| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
This allows to rely on the assert() macro being functional on
the test suite.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
| |
key operation
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
|
| |
This not only creates a trust list with the system certificates, but
also attempts to verify a certificate, increasing the number of calls
to PKCS#11 verification API (and thus ensuring there are no calls
which may trigger the load of other modules).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE
That is, make sure that all our calls to PKCS#11 subsystem for verification
will only trigger the trust module initialization, and not the generic
PKCS#11 initialization.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
That is always utilize the same flags (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE)
to determine whether to initialize trusted modules only or
proceed with general initialization.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The init_level_t for PKCS#11 modules, was incorrectly handled as a
linear state transition, causing few cases in the transition to be
incorrectly handled. Define precisely the state transitions and
enforce them in _gnutls_pkcs11_check_init.
That addresses a regression introduced by the previous state handling
addition, which made impossible to switch from the trusted state to
the all modules.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, gnutls-serv --echo segfaulted when closing client
connection after inactivity timeout. Here is the valgrind output:
==20246== Invalid free() / delete / delete[] / realloc()
==20246== at 0x4C2FD18: free (vg_replace_malloc.c:530)
==20246== by 0x405310: listener_free (serv.c:154)
==20246== by 0x408B57: tcp_server (serv.c:1568)
==20246== by 0x407DA6: main (serv.c:1231)
==20246== Address 0x6ed4fe0 is 0 bytes inside a block of size 3 free'd
==20246== at 0x4C2FD18: free (vg_replace_malloc.c:530)
==20246== by 0x408A1D: tcp_server (serv.c:1548)
==20246== by 0x407DA6: main (serv.c:1231)
==20246== Block was alloc'd at
==20246== at 0x4C2EB6B: malloc (vg_replace_malloc.c:299)
==20246== by 0x6A64489: strdup (in /usr/lib64/libc-2.25.so)
==20246== by 0x407310: get_response (serv.c:948)
==20246== by 0x408840: tcp_server (serv.c:1492)
==20246== by 0x407DA6: main (serv.c:1231)
==20246==
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
| |
This forces Emacs to use the Linux kernel coding style for all C code.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
| |
Having these files in the git repository causes unnecessary changes
after "make bootstrap".
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
| |
Resolves #332
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
| |
Resolves #331
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
That allows resumed sessions to have the original group information such as
curve used for key exchange or FFDHE parameters.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
starting
This addresses a hang issue on freebsd builds.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This aligns the psktool --help output with the psktool operation.
Suggested by Jack Lloyd.
Resolves #327
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
| |
In addition it includes the 8192-bit parameters, and
the default params used for a new user are the 2k ones.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
| |
Test 1024, 1536, 2048, 3072, 4096 and 8192 bit parameters.
In addition, verify that parameters not in the SRP spec are
rejected by a gnutls client.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
That is, to ensure they are only run after the trust store
is complete and that it doesn't affect its output.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
As we now reject any primes not in the SRP spec, we include
that parameter to ensure we can handle clients within the
spec but with large parameters.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
This implements the SHOULD requirement from RFC5054, i.e., to
only accept group parameters that come from a trusted source,
such as those listed in Appendix A.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
That avoids timeouts in the oss-fuzz infrastructure:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3277
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
That makes the citations to be links in the generated html manual.
Resolves: #321
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
| |
Resolves #322
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Also added reproducer for the memory leak found.
Issue found using oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3159
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
| |
This avoids warnings by static analyzers.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
That should decrease the time spent in configure. Based on suggestions
by Tim Ruehsen.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
That reduces the total time spent per build by caching configure
checks, and compilation artifacts.
Also that patch set no longer uploads coverage files as artifacts.
These files are not generally useful, and removing that "feature"
will reduce CI running time.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
That is, when ck_info matches, we soft fail loading the module.
That is, because in several cases the pointers got by p11-kit
may differ for the same modules.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
Test whether implicit initialization in trusted module (e.g.,
via verification), would result to proper initialization of additional
modules once a PCKS#11 function is called.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This checks:
1. Whether all modules are loaded from p11-kit when
no explicit gnutls_pkcs11_init() is called and
pkcs11 calls are accessed.
2. Whether only the trusted modules are loaded from
p11-kit and no other PKCS#11 calls than PKCS#11
cert validation is performed.
3. Whether the trusted modules are loaded when
gnutls_pkcs11_init() is called with manual
flag.
Resolves #315
Resolves #316
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a PKCS#11 trust module is used in the system, but gnutls_pkcs11_init()
is explicitly called with GNUTLS_PKCS11_FLAG_MANUAL flag, then the PKCS#11
trust store was not loaded, and thus prevent any certificate validation.
This change allows initializing the trust modules only even if generic
PKCS#11 support is disabled by the application.
Relates #316
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|