Commit message | Author | Age | Files | Lines
* doc: reference gnutls_prf_rfc5705 instead of gnutls_prf [303-provide-a-consistent-set-of-default-ciphers-across-supported-protocols] | Nikos Mavrogiannopoulos | 2017-12-08 | 1 | -9/+12
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: utils.h: forbid compilation with NDEBUG [tmp-pkcs11-update] | Nikos Mavrogiannopoulos | 2017-12-03 | 1 | -0/+4
  This allows relying on the assert() macro being functional in the test suite.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: p11-kit-load.sh: verify that all modules are loaded after a private key operation | Nikos Mavrogiannopoulos | 2017-12-03 | 2 | -3/+23
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: enhanced pkcs11/list-tokens | Nikos Mavrogiannopoulos | 2017-12-03 | 1 | -4/+12
  This not only creates a trust list with the system certificates, but also attempts to verify a certificate, increasing the number of calls to PKCS#11 verification API (and thus ensuring there are no calls which may trigger the load of other modules).
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pkcs11 verification: always use the GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE | Nikos Mavrogiannopoulos | 2017-12-03 | 2 | -6/+10
  That is, make sure that all our calls to PKCS#11 subsystem for verification will only trigger the trust module initialization, and not the generic PKCS#11 initialization.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pkcs11: simplify trusted module loading state | Nikos Mavrogiannopoulos | 2017-12-03 | 2 | -13/+15
  That is always utilize the same flags (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE) to determine whether to initialize trusted modules only or proceed with general initialization.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_pkcs11_check_init: improved transition between states | Nikos Mavrogiannopoulos | 2017-12-03 | 3 | -20/+59
  The init_level_t for PKCS#11 modules was incorrectly handled as a linear state transition, causing a few cases in the transition to be incorrectly handled. Define precisely the state transitions and enforce them in _gnutls_pkcs11_check_init. That addresses a regression introduced by the previous state handling addition, which made it impossible to switch from the trusted state to the all modules.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: corrected destructive/p11-kit-load.sh error checking | Nikos Mavrogiannopoulos | 2017-12-02 | 1 | -21/+47
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls-serv: fix double-free on inactivity timeout [tmp-dueno-serv-double-free] | Daiki Ueno | 2017-12-01 | 1 | -0/+1
  Previously, gnutls-serv --echo segfaulted when closing client connection after inactivity timeout. Here is the valgrind output:

  ==20246== Invalid free() / delete / delete[] / realloc()
  ==20246==    at 0x4C2FD18: free (vg_replace_malloc.c:530)
  ==20246==    by 0x405310: listener_free (serv.c:154)
  ==20246==    by 0x408B57: tcp_server (serv.c:1568)
  ==20246==    by 0x407DA6: main (serv.c:1231)
  ==20246==  Address 0x6ed4fe0 is 0 bytes inside a block of size 3 free'd
  ==20246==    at 0x4C2FD18: free (vg_replace_malloc.c:530)
  ==20246==    by 0x408A1D: tcp_server (serv.c:1548)
  ==20246==    by 0x407DA6: main (serv.c:1231)
  ==20246==  Block was alloc'd at
  ==20246==    at 0x4C2EB6B: malloc (vg_replace_malloc.c:299)
  ==20246==    by 0x6A64489: strdup (in /usr/lib64/libc-2.25.so)
  ==20246==    by 0x407310: get_response (serv.c:948)
  ==20246==    by 0x408840: tcp_server (serv.c:1492)
  ==20246==    by 0x407DA6: main (serv.c:1231)
  ==20246==

  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* .dir-locals.el: new file | Daiki Ueno | 2017-11-30 | 1 | -0/+1
  This forces Emacs to use the Linux kernel coding style for all C code.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* build: remove m4 files pulled in by autopoint | Daiki Ueno | 2017-11-30 | 3 | -905/+0
  Having these files in the git repository causes unnecessary changes after "make bootstrap".
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* gnutls_aead_cipher_init: corrected potential memory leak | Nikos Mavrogiannopoulos | 2017-11-29 | 1 | -4/+10
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: provided basic documentation of the FIPS140-2 mode [ci skip] | Nikos Mavrogiannopoulos | 2017-11-28 | 3 | -4/+41
  Resolves #332
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: verify whether group remains the same after resumption [tmp-restore-group-info] | Nikos Mavrogiannopoulos | 2017-11-27 | 1 | -0/+19
  Resolves #331
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_set_resumed_parameters: restore the group from resumed parameters | Nikos Mavrogiannopoulos | 2017-11-27 | 1 | -0/+1
  That allows resumed sessions to have the original group information such as curve used for key exchange or FFDHE parameters.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: removed unnecessary assert | Nikos Mavrogiannopoulos | 2017-11-24 | 1 | -1/+0
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: delete temporary files | Nikos Mavrogiannopoulos | 2017-11-24 | 1 | -0/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* session state: use the right type for send_cert_req variable | Nikos Mavrogiannopoulos | 2017-11-24 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: client-fastopen: introduce child signal handler and delay prior to starting | Nikos Mavrogiannopoulos | 2017-11-24 | 1 | -5/+8
  This addresses a hang issue on freebsd builds.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* psktool: allow up to 512-byte keys | Nikos Mavrogiannopoulos | 2017-11-22 | 1 | -1/+1
  This aligns the psktool --help output with the psktool operation. Suggested by Jack Lloyd.
  Resolves #327
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* getfuncs-map.pl: added gnutls_srp_8192_group* symbols to ignore list [tmp-srp-updates] | Nikos Mavrogiannopoulos | 2017-11-22 | 1 | -0/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* updated auto-generated files | Nikos Mavrogiannopoulos | 2017-11-21 | 4 | -397/+400
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* srptool: --create-conf no longer includes 1024-bit parameters | Nikos Mavrogiannopoulos | 2017-11-21 | 2 | -10/+15
  In addition it includes the 8192-bit parameters, and the default params used for a new user are the 2k ones.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: updated SRP checks | Nikos Mavrogiannopoulos | 2017-11-21 | 1 | -37/+60
  Test 1024, 1536, 2048, 3072, 4096 and 8192 bit parameters. In addition, verify that parameters not in the SRP spec are rejected by a gnutls client.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: move destructive tests after trust store tests | Nikos Mavrogiannopoulos | 2017-11-21 | 1 | -1/+2
  That is, to ensure they are only run after the trust store is complete and that it doesn't affect its output.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc update | Nikos Mavrogiannopoulos | 2017-11-21 | 2 | -0/+15
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: include the 8192-bit SRP prime into param checks | Nikos Mavrogiannopoulos | 2017-11-21 | 1 | -0/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* srp: added the 8192-bit prime | Nikos Mavrogiannopoulos | 2017-11-21 | 3 | -15/+180
  As we now reject any primes not in the SRP spec, we include that parameter to ensure we can handle clients within the spec but with large parameters.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* srp: reject any parameters not in the SRP draft | Nikos Mavrogiannopoulos | 2017-11-21 | 1 | -113/+2
  This implements the SHOULD requirement from RFC5054, i.e., to only accept group parameters that come from a trusted source, such as those listed in Appendix A.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* fuzz: srp-client: decreased acceptable prime bits to 1024 [ci skip] | Nikos Mavrogiannopoulos | 2017-11-21 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: combined key and cert tests [tmp-simplify-tests] | Nikos Mavrogiannopoulos | 2017-11-21 | 67 | -109/+29
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: windows subdir is only included on windows builds | Nikos Mavrogiannopoulos | 2017-11-21 | 1 | -9/+18
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: dtls subdir was merged into main tests | Nikos Mavrogiannopoulos | 2017-11-21 | 3 | -54/+13
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* fuzz: srp-client: restrict prime bits to 1537 [ci skip] | Nikos Mavrogiannopoulos | 2017-11-20 | 1 | -0/+1
  That avoids timeouts in the oss-fuzz infrastructure: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3277
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: corrected typo | Nikos Mavrogiannopoulos | 2017-11-19 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc: better detect acronym keyword on latex output [tmp-doc-fix] | Nikos Mavrogiannopoulos | 2017-11-16 | 1 | -0/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: latex: resolve all citation issues | Nikos Mavrogiannopoulos | 2017-11-16 | 1 | -9/+70
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: citations translate into references in texinfo | Nikos Mavrogiannopoulos | 2017-11-16 | 4 | -5/+14
  That makes the citations to be links in the generated html manual.
  Resolves: #321
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* p11tool: renamed pkcs11_set_pin() to allow static linking | Nikos Mavrogiannopoulos | 2017-11-15 | 3 | -4/+4
  Resolves #322
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* cfg.mk: do not include reproducer files into syntax checks [tmp-fix-memleak] | Nikos Mavrogiannopoulos | 2017-11-15 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_ext_import_proxy: corrected memory leak | Nikos Mavrogiannopoulos | 2017-11-15 | 2 | -8/+8
  Also added reproducer for the memory leak found. Issue found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3159
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tools: do not access unused variables | Nikos Mavrogiannopoulos | 2017-11-14 | 2 | -8/+2
  This avoids warnings by static analyzers.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: disabled gcc warnings on CI builds and use dash | Nikos Mavrogiannopoulos | 2017-11-14 | 2 | -21/+22
  That should decrease the time spent in configure. Based on suggestions by Tim Ruehsen.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: use configure cache file and ccache | Nikos Mavrogiannopoulos | 2017-11-14 | 1 | -42/+72
  That reduces the total time spent per build by caching configure checks, and compilation artifacts. Also that patch set no longer uploads coverage files as artifacts. These files are not generally useful, and removing that "feature" will reduce CI running time.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* doc: corrected typo [ci skip] | Nikos Mavrogiannopoulos | 2017-11-04 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: list-tokens: not only list but also verify whether module is operational | Nikos Mavrogiannopoulos | 2017-11-03 | 1 | -0/+15
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pkcs11: refuse to load modules with duplicate information | Nikos Mavrogiannopoulos | 2017-11-03 | 1 | -1/+2
  That is, when ck_info matches, we soft fail loading the module. That is, because in several cases the pointers got by p11-kit may differ for the same modules.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: enhanced PKCS#11 loading test | Nikos Mavrogiannopoulos | 2017-11-03 | 2 | -0/+14
  Test whether implicit initialization in trusted module (e.g., via verification) would result in proper initialization of additional modules once a PKCS#11 function is called.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added PKCS#11 module loading test | Nikos Mavrogiannopoulos | 2017-11-03 | 7 | -10/+320
  This checks:
  1. Whether all modules are loaded from p11-kit when no explicit gnutls_pkcs11_init() is called and pkcs11 calls are accessed.
  2. Whether only the trusted modules are loaded from p11-kit and no other PKCS#11 calls than PKCS#11 cert validation is performed.
  3. Whether the trusted modules are loaded when gnutls_pkcs11_init() is called with manual flag.
  Resolves #315
  Resolves #316
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pkcs11: allow loading trusted modules when pkcs11 was initialized in manual mode | Nikos Mavrogiannopoulos | 2017-11-03 | 3 | -28/+26
  When a PKCS#11 trust module is used in the system, but gnutls_pkcs11_init() is explicitly called with GNUTLS_PKCS11_FLAG_MANUAL flag, then the PKCS#11 trust store was not loaded, thus preventing any certificate validation. This change allows initializing the trust modules only even if generic PKCS#11 support is disabled by the application.
  Relates #316
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>