While the documentation of gnutls_aead_cipher_decrypt indicates that
the inout argument ptext_len initially holds the size that
sufficiently fits the expected output size, there was no runtime check
on that. This makes the interface more robust against misuse.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Fix invalid free in missing issuer test case error path
See merge request gnutls/gnutls!1303
This variable is not initialized in this error path: it's only
initialized if gnutls_x509_crt_get_authority_info_access() succeeds.
Signed-off-by: Michael Catanzaro <mcatanzaro@gnome.org>
Fix typo in API docs
See merge request gnutls/gnutls!1302
Signed-off-by: Michael Catanzaro <mcatanzaro@gnome.org>
pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig()
See merge request gnutls/gnutls!1301
When checking in _gnutls_pubkey_compatible_with_sig() whether a public
key is compatible with a signature algorithm, run first
pubkey_supports_sig() before performing weaker checks that can accept
the given algorithm but with an audit-log warning. This avoids an issue
when a weaker check would log an audit message for some signature
algorithm that would then be determined as incompatible by the
pubkey_supports_sig() check anyway.
For instance, a GnuTLS server might have a certificate with a SECP384R1
public key and a client can report that it supports
ECDSA-SECP256R1-SHA256 and ECDSA-SECP384R1-SHA384. In such a case, the
GnuTLS server will eventually find that it must use
ECDSA-SECP384R1-SHA384 with this public key. However, the code would
first run _gnutls_pubkey_compatible_with_sig() to check if SECP384R1 is
compatible with ECDSA-SECP256R1-SHA256. The function would report the
audit warning "The hash size used in signature (32) is less than the
expected (48)" but then reject the signature algorithm in
pubkey_supports_sig() as incompatible because it has a different curve.
Since the algorithm gets rejected it is not necessary to inform about
its hash size difference in the audit log.
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
nettle: check validity of (EC)DH shared secret before export
See merge request gnutls/gnutls!1299
This implements full public key validation required in
SP800-56A rev3, section 5.6.2.3.3.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This implements full public key validation required in SP800-56A rev3,
section 5.6.2.3.1.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This is necessary for full public key validation in
SP800-56A (revision 3), section 5.6.2.3.1.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of
the calculated shared secret is verified before the data is returned
to the caller. This patch adds the validation check.
Suggested by Stephan Mueller.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the
calculated shared secret is verified before the data is returned to the
caller. This patch adds the validation check.
Suggested by Stephan Mueller.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
RELEASES.md: update for the 3.7.x releases
See merge request gnutls/gnutls!1283
As the information is only useful to developers, having it under
devel/ rather than in the tarball is more relevant.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Reported by Andreas Metzler in:
https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004650.html
Signed-off-by: Daiki Ueno <ueno@gnu.org>
build: use $(LIBPTHREAD) rather than non-existent $(LTLIBPTHREAD)
See merge request gnutls/gnutls!1296
On a very recent openSUSE build, libgnutls is getting built without
libpthread. This caused a thread related error when trying to load a
pkcs11 module that uses threading. The reason is rather convoluted:
glibc actually controls all the pthread_ function calls, but it
returns success without doing anything unless -lpthread is in the link
list. What's happening is that gnutls_system_mutex_init() is being
called on _gnutls_pkcs11_mutex before library pthreading is
initialized, so the pthread_mutex_init ends up being a nop. Then, when
the pkcs11 module is loaded, pthreads get initialized and the call to
pthread_mutex_lock is real, but errors out on the uninitialized mutex.
The problem seems to be that nothing in the gnulib macros gnutls
relies on for threading support detection actually sets LTLIBPTHREAD,
they only set LIBPTHREAD. The fix is to use LIBPTHREAD in
lib/Makefile.in.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
.gitlab-ci: disable config.cache for nettle-master builds
See merge request gnutls/gnutls!1291
Disable usage of config.cache for nettle-master builds. Such
config.cache files can easily become stale, thus resulting in build
failures.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
tests: split up system-override-sig-hash.sh
See merge request gnutls/gnutls!1298
Split up system-override-sig-hash.sh
so that the errors won't get swallowed or conflated.
Also correct unused `srcdir` to `builddir`,
which I believe was meant to be set there.
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Detect the availability of connectx at runtime
See merge request gnutls/gnutls!1294
Fixes this compilation error:
system/fastopen.c:134:9: error: 'connectx' is only available on macOS 10.11 or newer [-Werror,-Wunguarded-availability]
ret = connectx(fd, &endpoints, SAE_ASSOCID_ANY, CONNECT_RESUME_ON_READ_WRITE | CONNECT_DATA_IDEMPOTENT, NULL, 0, NULL, NULL);
^~~~~~~~
/Applications/Xcode9.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/usr/include/sys/socket.h:713:5: note: 'connectx' has been marked as being introduced in macOS 10.11 here, but the deployment target is macOS 10.7.0
The detection is the same as found in curl [1].
If HAVE_BUILTIN_AVAILABLE is not available we fall back to the code without
TCP_FASTOPEN_OSX.
The OS values match exactly the values found in
https://opensource.apple.com/source/xnu/xnu-4570.41.2/bsd/sys/socket.h
[1] https://github.com/curl/curl/commit/870d849d48a26b8eeb0d4bb1f4655367a4a191ca
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
safe_memcmp: remove in favor of gnutls_memcmp
Closes #1042
See merge request gnutls/gnutls!1297
Signed-off-by: Daiki Ueno <ueno@gnu.org>
fips: tighten check on DH parameters according to SP800-56A (rev 3)
See merge request gnutls/gnutls!1295
SP800-56A rev. 3 restricts the FIPS compliant clients to use only
approved DH parameters, defined in RFC 7919 and RFC 3526. This adds a
check in the handling of ServerKeyExchange if DHE is negotiated.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Wipe session ticket keys before releasing the session structure
See merge request gnutls/gnutls!1289
This includes both a copy of the master key and one or two derived
keys, all of which could be used to decrypt session tickets if
stolen. The derived keys could only be used for tickets issued within
a certain time frame (by default several hours).
The documentation for gnutls_session_ticket_enable_server() already
states that the master key should be wiped before releasing it, and
the same should apply to internal copies.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
issues #1018 - Modified the license to GPLv2.1+ to keep with LICENSE file.
See merge request gnutls/gnutls!1285
Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
Detect Python interpreter for tests instead of assuming "python"
Closes #1034
See merge request gnutls/gnutls!1292
Tlsfuzzer also assumed the Python interpreter would be called
"python"; this update is necessary to get a fixed version (see
https://github.com/tomato42/tlsfuzzer/pull/671).
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
This makes the extended test suite work on Debian(-ish) systems
without Python 2, where the Python 3 interpreter is called "python3".
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
GOSTR341194, RIPEMD160: mark as insecure for digital signatures
See merge request gnutls/gnutls!1175
# Conflicts:
# lib/crypto-selftests-pk.c
build: minor fixes
See merge request gnutls/gnutls!1287
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
refine tests for ancient servers which support both SSL 3.0 and TLS 1.0, but both only with %NO_EXTENSIONS
See merge request gnutls/gnutls!1251
both only with %NO_EXTENSIONS
This is a follow-up to !1221.
See #958 and https://gitlab.com/openconnect/openconnect/-/issues/145 for a
real-world example of ancient Cisco servers with these deficiencies.
With !1221 only, gnutls-cli-debug reports that these ancient servers only support
SSL 3.0 (but without extensions). Information after this point is
largely erroneous:
$ gnutls-cli-debug ***vpn.***.com
GnuTLS debug client 3.6.12
Checking ***vpn.***.com:443
whether the server accepts default record size (512 bytes)... no
whether %ALLOW_SMALL_RECORDS is required... no
for SSL 3.0 (RFC6101) support... yes
for SSL 3.0 with extensions... no
With this additional change, gnutls-cli-debug correctly reports that such a
server also supports TLS 1.0 (but again with extensions disabled). Below
I've marked some of the significant fields that have changed:
$ gnutls-cli-debug ***vpn.***.com
GnuTLS debug client 3.6.12
Checking ***vpn.***.com:443
whether the server accepts default record size (512 bytes)... no
whether %ALLOW_SMALL_RECORDS is required... no
for SSL 3.0 (RFC6101) support... yes
for SSL 3.0 with extensions... no
whether we need to disable TLS 1.2... yes
whether we need to disable TLS 1.1... yes
# This is now correct:
whether we need to disable TLS 1.0... no
# This is now correct:
whether %NO_EXTENSIONS is required... yes
# This is now correct:
for TLS 1.0 (RFC2246) support... yes
for TLS 1.1 (RFC4346) support... no
fallback from TLS 1.1 to... failed
for TLS 1.2 (RFC5246) support... no
# This is now correct:
for known TLS or SSL protocols support... yes
TLS1.2 neg fallback from TLS 1.6 to... failed (server requires fallback dance)
for inappropriate fallback (RFC7507) support... no
for HTTPS server name... ******
for certificate chain order... sorted
for Safe renegotiation support (SCSV)... no
for version rollback bug in RSA PMS... no
for version rollback bug in Client Hello... no
whether the server ignores the RSA PMS version... no
whether small records (512 bytes) are tolerated on handshake... yes
whether cipher suites not in SSL 3.0 spec are accepted... yes
whether a bogus TLS record version in the client hello is accepted... yes
whether the server understands TLS closure alerts... partially
whether the server supports session resumption... yes
for anonymous authentication support... no
for ephemeral Diffie-Hellman support... no
for RFC7919 Diffie-Hellman support... no
for AES-GCM cipher (RFC5288) support... no
for AES-CCM cipher (RFC6655) support... no
for AES-CCM-8 cipher (RFC6655) support... no
for AES-CBC cipher (RFC3268) support... no
for CAMELLIA-GCM cipher (RFC6367) support... no
for CAMELLIA-CBC cipher (RFC5932) support... no
# This is now correct:
for 3DES-CBC cipher (RFC2246) support... yes
# This is now correct:
for ARCFOUR 128 cipher (RFC2246) support... yes
for CHACHA20-POLY1305 cipher (RFC7905) support... no
for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... no
for MD5 MAC support... yes
for SHA1 MAC support... yes
for SHA256 MAC support... no
for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... no
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
tests: improve datefudge usage
Closes #1021
See merge request gnutls/gnutls!1288
Suggested by Andreas Metzler in:
https://gitlab.com/gnutls/gnutls/-/issues/1021
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This makes check_for_datefudge not immediately exit the program,
but return non-zero, to allow the tests themselves to control the
behavior when "datefudge" is not found.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
configure.ac: prefer the latest version of build infrastructure
See merge request gnutls/gnutls!1284