path: root/lib
Commit message [Author, Age, Files, Lines]
...
* handshake: generate early exporter secret [Daiki Ueno, 2019-04-19, 2 files, -1/+13]
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* handshake: move early secrets calculation to pre_shared_key [Daiki Ueno, 2019-04-19, 4 files, -124/+109]
  TLS 1.3 Early Secret and the derived keys are calculated upon a PSK being selected, thus the code fits better in ext/pre_shared_key.c.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* prf: centrally define "exporter" label in handshake.h [Daiki Ueno, 2019-04-19, 2 files, -3/+2]
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Merge branch 'tmp-abigail' into 'master' [Nikos Mavrogiannopoulos, 2019-04-18, 1 file, -0/+2]
  Use libabigail for tracking ABI changes
  See merge request gnutls/gnutls!972
| * gnutls.h: re-define GNUTLS_CRT_RAWPK [Nikos Mavrogiannopoulos, 2019-04-16, 1 file, -0/+2]
    This was available before 3.6.4, and was incorrectly removed. It was found using libabigail tools.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | doc: Add documentation for GNUTLS_CERT_IGNORE [Andreas Metzler, 2019-04-18, 1 file, -2/+3]
    Signed-off-by: Andreas Metzler <ametzler@bebt.de>
* doc: mark TLS1.2 functions as such [ci skip] [Nikos Mavrogiannopoulos, 2019-04-14, 2 files, -3/+10]
  gnutls_cipher_suite_get_name and gnutls_session_get_master_secret are marked as TLS1.2 or earlier-only as they cannot be used with TLS 1.3.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutlsxx.h: removed fixme comments [ci skip] [Nikos Mavrogiannopoulos, 2019-04-13, 1 file, -2/+2]
  They served no purpose.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-client-auth-decline' into 'master' [Daiki Ueno, 2019-04-07, 3 files, -28/+46]
  cert auth: reject auth if no signature algorithm is usable in TLS 1.3
  Closes #730
  See merge request gnutls/gnutls!967
| * cert auth: reject auth if no signature algorithm is usable in TLS 1.3 [Daiki Ueno, 2019-04-04, 2 files, -22/+41]
    Previously, when there is no overlap between usable signature algorithms and the "signature_algorithms" extension in Certificate Request, the client failed in sending Certificate Verify, followed by a connection close. In TLS 1.3, it is possible to keep the connection but reject the authentication by not sending Certificate Verify.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * handshake: remove unnecessary HSK_CRT_SENT flag [Daiki Ueno, 2019-04-03, 2 files, -6/+5]
    Previously, while the flag HSK_CRT_SENT was checked in _gnutls13_send_certificate_verify, the flag was never set anywhere.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | nettle: include config.h before checking for definitions (tmp-cmac-cfb8-fix) [Nikos Mavrogiannopoulos, 2019-04-06, 2 files, -0/+8]
    This makes sure that we don't include the internal backport if compiled with a version of nettle that includes that code. We also exclude nettle/backport from the static analyzer's list as it contains files outside our control (from nettle project).
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | Merge branch 'master' into 'master' [Tim Rühsen, 2019-04-05, 1 file, -0/+3]
    [OSCP] Fix : null pointer resp
    See merge request gnutls/gnutls!969
| * | [OSCP] Fix : null pointer resp [Elta Koepp, 2019-04-05, 1 file, -0/+3]
      Signed-off-by: Elta Koepp <elta_koepp@gmail.com>
* | gnutls_memset(): calling explicit_bzero() is enough to zero-fill a buffer [Maciej S. Szmigiero, 2019-04-05, 1 file, -0/+1]
    If we use explicit_bzero() to zero-fill a buffer in gnutls_memset() we don't need to zero it again via a volatile trick later in this function.
    Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
* Vendor in XTS functionality from Nettle [Simo Sorce, 2019-03-29, 9 files, -0/+529]
  If nettle's XTS is not available, use a vendored in version from master. This is necessary as long as we need to link against 3.4 for ABI compatibility reasons.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* handshake: add missing initialization of local variable [Daiki Ueno, 2019-03-27, 1 file, -0/+2]
  Resolves: #704
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'sha3_selftests' into 'master' [Nikos Mavrogiannopoulos, 2019-03-26, 1 file, -0/+25]
  fips140: Perform SHA-3 self tests
  See merge request gnutls/gnutls!958
| * fips140: Perform SHA-3 self tests [Anderson Toshiyuki Sasaki, 2019-03-26, 1 file, -0/+25]
    It is required to perform the self tests to validate SHA-3 implementation.
    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* | Merge branch 'tmp-increase-nr-of-tickets' into 'master' [Nikos Mavrogiannopoulos, 2019-03-26, 5 files, -31/+58]
    handshake: increase the default number of tickets we send to 2
    Closes #596
    See merge request gnutls/gnutls!942
| * handshake: increase the default number of tickets we send to 2 (tmp-increase-nr-of-tickets) [Nikos Mavrogiannopoulos, 2019-03-20, 5 files, -31/+58]
    This makes it easier for clients which perform multiple connections to the server to use the tickets sent by a default server. That's because 2 tickets allow for 2 new connections (if one is using each ticket once as recommended), which in turn lead to 4 new and so on.
    Resolves: #596
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-improve-session-resumption' into 'master' [Nikos Mavrogiannopoulos, 2019-03-22, 5 files, -10/+34]
    Improved estimation of wait in gnutls_session_get_data2
    Closes #706
    See merge request gnutls/gnutls!936
| * | Improved estimation of wait in gnutls_session_get_data2 (tmp-improve-session-resumption) [Nikos Mavrogiannopoulos, 2019-03-19, 5 files, -10/+34]
      Previously we would wait an arbitrary value of 50ms for the server to send session tickets. This change makes the client wait for the estimated single trip time + 60 ms for the server to calculate the session tickets. This improves the chance to obtain tickets from internet servers during the call of gnutls_session_get_data2().
      Resolves: #706
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | _x509_en/decode_provable_seed: clarified purpose of functions [ci skip] [Nikos Mavrogiannopoulos, 2019-03-20, 1 file, -0/+6]
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-fix-pkcs11-so' into 'master' [Nikos Mavrogiannopoulos, 2019-03-19, 1 file, -1/+1]
    pkcs11: security officer login implies writable session
    Closes #721
    See merge request gnutls/gnutls!953
| * pkcs11: security officer login implies writable session (tmp-fix-pkcs11-so) [Nikos Mavrogiannopoulos, 2019-03-15, 1 file, -1/+1]
    According to the PKCS#11 v2.30, 6.7.1 there are no read-only Security Officer sessions.
    Resolves: #721
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Removed all FIXME comments in code [ci skip] [Nikos Mavrogiannopoulos, 2019-03-16, 12 files, -33/+13]
    We expand informational comments on limitations, but with removing FIXME (keyword didn't help fixing these), and remove completely unhelpful comments, obsolete ones, or comments about ideas.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Use https:// in lib/, src/, and m4/ [Tim Rühsen, 2019-03-13, 12 files, -20/+20]
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Use https:// for www.gnu.org and www.example.com [Tim Rühsen, 2019-03-13, 422 files, -422/+422]
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Merge branch 'tmp-explicit-sanity-checks' into 'master' [Nikos Mavrogiannopoulos, 2019-03-06, 2 files, -4/+24]
  cleanup: _gnutls_recv_handshake: added explicit sanity checks
  See merge request gnutls/gnutls!937
| * _gnutls_recv_handshake: added explicit sanity checks (tmp-explicit-sanity-checks) [Nikos Mavrogiannopoulos, 2019-02-23, 2 files, -4/+24]
    Although, this function acts on the message provided as expected and thus it should never call a message parsing function on unexpected messages, we make a more explicit sanity check. This unifies the sanity checks existing within the involved functions.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | Merge branch 'tmp-cert-req' into 'master' [Daiki Ueno, 2019-03-06, 4 files, -2/+18]
    TLS 1.3: utilize "certificate_required" alert
    Closes #715
    See merge request gnutls/gnutls!946
| * | tls13/certificate: utilize "certificate_required" alert (tmp-cert-req) [Daiki Ueno, 2019-03-05, 4 files, -2/+14]
      This could make errors more distinguishable when the client sends no certificates or a bad certificate.
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | alert: recognize "certificate_required" [Daiki Ueno, 2019-03-04, 2 files, -0/+4]
      This may be sent if the server received an empty Certificate message.
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | | Merge branch 'tmp-doc-update-iv' into 'master' [Nikos Mavrogiannopoulos, 2019-03-05, 2 files, -12/+16]
      Improve documentation for gnutls_cipher_get_iv_size and AEAD ciphers
      Closes #717
      See merge request gnutls/gnutls!941
| * | Clarifications on AEAD ciphers (tmp-doc-update-iv) [Nikos Mavrogiannopoulos, 2019-03-01, 1 file, -10/+12]
      Relates: #716
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | Improve documentation for gnutls_cipher_get_iv_size [Nikos Mavrogiannopoulos, 2019-03-01, 1 file, -2/+4]
      This clarifies what is returned and what is to be expected on algorithms with variable IV sizes.
      Resolves: #717
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | fips140: Ignore newlines read at the end of HMAC file [Anderson Toshiyuki Sasaki, 2019-03-04, 1 file, -0/+7]
      This makes the integrity check to ignore newlines appended after the HMAC value.
      Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* | | fips140: Fix the names of files used in integrity checks [Anderson Toshiyuki Sasaki, 2019-03-04, 1 file, -3/+3]
      The names of the libraries haven't been updated when the soname version were bumped.
      Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* | | Merge branch 'tmp-false-start-clarifications' into 'master' [Nikos Mavrogiannopoulos, 2019-03-02, 7 files, -19/+84]
      Fixed operation under multiple threads
      Closes #713
      See merge request gnutls/gnutls!935
| * | Protected _gnutls_epoch_get from _gnutls_epoch_gc on false start [Nikos Mavrogiannopoulos, 2019-03-02, 3 files, -7/+37]
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | gnutls_record_send2: try to ensure integrity of operations on false and early start [Nikos Mavrogiannopoulos, 2019-03-02, 5 files, -10/+41]
      This adds a double check in the sanity check of gnutls_record_send2() for the initial_negotiation_completed value, making sure that the check will be successful even in parallel operation of send/recv.
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | Make false start and early start multi-thread recv/send safe [Nikos Mavrogiannopoulos, 2019-03-02, 1 file, -3/+4]
      An application that is sending and receiving from different threads after handshake is complete cannot take advantage of false start because gnutls_record_send2() detects operations during the handshake process as invalid. Because in early start and false start the remaining handshake process needs only to receive data, and the sending side is already set-up, this error detection is bogus. With this patch we remove it.
      Resolves: #713
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| * | doc: added more information on operation under multiple threads [Nikos Mavrogiannopoulos, 2019-03-02, 2 files, -1/+4]
      Relates: #713
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | pkcs11: clarify GNUTLS_PKCS11_TOKEN_MODNAME presence [ci skip] (tmp-token-modname-clarifications) [Nikos Mavrogiannopoulos, 2019-02-26, 1 file, -1/+2]
      Resolves: #633
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-reset-after-free' into 'master' [Tim Rühsen, 2019-02-23, 31 files, -72/+14]
    Automatically NULLify after gnutls_free()
    See merge request gnutls/gnutls!923
| * | gnutls_x509_crt_init: Fix dereference of NULL pointer (tmp-reset-after-free) [Tim Rühsen, 2019-02-22, 1 file, -1/+1]
      Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
| * | Remove redundant resets of variables after free() [Tim Rühsen, 2019-02-22, 30 files, -71/+9]
      Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
| * | Automatically NULLify after gnutls_free() [Tim Rühsen, 2019-02-22, 1 file, -0/+4]
      This method prevents direct use-after-free and double-free issues.
      Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | | Merge branch 'tmp-cleanup-cert' into 'master' [Tim Rühsen, 2019-02-23, 1 file, -26/+12]
      Cleanup lib/auth/cert.c as suggested by cppcheck
      See merge request gnutls/gnutls!924