delta/gnutls.git/lib/auth, branch tmp-remove-debugging-code gitlab.com: gnutls/gnutls.git _gnutls_proc_srp_client_kx: use same type in subtracted values 2017-08-16T08:33:45+00:00 Nikos Mavrogiannopoulos nmav@redhat.com 2017-08-14T06:42:51+00:00 2c097389a1585f6723c4b486dbb027e41f5f40c6 This ensures that there are no issues with subtracting those values. Note that the second is read from an uint16_t and thus it is always positive regardless its type. Resolves #244 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> 
This ensures that there are no issues with subtracting those values.
Note that the second is read from an uint16_t and thus it is always
positive regardless its type.

Resolves #244

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
rsa-psk: corrected memory leak on invalid decrypt 2017-08-09T13:33:01+00:00 Nikos Mavrogiannopoulos nmav@redhat.com 2017-08-09T07:52:21+00:00 4cf1b6aa2178dab6f7c2c9810cebfbf725ed8991 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
cert selection: prioritize RSA-PSS certs over RSA 2017-08-08T14:10:51+00:00 Nikos Mavrogiannopoulos nmav@redhat.com 2017-08-08T10:51:58+00:00 70a833c2b9c1296048b51f937263990dda7b6713 RSA and RSA-PSS can both be used for RSA-PSS operations, and as such without prioritizing RSA-PSS certificates it is unknown which certificate will be used for an RSA-PSS operation. The reason we want to have only RSA-PSS keys used for RSA-PSS operations is to cover the use case where a server uses a legacy RSA certificate for clients that don't support RSA-PSS and an RSA-PSS certificate for the rest, thus separating the keys used for these client groups. That separation ensures that any issue on PKCS#1 1.5 (legacy RSA), would not affect sessions which use RSA-PSS. Resolves #243 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> 
RSA and RSA-PSS can both be used for RSA-PSS operations, and
as such without prioritizing RSA-PSS certificates it is unknown
which certificate will be used for an RSA-PSS operation. The
reason we want to have only RSA-PSS keys used for RSA-PSS operations
is to cover the use case where a server uses a legacy RSA certificate
for clients that don't support RSA-PSS and an RSA-PSS certificate
for the rest, thus separating the keys used for these client
groups. That separation ensures that any issue on PKCS#1 1.5
(legacy RSA), would not affect sessions which use RSA-PSS.

Resolves #243

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
gnutls_certificate_credentials_t: combine privkey into cert_st structure 2017-08-08T14:10:51+00:00 Nikos Mavrogiannopoulos nmav@redhat.com 2017-08-08T09:35:26+00:00 dcc956872958ec62352d422d394d509c43ffdd32 This reduces the number of applications and allows for easier use of the structure information, as they are now self-contained for most uses. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> 
This reduces the number of applications and allows for easier
use of the structure information, as they are now self-contained
for most uses.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
gnutls_pk_params_st: separate flags/qbits and curve 2017-08-08T06:30:01+00:00 Nikos Mavrogiannopoulos nmav@redhat.com 2017-08-07T14:23:29+00:00 2c5129f360384cc74aa94290c4edd1463d3e558f Previously we were using the field flags to store the size of q in case of GNUTLS_PK_DH, some key generation flags in case of GNUTLS_PK_RSA, and the curve in case of elliptic curve key. Separate this into multiple fields to reduce confusion on the field. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> 
Previously we were using the field flags to store the
size of q in case of GNUTLS_PK_DH, some key generation flags
in case of GNUTLS_PK_RSA, and the curve in case of elliptic
curve key. Separate this into multiple fields to reduce
confusion on the field.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
prior to negotiating a signature check compatibility with private key 2017-08-04T14:46:18+00:00 Nikos Mavrogiannopoulos nmav@redhat.com 2017-07-28T07:27:03+00:00 31cb0cac7d4f1d34a8c42d65817357ee24e4e0e8 That is, check if the private key can support the public key operation needed for the signature. That in particular includes, excluding the Ed25519 and RSA-PSS from being used with the 'EXT' keys as the current API cannot handle them, and RSA-PSS from being used by PKCS#11 RSA keys which do not provide the CKM_RSA_PKCS_PSS mechanism. Relates #234 Resolves #209 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> 
That is, check if the private key can support the public key operation
needed for the signature. That in particular includes, excluding the
Ed25519 and RSA-PSS from being used with the 'EXT' keys as the
current API cannot handle them, and RSA-PSS from being used by PKCS#11
RSA keys which do not provide the CKM_RSA_PKCS_PSS mechanism.

Relates #234
Resolves #209

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
handshake: select a signature algorithm early 2017-08-04T11:54:42+00:00 Nikos Mavrogiannopoulos nmav@redhat.com 2017-07-11T09:55:52+00:00 c63d58f962b0e2c3b522e49279516d713b3b5925 That is, select the signature algorithm at the point the certificate and ciphersuites are decided. Also ensure that a compatible signature algorithm with the ciphersuite and the key is selected. That prevents situations where a ciphersuite and a certificate are negotiated, but later on the handshake we figure that there are no common signature algorithms. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> 
That is, select the signature algorithm at the point the certificate and
ciphersuites are decided. Also ensure that a compatible signature algorithm
with the ciphersuite and the key is selected.

That prevents situations where a ciphersuite and a certificate are
negotiated, but later on the handshake we figure that there are no
common signature algorithms.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
cleanup: removed duplicate parameter in gnutls_pubkey_st 2017-08-03T09:57:52+00:00 Nikos Mavrogiannopoulos nmav@redhat.com 2017-07-25T11:38:34+00:00 fe47976a6db5b2da86d5b5c53b2bf58ea7dd28b6 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
security_parameters: ease access to group information by keeping pointer to it 2017-08-02T06:26:32+00:00 Nikos Mavrogiannopoulos nmav@redhat.com 2017-07-14T08:35:58+00:00 05a70e1283a1755456f5bb6941b9b0c908a725f1 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
security_parameters: simplified contents by keeping pointer to cipher_suite_entry_st 2017-08-02T06:26:28+00:00 Nikos Mavrogiannopoulos nmav@redhat.com 2017-07-14T08:15:23+00:00 f9b6cfd536fc97a9fdf94e61649bffb682e78de1 That, in addition to simplifying the contents, it allows faster access to ciphersuite's properties. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> 
That, in addition to simplifying the contents, it allows faster access
to ciphersuite's properties.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>