summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* tests: update to take into account the removal of random arttmp-print-public-key-pinNikos Mavrogiannopoulos2017-02-2310-120/+0
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509/output: No longer include public key's random artNikos Mavrogiannopoulos2017-02-231-12/+0
| | | | | | | | | | | That is in order to reduce bloat in the output, which already contains many identifiers for public key. See mailing list discussion at: https://lists.gnupg.org/pipermail/gnutls-devel/2017-February/008324.html https://lists.gnupg.org/pipermail/gnutls-devel/2017-February/008329.html Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: updated to include the pin-sha256 in outputNikos Mavrogiannopoulos2017-02-2312-0/+24
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: updated to take into account the pin-sha256 oneline outputNikos Mavrogiannopoulos2017-02-231-1/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509/output: print key PIN on oneline outputNikos Mavrogiannopoulos2017-02-231-4/+4
| | | | | | | That is, instead of the public key ID. The key PIN due to HPKP is now more widely used than hex-based key IDs. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509/output: print the public key PIN of a certificateNikos Mavrogiannopoulos2017-02-233-0/+27
| | | | | | | That is, print the value used by the HPKP protocol as per RFC7469. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: don't warn when 'uri' is specified on templateNikos Mavrogiannopoulos2017-02-231-0/+1
| | | | | | | Reported at: https://bugzilla.redhat.com/show_bug.cgi?id=1425884 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: ubsan build: fixed artifacts pathNikos Mavrogiannopoulos2017-02-231-4/+4
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: split starttls.sh into multiple scriptsNikos Mavrogiannopoulos2017-02-2311-145/+351
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: pkcs11-import-with-pin: removed invalid conditional macroNikos Mavrogiannopoulos2017-02-221-4/+0
|
* tests: added PKCS#11 test for pin inputNikos Mavrogiannopoulos2017-02-222-1/+199
| | | | | | | This introduces a test on PIN input to retrieve an object using pin-value and pin-source (file). Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* SECURITY.md: updated after comments from Daniel Berrange [ci skip]Nikos Mavrogiannopoulos2017-02-221-1/+8
|
* Removed unnecessary entries in pkix.asn and gnutls.asntmp-minimize-pkix-asnNikos Mavrogiannopoulos2017-02-224-171/+37
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle/pk: corrected memcpy of Q in DSA paramsNikos Mavrogiannopoulos2017-02-211-1/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* crypto.h: improved documentation of randomness levelsNikos Mavrogiannopoulos2017-02-211-2/+3
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* nettle/pk: use the appropriate level of randomness for each operationNikos Mavrogiannopoulos2017-02-211-14/+36
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* srp: use nonce level for SRP password randomizationNikos Mavrogiannopoulos2017-02-211-1/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: document the use of assert()Nikos Mavrogiannopoulos2017-02-211-0/+21
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: removed protocol/ directoryNikos Mavrogiannopoulos2017-02-21205-270483/+0
| | | | | | | | While it was used during the first years of development, today it is way more easy to access protocol documents via the IETF web site. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Added SECURITY.md, a description of the security issue handling processNikos Mavrogiannopoulos2017-02-211-0/+32
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: require clang analyzer build to be warning freeNikos Mavrogiannopoulos2017-02-211-3/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* configure: no longer use -Wframe-larger-thanNikos Mavrogiannopoulos2017-02-201-1/+0
| | | | | | | | We do not require a specific stack size, and there is legacy code which utilizes large stack sizes. As such remove the warnings to allow for a warning free compilation. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* pkcs11: avoid calling memcpy will null optionsNikos Mavrogiannopoulos2017-02-201-2/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* preinitialize variables to work-around warnings with clangNikos Mavrogiannopoulos2017-02-204-2/+7
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* eliminated dead code as indicated by clang scan-buildNikos Mavrogiannopoulos2017-02-209-11/+6
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pkcs7: corrected error checking in write_signer_idNikos Mavrogiannopoulos2017-02-201-6/+3
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* preinitialize variables to work-around warnings with clang's scan-buildNikos Mavrogiannopoulos2017-02-205-13/+16
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* eliminated various clang warnings with non-null argumentsNikos Mavrogiannopoulos2017-02-2010-4/+23
| | | | | | | That is, use assert() to ensure that known to be non-null variables will be used as input to functions requiring non-null. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* make_printable_string: allow operation with null inputNikos Mavrogiannopoulos2017-02-201-0/+11
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: replaced clang's build with clang analyser's scan-buildNikos Mavrogiannopoulos2017-02-201-21/+22
| | | | | | This introduces a static analyser pass in the CI. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: added cppcheck runNikos Mavrogiannopoulos2017-02-201-0/+21
| | | | | | This adds a basic static analysis of the source code. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* opencdk/read-packet.c: corrected typo in type castNikos Mavrogiannopoulos2017-02-201-1/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* cdk_pkt_read: enforce packet limitsNikos Mavrogiannopoulos2017-02-201-0/+9
| | | | | | | | | | | | That ensures that there are no overflows in the subsequent calculations. Resolves the oss-fuzz found bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 Relates: #159 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added test case with invalid openpgp certNikos Mavrogiannopoulos2017-02-203-2/+4
| | | | | | | That triggers a heap buffer overflow: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Add LMTP, POP3, NNTP, Sieve and PostgreSQL support to gnutls-cliRobert Scheck2017-02-1910-3/+107
| | | | | | Add LMTP (RFC 2033), POP3 (RFC 2595), NNTP (RFC 4642), Sieve (RFC 5804) and PostgreSQL support to gnutls-cli ("--starttls-proto"). Signed-off-by: Robert Scheck <robert@fedoraproject.org>
* README.md: added CII best practices badge [ci skip]Nikos Mavrogiannopoulos2017-02-191-0/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: Improve port-checking infrastructure.tmp-work-without-netstatRical Jasan2017-02-191-6/+47
| | | | | | | | | | | | | | | | | | | | | | | The test suite unnecessarily failed on systems without netstat because it was assumed to be present. Instead of simply checking for its presence and indicating an unsupported test, however, the ss utility can be used as a drop-in replacement. When netstat/net-tools is not present, the ss utility from iproute2 still stands a fair chance of existing, and they also have similar enough semantics that they can be used interchangeably in the test suite. The functions in tests/scripts/common.sh that used netstat (wait_for_port, wait_for_free_port) now use new functions, check_if_port_in_use and check_if_port_listening, to abstract the call to netstat/ss. The eval'd variable GETPORT also used netstat, and has been updated accordingly. The new port-checking functions use another new function, have_port_finder, which takes care of the details of selecting ss (preferred) or netstat, or fails otherwise. Signed-off-by: Rical Jasan <ricaljasan@pacific.net> Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* build: doc: install images also into htmldirAlon Bar-Lev2017-02-181-8/+11
| | | | | | images are required also by the html documentation. Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
* .gitlab-ci.yml: corrected coverage buildtmp-cert-fractional-secondsNikos Mavrogiannopoulos2017-02-181-3/+3
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: remove submodule update from main buildNikos Mavrogiannopoulos2017-02-181-2/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* updated auto-generated filesNikos Mavrogiannopoulos2017-02-182-1/+3
|
* Makefile: improved symbols extractionNikos Mavrogiannopoulos2017-02-181-1/+1
| | | | | | That is, do not include non-function names. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc updateNikos Mavrogiannopoulos2017-02-171-1/+7
|
* tests: ignore sanity checks in broken cert testNikos Mavrogiannopoulos2017-02-171-0/+2
| | | | | | | This allows the existing reproducers which contain certificates which are rejected by sanity checks, to still be used to detect regressions. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Added gnutls_x509_crt_set_flags()Nikos Mavrogiannopoulos2017-02-176-0/+37
| | | | | | | | This functions allows specifying flags to the certificate object. In particular it allows the single flag GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which allows to ignore sanity checks at the import of the certificate. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc updateNikos Mavrogiannopoulos2017-02-171-0/+4
|
* Introduced GNUTLS_E_CERTIFICATE_TIME_ERROR error codeNikos Mavrogiannopoulos2017-02-173-1/+4
| | | | | | This error code indicates an issue in the time fields of certificate. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509/output: properly indicate error in Time fieldsNikos Mavrogiannopoulos2017-02-171-2/+6
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509/time: refuse importing certificates with invalid Time fieldsNikos Mavrogiannopoulos2017-02-171-0/+8
| | | | | | | | | That will refuse to import certificates which their time field is not in GMT, or contain fractional seconds. Resolves: #169 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_generalTime2gtime: refuse to parse fractional secondsNikos Mavrogiannopoulos2017-02-171-2/+7
| | | | | | Fractional seconds in GeneralizedTime are prohibited by RFC5280. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
View Lorry Controller Status