Commit log (newest first). Each entry gives the commit title (branch or tag decoration in square brackets), then author, date, number of files changed and lines removed/added, followed by the commit message.
* crypto-selftests-pk.c: Cleanup self tests [tmp-fips-sign-post]
  Anderson Toshiyuki Sasaki, 2019-09-26, 1 file, -33/+9

  test_sig() always uses the same key for RSA, DSA, and ECDSA regardless of the value provided in the "bits" parameter. Therefore, avoid printing specific information (number of bits or name of the curve). Changes test_sig() to use a 2048-bit key for DSA; deleted the hardcoded 512-bit DSA key. Avoid calling test_sig() multiple times for ECDSA: the same key is used regardless of the curve provided in the parameters.
  Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

* crypto-selftests-pk.c: Fix PK_KNOWN_TEST and PK_TEST
  Anderson Toshiyuki Sasaki, 2019-09-26, 1 file, -17/+20

  Remove the flag check from the end of the macros. This change allows more than one test to run in sequence when GNUTLS_SELF_TEST_FLAG_ALL is not set. Move the flag checks to run the minimal set of tests required for FIPS and keep the previous behaviour for GOST (run the first test for each algorithm).
  Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

* crypto-selftests-pk.c: Fix test_known_sig
  Anderson Toshiyuki Sasaki, 2019-09-26, 1 file, -11/+20

  Previously a new signature was generated only for deterministic algorithms (i.e. only RSA). With this, a new signature is always generated (and compared with a stored signature for deterministic algorithms). The signature verification is tested for both generated and stored signatures.
  Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

* tests: Run rng-no-onload test in FIPS mode
  Anderson Toshiyuki Sasaki, 2019-09-26, 1 file, -5/+7

  This changes the function used in the test to override gnutls_rnd() so that it fills the given buffer with a different value each time it is called. This allows the test to run when FIPS mode is enabled. Previously the rng-no-onload test could get stuck if FIPS mode was enabled. This happened if the gnutls_rnd() function was called during global_init() in a loop that checks the generated value (e.g. if ECDSA signature generation is called during self tests).
  Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

* crypto-selftests-pk.c: Add a comparison with a known signature
  Anderson Toshiyuki Sasaki, 2019-09-26, 1 file, -0/+13

  For RSA, compare the generated signature with a stored known value in test_sig().
  Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

* crypto-selftests-pk.c: Move hardcoded values to the top
  Anderson Toshiyuki Sasaki, 2019-09-26, 1 file, -112/+112

  The objective of moving these values to the top is to allow them to be used by other functions, in particular test_sig().
  Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* Merge branch 'tmp-update-nettle-compat' into 'master'
  Nikos Mavrogiannopoulos, 2019-09-23, 4 files, -26/+16

  fix nettle 3.5 issues/warnings
  Closes #835
  See merge request gnutls/gnutls!1067

* tests: cipher-alignment: ensure cipher registration
  Nikos Mavrogiannopoulos, 2019-09-23, 1 file, -1/+6

  That is, ensure that the registered cipher is called at least once in the program. That is, to make this test fail if the registration API ever becomes deprecated/no-op.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* tests: mini-alignment moved to modern nettle API
  Nikos Mavrogiannopoulos, 2019-09-23, 2 files, -14/+9

  That is, it no longer uses the deprecated API, and it is also removed to cipher-alignment for clarity.
  Resolves: #835
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* nettle: use nettle_get_secpp* consistently
  Nikos Mavrogiannopoulos, 2019-09-23, 2 files, -11/+1

  We already depend on nettle 3.4.1, which provides that symbol; ensure that we use it consistently.
  Relates: #835
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'tmp-pkcs11-mock' into 'master'
  Nikos Mavrogiannopoulos, 2019-09-20, 2 files, -20/+31

  pkcs11-mock: updated license based on upstream project [ci skip]
  See merge request gnutls/gnutls!1065

* pkcs11-mock: updated license based on upstream project [ci skip]
  Nikos Mavrogiannopoulos, 2019-09-20, 2 files, -20/+31

  Based on the relicense of the original project: https://github.com/Pkcs11Interop/pkcs11-mock
  Applied in commit: 8751256956e414c1b0a30414831f5083afbf64bf
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'wip-guile-3.0' into 'master'
  Daiki Ueno, 2019-09-16, 3 files, -7/+7

  Add support for Guile 3.0
  See merge request gnutls/gnutls!1020

* guile: Add support for Guile 3.0.
  Ludovic Courtès, 2019-09-16, 2 files, -5/+5

    * configure.ac: Add 3.0 to 'GUILE_PKG', as well as the previously-supported versions.
    * doc/gnutls-guile.texi (Guile Preparations): Update list of supported versions.
  Signed-off-by: Ludovic Courtès <ludo@gnu.org>

* doc: Run guile with '-q'.
  Ludovic Courtès, 2019-09-16, 1 file, -2/+2

  This makes sure we don't load the user's ~/.guile.
    * doc/Makefile.am (GUILE_FOR_BUILD): Pass '-q'.
  Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* Merge branch 'wip-guile-include-m4-macros' into 'master'
  Daiki Ueno, 2019-09-16, 3 files, -1/+405

  maint: Include Guile's M4 macros.
  See merge request gnutls/gnutls!1061

* .gitlab-ci.yml: bump configure cache version [tmp-guile-include-m4-macros]
  Daiki Ueno, 2019-09-11, 1 file, -1/+1

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* .gitlab-ci.yml: export guile related envvars for doc-dist.Fedora
  Daiki Ueno, 2019-09-11, 1 file, -1/+9

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* .gitlab-ci.yml: minimal.Fedora.x86_64: Pass '--disable-guile' the 2nd time as well.
  Ludovic Courtès, 2019-09-05, 1 file, -0/+1

  Signed-off-by: Ludovic Courtès <ludo@gnu.org>

* .gitlab-ci.yml: doc-dist.Fedora: Pass "GUILE", "GUILD", and "guile_snarf" to 'configure'.
  Ludovic Courtès, 2019-09-05, 1 file, -1/+1

  Signed-off-by: Ludovic Courtès <ludo@gnu.org>

* maint: Include Guile's M4 macros.
  Ludovic Courtès, 2019-09-05, 2 files, -0/+395

  This ensures 'GUILE_PKG' & co. behave as we want. Previously we had problems in CI when using 'guile.m4' coming from potentially old distro packages, as discussed in issue !1020: https://gitlab.com/gnutls/gnutls/merge_requests/1020#note_194443890
    * m4/guile.m4: New file, from Guile's 'stable-2.2' branch, commit 9846178c69445142ef0b9432417453d2d4de6635.
    * .x-sc_prohibit_test_minus_ao: New file.
  Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* Merge branch 'tmp-interop-old-gnutls' into 'master'
  Nikos Mavrogiannopoulos, 2019-09-13, 11 files, -23/+265

  Do not forbid excess random padding in TLS1.x CBC ciphersuites
  Closes #811
  See merge request gnutls/gnutls!1054

* tlsfuzzer: enable atypical padding check
  Nikos Mavrogiannopoulos, 2019-09-13, 4 files, -18/+32

  The atypical padding check is complementary to the existing GnuTLS 2.12.x interop test. This commit also upgrades to the latest version, and adds new TLS1.3 tests as well.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* tests: check interoperability testing with gnutls 2.12.x and SHA256
  Nikos Mavrogiannopoulos, 2019-09-06, 1 file, -2/+14

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites
  Nikos Mavrogiannopoulos, 2019-09-06, 3 files, -4/+15

  Since some point in 3.6.x we updated the calculation of the maximum record size; however, that did not include the possibility of random record padding available for CBC ciphersuites, which exceeds the maximum. This commit allows for larger sizes for these ciphersuites to account for random padding as applied by gnutls 2.12.x.
  Resolves: #811
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* tests: added interoperability test with gnutls 2.12.x
  Nikos Mavrogiannopoulos, 2019-09-01, 4 files, -1/+206

  This enables this test in the debian build.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-decr-len' into 'master'
  Daiki Ueno, 2019-09-12, 27 files, -83/+64

  gnutls_int.h: make DECR_LEN neutral to signedness
  See merge request gnutls/gnutls!1056

* lib/*: remove unnecessary cast to ssize_t [tmp-decr-len]
  Daiki Ueno, 2019-09-12, 26 files, -78/+58

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* gnutls_int.h: make DECR_LEN neutral to signedness
  Daiki Ueno, 2019-09-12, 1 file, -5/+6

  DECR_LEN was previously implemented in a way that it first decrements the given length and then checks whether the result is negative. This requires the caller to properly coerce the length argument to a signed integer, before invoking the macro.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Merge branch 'fix-priority-setting' into 'master'
  Dmitry Eremin-Solenikov, 2019-09-06, 1 file, -1/+1

  priority: fix loop which removes systemwide disabled KX algos
  See merge request gnutls/gnutls!1064

* priority: fix loop which removes systemwide disabled KX algos
  Dmitry Eremin-Solenikov, 2019-09-05, 1 file, -1/+1

  Fix c&p error in KX-removal loop.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Merge branch 'fix-cli-debug' into 'master'
  Dmitry Eremin-Solenikov, 2019-09-06, 3 files, -60/+56

  gnutls-cli-debug: fix early break for no version supported check
  See merge request gnutls/gnutls!1063

* gnutls-cli-debug: fix early break for no version supported check
  Dmitry Eremin-Solenikov, 2019-09-02, 3 files, -60/+56

  Currently the gnutls-cli-debug code hardcodes the index of tests after which it will check if any known protocols (SSL 3.0/TLS1.[0123]) are supported by the server. However, this number is hardcoded and thus easy to break. This is exactly what happened after adding the %ALLOW_SMALL_RECORDS check: two tests were added in front of the tests list without updating this index. So let's make this check robust by adding another test which will return a fatal error if no known protocols are supported. While we are at it, also simplify the tests loop by removing the internal loop completely and controlling opening/closing a socket with a flag.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Merge branch 'tmp_rawpk_fuzzing' into 'master'
  Nikos Mavrogiannopoulos, 2019-09-04, 6 files, -0/+281

  Raw public key fuzzing tests
  Closes #687
  See merge request gnutls/gnutls!1062

* Added initial corpora for rawpk client and server fuzzers.
  Tom Vrancken, 2019-09-02, 2 files, -0/+0

  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>

* Implemented server rawpk fuzzer.
  Tom Vrancken, 2019-09-02, 2 files, -0/+106

  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>

* Implemented client rawpk fuzzer.
  Tom Vrancken, 2019-09-02, 3 files, -0/+175

  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* Merge branch 'wip-certificate-status' into 'master'
  Nikos Mavrogiannopoulos, 2019-09-04, 3 files, -1/+30

  guile: Update the list of certificate status values.
  See merge request gnutls/gnutls!1060

* guile: Update the list of certificate status values.
  Ludovic Courtès, 2019-08-31, 3 files, -1/+30

    * guile/modules/gnutls/build/enums.scm (%certificate-status-enum): Add 'gnutls_certificate_status_t' values that were missing.
    * guile/src/core.c (scm_gnutls_peer_certificate_status): Add 'MATCH_STATUS' clauses to handle them.
    * guile/modules/gnutls.in: Export them.
  Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* Merge branch 'mcatanzaro/typo' into 'master'
  Daiki Ueno, 2019-08-14, 1 file, -1/+1

  Fix typo in gnutls_db_set_cache_expiration() docs
  See merge request gnutls/gnutls!1057

* Fix typo in gnutls_db_set_cache_expiration() docs
  Michael Catanzaro, 2019-08-13, 1 file, -1/+1

  21600 seconds is six hours.
  Signed-off-by: Michael Catanzaro <mcatanzaro@gnome.org>
* Merge branch 'tmp-encryptv2' into 'master'
  Daiki Ueno, 2019-08-09, 15 files, -114/+943

  crypto-api: add gnutls_aead_cipher_{en,de}cryptv2
  Closes #718
  See merge request gnutls/gnutls!1052

* crypto-api: add gnutls_aead_cipher_{en,de}cryptv2 [tmp-encryptv2]
  Daiki Ueno, 2019-08-09, 11 files, -4/+541

  This adds an in-place equivalent of gnutls_aead_cipher_encrypt() and gnutls_aead_cipher_decrypt() that works on data buffers.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* crypto-api: use giovec_t iterator interface for aead_encryptv
  Daiki Ueno, 2019-08-09, 1 file, -110/+57

  This replaces the macros AUTH_UPDATE and ENCRYPT used in gnutls_aead_cipher_encryptv() with the iov_iter interface.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* iov: add iterator interface for giovec_t
  Daiki Ueno, 2019-08-09, 7 files, -2/+347

  This adds an iterator interface over a giovec_t array, extracting a fixed-size block.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Merge branch 'tmp-deterministic-ecdsa' into 'master'
  Daiki Ueno, 2019-08-08, 18 files, -14/+845

  pk: implement deterministic ECDSA/DSA for provable signing
  Closes #94
  See merge request gnutls/gnutls!1051

* nettle: prohibit deterministic ECDSA/DSA under FIPS except selftests [tmp-deterministic-ecdsa]
  Daiki Ueno, 2019-08-08, 2 files, -7/+28

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* nettle: enable deterministic ECDSA/DSA during FIPS selftests
  Daiki Ueno, 2019-08-08, 1 file, -2/+4

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* pk: implement deterministic ECDSA/DSA
  Daiki Ueno, 2019-08-08, 11 files, -5/+290

  This exposes the deterministic ECDSA/DSA functionality through the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* privkey_sign_prehashed: remove unused argument
  Daiki Ueno, 2019-08-08, 1 file, -5/+4

  Signed-off-by: Daiki Ueno <dueno@redhat.com>