merge request gnutls/gnutls!1261
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This makes it clear that "fd" is not a file descriptor but a FILE
pointer. Suggested by Tim Rühsen.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This makes use of the RF_SENSITIVE flag newly added to read_file
function when reading potentially senstive information from a file.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This makes use of the "e" flag of fopen, provided by the Gnulib's
fopen-gnu module.
Reported by Remi Denis-Courmont in:
https://gitlab.com/gnutls/gnutls/-/issues/985
and fix suggested by Tim Rühsen.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This brings in the new fopen-gnu module and the RF_SENSITIVE flag for
fread_file and read_file. This also adds the following changes to be
consistent with the latest changes in Gnulib:
- the callers of fread_file and read_file to be adjusted for the FLAGS
argument
- "attribute.h" needs to be used extensively
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |\ \ \
| | | | |
| | | | |
| | | | |
| | | | | |
win32: allow using ncrypt in UWP builds
See merge request gnutls/gnutls!1256
|
| | | | |/
| | |/|
| | | |
| | | |
| | | |
| | | | |
No functional change. The has been simply moved.
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
|
| | |\ \ \
| | | | |
| | | | |
| | | | |
| | | | | |
Allow statically linking ncrypt (win32)
See merge request gnutls/gnutls!1254
|
| | | |/ /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
If _WIN32_WINNT is higher or equal to 0x0600, Vista API's are allowed during
the build. We can assume that the minimum platform the code will run on is
Vista [1]
In that case there's no need to call API's (ncrypt) dynamically when it can be
done statically.
[1] https://docs.microsoft.com/en-us/cpp/porting/modifying-winver-and-win32-winnt
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
|
