Commit message [Author, Age, Files, Lines]
* CONTRIBUTING.md: document unit testing method of internal functions [ci skip] (ref: tmp-include-unit-testing-doc) [Nikos Mavrogiannopoulos, 2019-04-07, files: 1, lines: -3/+5]
    Resolves: #749
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-client-auth-decline' into 'master' [Daiki Ueno, 2019-04-07, files: 8, lines: -29/+629]
    cert auth: reject auth if no signature algorithm is usable in TLS 1.3
    Closes #730
    See merge request gnutls/gnutls!967
| * tests: add post-handshake auth test using PKCS#11 token [Daiki Ueno, 2019-04-07, files: 3, lines: -0/+468]
    This adds a test that exercises the client's auth rejection logic, using the RSA-PSS disabled PKCS #11 token.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * tests: add mock PKCS#11 module disabling RSA-PSS [Daiki Ueno, 2019-04-07, files: 2, lines: -0/+114]
    This adds libpkcs11mock2.so, which wraps SoftHSM but filters out the use of the CKM_RSA_PKCS_PSS mechanism. That way we can simulate the situation where the certificate is RSA while the private key cannot be used for RSA-PSS.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * cert auth: reject auth if no signature algorithm is usable in TLS 1.3 [Daiki Ueno, 2019-04-04, files: 3, lines: -23/+42]
    Previously, when there is no overlap between usable signature algorithms and the "signature_algorithms" extension in Certificate Request, the client failed in sending Certificate Verify, followed by a connection close. In TLS 1.3, it is possible to keep the connection but reject the authentication by not sending Certificate Verify.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * handshake: remove unnecessary HSK_CRT_SENT flag [Daiki Ueno, 2019-04-03, files: 2, lines: -6/+5]
    Previously, while the flag HSK_CRT_SENT was checked in _gnutls13_send_certificate_verify, the flag was never set anywhere.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Merge branch 'tmp-cmac-cfb8-fix' into 'master' [Tim Rühsen, 2019-04-06, files: 3, lines: -1/+9]
    nettle: include config.h before checking for definitions
    See merge request gnutls/gnutls!970
| * | nettle: include config.h before checking for definitions (ref: tmp-cmac-cfb8-fix) [Nikos Mavrogiannopoulos, 2019-04-06, files: 3, lines: -1/+9]
    This makes sure that we don't include the internal backport if compiled with a version of nettle that includes that code. We also exclude nettle/backport from the static analyzer's list as it contains files outside our control (from nettle project).
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | Merge branch 'master' into 'master' [Tim Rühsen, 2019-04-05, files: 1, lines: -0/+3]
    [OSCP] Fix : null pointer resp
    See merge request gnutls/gnutls!969
| * | [OSCP] Fix : null pointer resp [Elta Koepp, 2019-04-05, files: 1, lines: -0/+3]
    Signed-off-by: Elta Koepp <elta_koepp@gmail.com>
* | | gnutls_memset(): calling explicit_bzero() is enough to zero-fill a buffer [Maciej S. Szmigiero, 2019-04-05, files: 1, lines: -0/+1]
    If we use explicit_bzero() to zero-fill a buffer in gnutls_memset() we don't need to zero it again via a volatile trick later in this function.
    Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
* | .gitlab-ci.yml: do not run commit-check on master branch [Nikos Mavrogiannopoulos, 2019-04-03, files: 1, lines: -0/+2]
    That is, because there are no diffs to check.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'check_if_signed' into 'master' [Nikos Mavrogiannopoulos, 2019-04-02, files: 1, lines: -10/+15]
    Fix check_if_signed
    See merge request gnutls/gnutls!964
| * Fix check_if_signed [Simo Sorce, 2019-04-01, files: 1, lines: -10/+15]
    Fix the target branch we check against by adding upstream as remote.
    Drop the use of set -e as this causes the shell to immediately exit on errors instead of allowing the code to check the failure and report what it failed about.
    Also print which commits are being checked and what information was found so that a CI failure can be better diagnosed.
    Signed-off-by: Simo Sorce <simo@redhat.com>
* | doc update [ci skip] [Nikos Mavrogiannopoulos, 2019-03-30, files: 1, lines: -0/+8]
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | Vendor in XTS functionality from Nettle [Simo Sorce, 2019-03-29, files: 10, lines: -0/+536]
    If nettle's XTS is not available, use a vendored in version from master. This is necessary as long as we need to link against 3.4 for ABI compatibility reasons.
    Signed-off-by: Simo Sorce <simo@redhat.com>
* fuzz: improvements in gnutls_x509_verify_fuzzer [ci skip] [Nikos Mavrogiannopoulos, 2019-03-29, files: 431, lines: -4/+68]
    Added a larger set of corpus (generated with afl-fuzz), and made sure that the fuzzer application crashes if verification succeeds.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-fail-sigcheck' into 'master' [Tim Rühsen, 2019-03-28, files: 2, lines: -3/+5]
    Let check_if_signed fail if git fails
    See merge request gnutls/gnutls!962
| * Let check_if_signed fail if git fails (ref: tmp-fail-sigcheck) [Tim Rühsen, 2019-03-28, files: 2, lines: -3/+5]
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Merge branch 'master' into 'master' [Tim Rühsen, 2019-03-27, files: 1, lines: -0/+3]
    Detect malloc failure.
    See merge request gnutls/gnutls!960
| * Update ocsptool-common.c [Elta Koepp, 2019-03-27, files: 1, lines: -2/+1]
| * Detect malloc failure. [Elta Koepp, 2019-03-27, files: 1, lines: -0/+4]
    malloc(data.size + 1) may return NULL on failure.
* released 3.6.7 (ref: gnutls_3_6_7) [Nikos Mavrogiannopoulos, 2019-03-27, files: 1, lines: -8/+15]
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* handshake: add missing initialization of local variable [Daiki Ueno, 2019-03-27, files: 1, lines: -0/+2]
    Resolves: #704
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* fuzz: added fuzzer for certificate verification [Nikos Mavrogiannopoulos, 2019-03-27, files: 8, lines: -2/+286]
    This also adds a reproducer for CVE-2019-3829.
    Resolves: #694
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'sha3_selftests' into 'master' [Nikos Mavrogiannopoulos, 2019-03-26, files: 1, lines: -0/+25]
    fips140: Perform SHA-3 self tests
    See merge request gnutls/gnutls!958
| * fips140: Perform SHA-3 self tests [Anderson Toshiyuki Sasaki, 2019-03-26, files: 1, lines: -0/+25]
    It is required to perform the self tests to validate SHA-3 implementation.
    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* | bumped version [Nikos Mavrogiannopoulos, 2019-03-26, files: 2, lines: -2/+2]
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-increase-nr-of-tickets' into 'master' [Nikos Mavrogiannopoulos, 2019-03-26, files: 9, lines: -35/+67]
    handshake: increase the default number of tickets we send to 2
    Closes #596
    See merge request gnutls/gnutls!942
| * handshake: increase the default number of tickets we send to 2 (ref: tmp-increase-nr-of-tickets) [Nikos Mavrogiannopoulos, 2019-03-20, files: 9, lines: -35/+67]
    This makes it easier for clients which perform multiple connections to the server to use the tickets sent by a default server. That's because 2 tickets allow for 2 new connections (if one is using each ticket once as recommended), which in turn lead to 4 new and so on.
    Resolves: #596
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-security-update' into 'master' [Dmitry Eremin-Solenikov, 2019-03-26, files: 1, lines: -5/+5]
    SECURITY.md: updated to reflect the current practice
    See merge request gnutls/gnutls!951
| * | SECURITY.md: updated to reflect the current practice [ci skip] (ref: tmp-security-update) [Nikos Mavrogiannopoulos, 2019-03-09, files: 1, lines: -5/+5]
    This change updates the SECURITY guidelines to reflect the current practice (no special security releases), and thus refer directly to the upcoming or following release. Furthermore, it removes any mention of absolute time, as the release cadence is already fixed to bi-monthly.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | Merge branch 'guile' into 'master' [Nikos Mavrogiannopoulos, 2019-03-24, files: 1, lines: -22/+1]
    configure.ac: remove --with-guile-site-dir
    See merge request gnutls/gnutls!957
| * | | configure.ac: remove --with-guile-site-dir [Alon Bar-Lev, 2019-03-23, files: 1, lines: -22/+1]
    The hack of distcheck is not known and should not be the default as the GUILE_SITE_DIR macro is the default expected behavior. There is little value in specifying any other location of the site-dir as it is out of the guile configuration so best to remove.
    Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
* | | | tools: removed unused code [Nikos Mavrogiannopoulos, 2019-03-24, files: 2, lines: -58/+0]
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | | gnutls-cli: Fix output with option "--logfile" [Ke Zhao, 2019-03-24, files: 2, lines: -10/+64]
    The X.509 connection would still print informational message to the stdout by default. Move that output to logfile and add x509 functionality test in the test suite.
    Signed-off-by: Ke Zhao <kzhao@redhat.com>
* | | Merge branch 'tmp-improve-session-resumption' into 'master' [Nikos Mavrogiannopoulos, 2019-03-22, files: 7, lines: -11/+139]
    Improved estimation of wait in gnutls_session_get_data2
    Closes #706
    See merge request gnutls/gnutls!936
| * | | Improved estimation of wait in gnutls_session_get_data2 (ref: tmp-improve-session-resumption) [Nikos Mavrogiannopoulos, 2019-03-19, files: 7, lines: -11/+139]
    Previously we would wait an arbitrary value of 50ms for the server to send session tickets. This change makes the client wait for the estimated single trip time + 60 ms for the server to calculate the session tickets. This improves the chance to obtain tickets from internet servers during the call of gnutls_session_get_data2().
    Resolves: #706
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | | _x509_en/decode_provable_seed: clarified purpose of functions [ci skip] [Nikos Mavrogiannopoulos, 2019-03-20, files: 1, lines: -0/+6]
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | Merge branch 'tmp-fix-pkcs11-so' into 'master' [Nikos Mavrogiannopoulos, 2019-03-19, files: 3, lines: -1/+25]
    pkcs11: security officer login implies writable session
    Closes #721
    See merge request gnutls/gnutls!953
| * | pkcs11: security officer login implies writable session (ref: tmp-fix-pkcs11-so) [Nikos Mavrogiannopoulos, 2019-03-15, files: 3, lines: -1/+25]
    According to the PKCS#11 v2.30, 6.7.1 there are no read-only Security Officer sessions.
    Resolves: #721
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | Merge branch 'tmp-remove-fixme' into 'master' [Tim Rühsen, 2019-03-16, files: 13, lines: -35/+14]
    Removed all FIXME comments in code
    See merge request gnutls/gnutls!955
| * | | Removed all FIXME comments in code [ci skip] [Nikos Mavrogiannopoulos, 2019-03-16, files: 13, lines: -35/+14]
    We expand informational comments on limitations, but with removing FIXME (keyword didn't help fixing these), and remove completely unhelpful comments, obsolete ones, or comments about ideas.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | doc update [Nikos Mavrogiannopoulos, 2019-03-16, files: 1, lines: -0/+2]
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | gnutls-cli: Add option "--logfile" to redirect information message output [Ke Zhao, 2019-03-16, files: 7, lines: -187/+346]
    First, add an option "--logfile" so user could choose a specific file to store all the informational messages.
    In some cases, informational messages may cause unexpected result if the output is standard output. With this option, user could redirect these messages to a specific file. This will be helpful in testing and tracking.
    Second, replace printf() function with log_msg() function
    This log_msg() function is used when "--logfile" is enabled.
    Third, add a functionality test for "--logfile" option
    Add a test script to test if "--logfile" option works as it should be.
    Signed-off-by: Ke Zhao <kzhao@redhat.com>
* | Merge branch 'tmp-use-https' into 'master' [Tim Rühsen, 2019-03-13, files: 781, lines: -1066/+1065]
    Change HTTP:// references to HTTPs:// (generally)
    See merge request gnutls/gnutls!910
| * | Update the GNU Free Documentation License (FDL) [Tim Rühsen, 2019-03-13, files: 1, lines: -8/+7]
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
| * | Fix URL of ABI compliance checker [Tim Rühsen, 2019-03-13, files: 1, lines: -1/+1]
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
| * | Fix URLs of p11-kit [Tim Rühsen, 2019-03-13, files: 2, lines: -2/+2]
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
| * | Use https:// in lib/, src/, and m4/ [Tim Rühsen, 2019-03-13, files: 18, lines: -29/+29]
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>