Commit message | Author | Age | Files | Lines
* GNUTLS_PCERT_NO_CERT: marked as unused/ignored [tmp-fix-GNUTLS_PCERT_NO_CERT] (Nikos Mavrogiannopoulos, 2018-12-12, 2 files, -3/+2)
    This flag was already a no-op.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* srp/psk: update recommendations for usernames [ci skip] (Nikos Mavrogiannopoulos, 2018-12-12, 2 files, -12/+17)
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: include PSK examples into documentation (Nikos Mavrogiannopoulos, 2018-12-12, 1 file, -0/+21)
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-ccs-tls13' into 'master' (Nikos Mavrogiannopoulos, 2018-12-11, 6 files, -2/+30)
    record: make CCS handling stricter in TLS 1.3
    Closes #618
    See merge request gnutls/gnutls!817
| * tlsfuzzer: update to the latest upstream to enable CCS tests [tmp-ccs-tls13] (Daiki Ueno, 2018-12-10, 4 files, -0/+6)
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * record: make CCS handling stricter in TLS 1.3 (Daiki Ueno, 2018-12-06, 2 files, -2/+24)
      In TLS 1.3, the change_cipher_spec messages received under the following conditions should be treated as unexpected record type: containing value other than 0x01, or received after the handshake.
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Merge branch 'tmp-fix-timeout' into 'master' (Dmitry Eremin-Solenikov, 2018-12-07, 5 files, -26/+55)
      Fix gnutls_handshake_set_timeout() for values < 1000
      See merge request gnutls/gnutls!834
| * Fix gnutls_handshake_set_timeout() for values < 1000 [tmp-fix-timeout] (Tim Rühsen, 2018-12-06, 5 files, -26/+55)
      handshake-timeout.c now tests for <1000ms timeout and for >=1000ms timeout. The test duration decreased from 45s to 1.2s.
      Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Merge branch 'tmp-submodules' into 'master' (Nikos Mavrogiannopoulos, 2018-12-05, 1 file, -1/+6)
    bootstrap: only update the required submodules for building
    See merge request gnutls/gnutls!836
| * bootstrap: only update the required submodules for building [tmp-submodules] (Nikos Mavrogiannopoulos, 2018-12-05, 1 file, -1/+6)
      Although we have few submodules they are not all required for building and testing. This patch modified bootstrap.conf not to update all of them, but only the necessary for building and testing.
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'tmp-ametzler-nettle-not-found-error' into 'master' (Nikos Mavrogiannopoulos, 2018-12-02, 1 file, -4/+5)
    Fix error message on too old nettle
    See merge request gnutls/gnutls!833
| * Fix error message on old or missing nettle. (Andreas Metzler, 2018-12-01, 1 file, -4/+5)
      Signed-off-by: Andreas Metzler <ametzler@bebt.de>
* released 3.4.1 [gnutls_3_6_5] (Nikos Mavrogiannopoulos, 2018-12-01, 2 files, -13/+16)
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-fix-CVE-2018-16868' into 'master' (Nikos Mavrogiannopoulos, 2018-12-01, 21 files, -65/+410)
    CVE-2018-16868
    Closes #630
    See merge request gnutls/gnutls!832
| * Constant time/cache PKCS#1 RSA decryption [tmp-fix-CVE-2018-16868] (Simo Sorce, 2018-11-30, 19 files, -58/+386)
      This patch tries to make the code have the same time and memory access patterns across all branches of the decryption function so that timing or cache side channels are minimized or neutralized.
      To do so it uses a new nettle rsa decryption function that is side-channel silent.
      Signed-off-by: Simo Sorce <simo@redhat.com>
| * Added test about rsa decryption under pkcs11 (Nikos Mavrogiannopoulos, 2018-11-30, 2 files, -7/+24)
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_crt_set_expiration_time: fixed documentation [ci skip] (Nikos Mavrogiannopoulos, 2018-11-30, 1 file, -3/+3)
    Fixed the documentation of the function to reflect reality. This function did not accept the GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION macro.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* NEWS: updated [ci skip] (Nikos Mavrogiannopoulos, 2018-11-30, 1 file, -13/+13)
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* bumped version (Nikos Mavrogiannopoulos, 2018-11-30, 2 files, -3/+3)
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'drbg' into 'master' (Nikos Mavrogiannopoulos, 2018-11-30, 3 files, -99/+66)
    DRBG: Remove all traces of FIPS 140-2 continuous self test
    See merge request gnutls/gnutls!820
| * DRBG: Use ACVP validated test vector in self test (Stephan Mueller, 2018-11-27, 1 file, -81/+66)
      Due to removing all of the FIPS 140-2 continuous self test leftovers, the DRBG test vector must be updated as the very first DRBG block is not dropped any more.
      The test complies with the CAVP test definition specified in "The NIST SP 800-90A Deterministic Random Bit Generator Validation System (DRBGVS)" section 6.2.
      The test vector is obtained during a successful trial run using the NIST ACVP server. The following registration was used to generate the test vector:
      {
        "algorithm":"ctrDRBG",
        "prereqVals":[ { "algorithm":"AES", "valValue":"same" } ],
        "predResistanceEnabled":[ false ],
        "reseedImplemented":true,
        "capabilities":[
          {
            "mode":"AES-256",
            "derFuncEnabled":false,
            "entropyInputLen":[ 384 ],
            "nonceLen":[ 0 ],
            "persoStringLen":[ 0, 256 ],
            "additionalInputLen":[ 0, 256 ],
            "returnedBitsLen":512
          }
        ]
      },
      Signed-off-by: Stephan Mueller <smueller@chronox.de>
| * DRBG: Remove all traces of FIPS 140-2 continuous self test (Stephan Mueller, 2018-11-25, 2 files, -18/+0)
      The removal allows the CAVS / ACVP test required for a successful FIPS 140-2 validation to pass.
      Signed-off-by: Stephan Mueller <smueller@chronox.de>
* | Merge branch 'test-mingw-macos' into 'master' (Nikos Mavrogiannopoulos, 2018-11-29, 7 files, -8/+9)
      Fix MacOS X builds
      See merge request gnutls/gnutls!826
| * | tests: attempt to fix test errors on Mac OS X (Dmitry Eremin-Solenikov, 2018-11-29, 6 files, -8/+8)
        It looks like Mac OS X's grep has issues with applying basic regexps with alternation operator inside. Use several grep calls in pipeline to achieve the same result.
        Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | travis: print logs for all failed tests (Dmitry Eremin-Solenikov, 2018-11-29, 1 file, -0/+1)
        Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | Merge branch 'ckm-eddsa' into 'master' (Dmitry Eremin-Solenikov, 2018-11-29, 2 files, -0/+15)
      lib: fix pkcs11 using defines from PKCS#11 3.0 for EdDSA
      Closes #626
      See merge request gnutls/gnutls!823
| * | lib: fix pkcs11 using defines from PKCS#11 3.0 for EdDSA [ckm-eddsa] (Dmitry Eremin-Solenikov, 2018-11-28, 2 files, -0/+15)
        pkcs11 support code uses several definitions from forthcoming PKCS#11 standard version. Older p11-kit versions do not provide these definitions. Detect and disable code supporting EdDSA if compiling GnuTLS with older p11-kit library.
        Closes #626
        Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
        Fixes: 88377775a3eff679a9ec60ab9bfc6b3c683a0407
        Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | Merge branch 'fix-mingw' into 'master' (Nikos Mavrogiannopoulos, 2018-11-28, 4 files, -6/+6)
      tests: fix crl test under MinGW32/64
      See merge request gnutls/gnutls!824
| * | tests: fix crl test under MinGW32/64 (Dmitry Eremin-Solenikov, 2018-11-28, 4 files, -6/+6)
        Use --outfile instead of output redirection to stop CR from sneaking into temp file. Extra CR symbols make grep choke on that file.
        Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | Fix session description info printing (Nikos Mavrogiannopoulos, 2018-11-27, 4 files, -41/+95)
      This fixes a truncation issue in session description information printing for certain ciphersuites, and adds a limited testing of expected description strings for certain ciphersuites.
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tpm12_extend_testcase' into 'master' (Tim Rühsen, 2018-11-27, 2 files, -5/+24)
      Fix some minor issue in the TPM test cases
      See merge request gnutls/gnutls!814
| * | tests: tpm: Use kill_proc to terminate a process (Stefan Berger, 2018-11-26, 2 files, -3/+22)
        Use kill_proc to terminate a process by first sending it SIGTERM, waiting max. 1 second and then use SIGKILL.
        Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
| * | tests: tpm: Redirect help screen output to stdout (Stefan Berger, 2018-11-26, 1 file, -2/+2)
        The dash shell doesn't seem to understand &>/dev/null, so use >/dev/null to quiet down the help screen check.
        Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
* | | Merge branch 'tmp-tls10-tls13-fix' into 'master' (Nikos Mavrogiannopoulos, 2018-11-27, 3 files, -10/+34)
        Prevent applications from combining legacy versions of TLS with TLS1.3
        Closes #621
        See merge request gnutls/gnutls!815
| * | | Prevent applications from combining legacy versions of TLS with TLS1.3 [tmp-tls10-tls13-fix] (Nikos Mavrogiannopoulos, 2018-11-27, 3 files, -10/+34)
          It can happen that an application due to a misconfiguration, enables TLS1.3 in combination with TLS1.0 or TLS1.1 only. In that case a server which is unaware of the TLS1.3 protocol will reply by selecting the TLS1.2 protocol instead and that answer will be rejected by the client. With this change we ensure that TLS1.3 is not enabled in these problematic scenarios.
          Resolves: #621
          Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | Merge branch 'pem-notext' into 'master' (Dmitry Eremin-Solenikov, 2018-11-27, 13 files, -82/+201)
        certtool: don't output textual information if --no-text was given
        Closes #487
        See merge request gnutls/gnutls!810
| * | | cert-tests: verify --no-text switch for pkcs7/pkcs12 info (Dmitry Eremin-Solenikov, 2018-11-26, 2 files, -0/+28)
          Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | certtool: don't output textual information if --no-text was given (Dmitry Eremin-Solenikov, 2018-11-26, 2 files, -16/+21)
          Disable text output if --no-text option was given for --p7-info and --p12-info.
          Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | certtool: don't output pkcs12 information to stderr (Dmitry Eremin-Solenikov, 2018-11-26, 2 files, -10/+12)
          Print all pkcs12-info output to outfile, rather than stderr.
          Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | cert-tests: verify --no-text switch for cert/crq/pub/privkeys (Dmitry Eremin-Solenikov, 2018-11-26, 4 files, -0/+86)
          Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | | certtool: don't output textual information if --no-text was given (Dmitry Eremin-Solenikov, 2018-11-26, 6 files, -61/+59)
          Change privkey/certificate/CRL/CSR handling to disable text output if --no-text option was given.
          Closes #487
          Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | | Merge branch 'tmp-minor-fixes' into 'master' (Daiki Ueno, 2018-11-26, 6 files, -103/+106)
        Minor fixes towards 3.6.5
        See merge request gnutls/gnutls!818
| * | doc: suggest to check max_early_data_size before sending early data (Daiki Ueno, 2018-11-26, 1 file, -5/+11)
        Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | tests: resume: suppress compiler warnings (Daiki Ueno, 2018-11-26, 1 file, -4/+1)
        Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | .gitignore: ignore more files and sort them alphabetically (Daiki Ueno, 2018-11-24, 1 file, -77/+90)
        Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | bootstrap.conf: add "autogen" to buildreq (Tim Rühsen, 2018-11-24, 1 file, -0/+1)
        Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
| * | build: fix srcdir detection when VPATH build (Daiki Ueno, 2018-11-24, 1 file, -7/+3)
        Unlike the ".c.c.bak:" and ".h.h.bak:" rules, ".def.stamp:" needs this adjustment because the source files (*.bak) are not provided as $<.
        Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | tests: remove unnecessary session creation in tls13/anti_replay (Daiki Ueno, 2018-11-24, 1 file, -10/+0)
        This test only checks the behavior of _gnutls_anti_replay_check, thus session is not needed at all.
        Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | doc: corrected typos [ci skip] (Nikos Mavrogiannopoulos, 2018-11-21, 1 file, -4/+4)
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | tests: added test for RSA decryption under gnutls_privkey_import_ext4 (Nikos Mavrogiannopoulos, 2018-11-20, 1 file, -17/+40)
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>