| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | | |
| | |
| | |
| | | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| | |
On busybox 'date +%N' returns an empty value.
On 'dash' (Debian shell) $RANDOM doesn't work.
This commit works first tries $RANDOM and then falls back to 'date +%N'.
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |\ \
| | |
| | |
| | |
| | | |
Fix gnutls_pkcs11_token_get_info for short output buffers and fix a memleak
See merge request gnutls/gnutls!827
|
| | | |
| | |
| | |
| | |
| | | |
find_token_modname_cb uses p11_kit_config_option to retrieve the module
name, but its return value (stored in tn.modname) must be freed.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
find_token_modname_cb uses p11_kit_config_option to retrieve the module
name, but its return value must be free'd.
Other fixes:
- Do not silently truncate the output buffer, return an error instead.
- If the module name is unavailable, do not write "(null)" to the
output. Write an empty string instead.
- The module path can be of arbitrary length, so passing output=NULL to
learn the length seems reasonable, except that snprintf crashed on a
NULL pointer dereference.
Fixes: 241f9f0b1 ("Added GNUTLS_PKCS11_TOKEN_MODNAME for gnutls_pkcs11_token_get_info")
Signed-off-by: Peter Wu <peter@lekensteyn.nl>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
It was not clear whether @output_size contains the actual string length
or the buffer length (including null terminator).
Signed-off-by: Peter Wu <peter@lekensteyn.nl>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Created NEWS entry for 3.6.6 and unified the listing of gnutls_init_flags_t
items.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |\ \ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
RFC7250 Raw public keys
Closes #280 and #26
See merge request gnutls/gnutls!650
|
| | |/ /
| | |
| | |
| | | |
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
| |\ \ \
| |/ /
|/| |
| | |
| | | |
Unicode support
See merge request gnutls/gnutls!838
|
| | | | |
|
| |\ \ \
| | | |
| | | |
| | | |
| | | | |
build: remove src/*.bak from distribution
See merge request gnutls/gnutls!808
|
| |/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Instead, include the autogen-generated *.c, *.h and the stamp files in
the distribution.
To prevent the bundled files being linked with incompatible autogen
libopts, this adds an extra check in configure. If the detected
system libopts version is too old, it will use the included libopts
implementation.
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |\ \ \
| | | |
| | | |
| | | |
| | | | |
GNUTLS_PCERT_NO_CERT: marked as unused/ignored
See merge request gnutls/gnutls!837
|
| |/ / /
| | |
| | |
| | |
| | |
| | | |
This flag was already a no-op.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |\ \ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
record: make CCS handling stricter in TLS 1.3
Closes #618
See merge request gnutls/gnutls!817
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
In TLS 1.3, the change_cipher_spec messages received under the
following conditions should be treated as unexpected record type:
containing value other than 0x01, or received after the handshake.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |\ \ \ \
| |/ / /
|/| | |
| | | |
| | | | |
Fix gnutls_handshake_set_timeout() for values < 1000
See merge request gnutls/gnutls!834
|
| |/ / /
| | |
| | |
| | |
| | |
| | |
| | | |
handshake-timeout.c now tests for <1000ms timeout and for >=1000ms
timeout. The test duration decreased from 45s to 1.2s.
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |\ \ \
| | | |
| | | |
| | | |
| | | | |
bootstrap: only update the required submodules for building
See merge request gnutls/gnutls!836
|
| |/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Although we have few submodules they are not all required for
building and testing. This patch modified bootstrap.conf not
to update all of them, but only the necessary for building and
testing.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |\ \ \
| |/ /
|/| |
| | |
| | | |
Fix error message on too old nettle
See merge request gnutls/gnutls!833
|
| |/ /
| |
| |
| | |
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
|
| | |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |\ \
| | |
| | |
| | |
| | |
| | |
| | | |
CVE-2018-16868
Closes #630
See merge request gnutls/gnutls!832
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch tries to make the code have the same time and memory access
aptterns across all branches of the decryption function so that timining
or cache side channels are minimized or neutralized.
To do so it uses a new nettle rsa decryption function that is
side-channel silent.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |/ /
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Fixed the documentation of the function to reflect reality.
This function did not accept the GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION
macro.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |\ \
| | |
| | |
| | |
| | | |
DRBG: Remove all traces of FIPS 140-2 continuous self test
See merge request gnutls/gnutls!820
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Due to removing all of the FIPS 140-2 continuous self test leftovers,
the DRBG test vector must be updated as the very first DRBG block is not
dropped any more.
The test complies with the CAVP test definition specified in "The
NIST SP 800-90A Deterministic Random Bit Generator Validation
System (DRBGVS)" section 6.2.
The test vector is obtained during a successful trial run using the
NIST ACVP server. The following registration was used to generate the
test vector:
{
"algorithm":"ctrDRBG",
"prereqVals":[
{
"algorithm":"AES",
"valValue":"same"
}
],
"predResistanceEnabled":[
false
],
"reseedImplemented":true,
"capabilities":[
{
"mode":"AES-256",
"derFuncEnabled":false,
"entropyInputLen":[
384
],
"nonceLen":[
0
],
"persoStringLen":[
0,
256
],
"additionalInputLen":[
0,
256
],
"returnedBitsLen":512
}
]
},
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
The removal allows the CAVS / ACVP test required for a successful FIPS
140-2 validation to pass.
Signed-off-by: Stephan Mueller <smueller@chronox.de>
|
| |\ \ \
| | | |
| | | |
| | | |
| | | | |
Fix MacOS X builds
See merge request gnutls/gnutls!826
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
It looks like Mac OS X's grep has issues with applying basic regexps
with alternation operator inside. Use several grep calls in pipeline to
achieve the same result.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |/ / /
| | |
| | |
| | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |\ \ \
| |_|/
|/| |
| | |
| | |
| | |
| | | |
lib: fix pkcs11 using defines from PKCS#11 3.0 for EdDSA
Closes #626
See merge request gnutls/gnutls!823
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
pkcs11 support code uses several definitions from forthcoming PKCS#11
standard version. Older p11-kit versions do not provide these
definitions. Detect and disable code supporting EdDSA if compiling
GnuTLS with older p11-kit library.
Closes #626
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Fixes: 88377775a3eff679a9ec60ab9bfc6b3c683a0407
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |\ \
| | |
| | |
| | |
| | | |
tests: fix crl test under MinGW32/64
See merge request gnutls/gnutls!824
|
| |/ /
| |
| |
| |
| |
| |
| | |
Use --outfile instead of output redirection to stop CR from sneaking
into temp file. Extra CR symbols make grep choke on that file.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This fixes a truncation issue in session description information printing
for certain ciphersuites, and adds a limited testing of expected description
strings for certain ciphersuites.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |\ \
| | |
| | |
| | |
| | | |
Fix some minor issue in the TPM test cases
See merge request gnutls/gnutls!814
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Use kill_proc to terminate a process by first sending it SIGTERM,
waiting max. 1 second and then use SIGKILL.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
The dash shell doesn't seem to understand &>/dev/null, so use
>/dev/null to quiet down the help screen check.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
| |\ \ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Prevent applications from combining legacy versions of TLS with TLS1.3
Closes #621
See merge request gnutls/gnutls!815
|
