Commit message | Author | Age | Files | Lines
...
* fuzz: added OCSP structure parsers | Nikos Mavrogiannopoulos | 2017-03-09 | 3 | -2/+104
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* fuzz: increased minimized set of X.509 certificates | Nikos Mavrogiannopoulos | 2017-03-09 | 7 | -0/+0
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* PKCS8/PKCS12: enforce a maximum number of iterations | Nikos Mavrogiannopoulos | 2017-03-09 | 3 | -3/+7
  This prevents denial of service through very large iteration counts.
  Issue found via oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=434
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Do not attempt to parse a 32-bit integer if a packet is not 4 bytes. | Alex Gaynor | 2017-03-09 | 3 | -2/+2
  This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737
  Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
* Revert ".gitlab-ci.yml: include coverage statistics of FIPS140-2 code" | Nikos Mavrogiannopoulos | 2017-03-09 | 1 | -2/+1
  This reverts commit 603772688c4e37dae437b4cede12e25b9dd9f678.
  The commit introduced a long wait for the coverage build without any significant benefit (the extent of the FIPS140 code is too limited to have any impact on the overall coverage).
* sysrng-linux: define _rnd_get_system_entropy unconditionally | Nikos Mavrogiannopoulos | 2017-03-09 | 1 | -1/+2
  This fixes compilation in systems without getrandom().
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: dtls-stress: use X.509 certificates instead of openpgp [tmp-openpgp-compat] | Nikos Mavrogiannopoulos | 2017-03-08 | 2 | -59/+9
  This will allow the test tool to operate even after openpgp certificates are deprecated.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: added build without openpgp support | Nikos Mavrogiannopoulos | 2017-03-08 | 1 | -2/+25
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc update | Nikos Mavrogiannopoulos | 2017-03-08 | 1 | -0/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Added openpgp stub file | Nikos Mavrogiannopoulos | 2017-03-08 | 2 | -1/+703
  That allows disabling openpgp authentication and at the same time retaining ABI compatibility with versions including openpgp.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc update [tmp-improve-test-suite] | Nikos Mavrogiannopoulos | 2017-03-08 | 1 | -0/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: split PKCS#12 encoding from decoding tests | Nikos Mavrogiannopoulos | 2017-03-08 | 3 | -35/+110
  Enhanced PKCS#12 encoding tests, with the encoding of a file which contains a cert, a key and a CRL.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added PKCS#12 file decoding containing a CRL | Nikos Mavrogiannopoulos | 2017-03-08 | 3 | -2/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: enhance to allow writing CRLs in PKCS#12 files | Nikos Mavrogiannopoulos | 2017-03-08 | 2 | -2/+43
  In addition, fall back to DER when --load-crl fails importing a PEM encoded CRL due to PEM issues.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added CRL decoding unit tests using certtool | Nikos Mavrogiannopoulos | 2017-03-08 | 5 | -2/+753
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: enhanced basic tests in CRL parsing | Nikos Mavrogiannopoulos | 2017-03-08 | 1 | -1/+30
  That tests gnutls_x509_crl_get_crt_serial().
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Rewritten gnutls_x509_rdn_get() and gnutls_x509_rdn_get2() | Nikos Mavrogiannopoulos | 2017-03-08 | 1 | -43/+25
  The new code re-uses the gnutls_x509_dn APIs instead of re-implementing.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added checks for the old DN decoding functions | Nikos Mavrogiannopoulos | 2017-03-08 | 2 | -1/+152
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: do not run tests which require openpgp when it is disabled | Nikos Mavrogiannopoulos | 2017-03-08 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* .gitlab-ci.yml: include coverage html output as artifact | Nikos Mavrogiannopoulos | 2017-03-08 | 1 | -1/+5
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: x509-verify: print the keys on failure | Nikos Mavrogiannopoulos | 2017-03-08 | 1 | -16/+51
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_privkey_export_x509: doc update | Nikos Mavrogiannopoulos | 2017-03-08 | 1 | -2/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: split sign-verify test to RSA and ECDSA parts | Nikos Mavrogiannopoulos | 2017-03-08 | 4 | -73/+129
  This allows parallelism and also helps in identifying the culprit more easily on an error.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: adjusted for the removal of HMAC-MD5 [tmp-remove-hmac-md5] | Nikos Mavrogiannopoulos | 2017-03-08 | 2 | -3/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* priority: do not enable HMAC-MD5 by default | Nikos Mavrogiannopoulos | 2017-03-08 | 1 | -1/+0
  While HMAC-MD5 is not yet broken, it is not used by any non-broken or non-NULL ciphersuites (it is only used with NULL and RC4), and as there is no plan to introduce new ciphersuites with that MAC algorithm, there is no point in including it in the default set of allowed algorithms.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: converted FIPS140-2 mode checks in Makefiles to run-time in scripts | Nikos Mavrogiannopoulos | 2017-03-08 | 5 | -10/+18
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls.h: introduced GNUTLS_E_TLS_PACKET_DECODING_ERROR [ci skip] | Nikos Mavrogiannopoulos | 2017-03-08 | 2 | -2/+3
  This is an alias to GNUTLS_E_UNEXPECTED_PACKET_LENGTH. That allows distinguishing the alert from GNUTLS_E_RECORD_OVERFLOW.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: crq: ignore lines for Security Level [tlsfuzzer] | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -1/+1
  This allows running the test under FIPS140-2 mode.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* ax_code_coverage.m4: updated | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -57/+47
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* .gitlab-ci.yml: initialize submodules where needed (for tlsfuzzer run) | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -8/+17
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* .gitlab-ci.yml: include subdirs of suite/ in artifacts | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -0/+5
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ext/signature: error on invalid extension format | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -0/+2
  That is, if an extension containing no signature algorithms is encountered, treat that as an error. This is an RFC5246 requirement, since the minimum "supported_signature_algorithms" length is 2.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* _gnutls_proc_x509_server_crt: return GNUTLS_E_CERTIFICATE_ERROR on parsing error | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -0/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* alert: GNUTLS_E_NO_CERTIFICATE_FOUND maps to GNUTLS_A_DECODE_ERROR | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -1/+1
  This is the closest alert to use when no certificate is found; at least it is closer according to tlsfuzzer and the rfc5246 text on the insufficient_security alert.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* read_client_hello: use integer for extensions size | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -1/+2
  As we do not read the value directly, but rather assign to it the remaining data, we ensure that there are no overflows if we have additional data past the extensions field. The integer can hold more than 2^24 which is the maximum handshake packet size.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ext/signature: reject an extension with padded data | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -0/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ext/signature: reject an extension size of zero | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_record_recv: do not accept a client hello while handshake is in progress | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -0/+1
  That is, do not return GNUTLS_E_REHANDSHAKE, while we are within a handshake process.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* read_client_hello: fail early on illegally formatted message | Nikos Mavrogiannopoulos | 2017-03-07 | 2 | -1/+9
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_parse_extensions: do not fail on empty extensions field | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -1/+9
  On the other hand, fail if an empty extensions field is seen, but the client hello contains data nevertheless, or if the extensions field is padded with additional unaccounted data.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* alert: GNUTLS_E_PK_INVALID_PUBKEY maps to GNUTLS_A_ILLEGAL_PARAMETER | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -0/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* alerts: separated record overflow from decode error alerts | Nikos Mavrogiannopoulos | 2017-03-07 | 4 | -3/+9
  Introduced GNUTLS_E_RECORD_OVERFLOW.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* auth: failures of _gnutls_mpi_init_scan_nz map to GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER | Nikos Mavrogiannopoulos | 2017-03-07 | 2 | -12/+12
  That ensures that the right alert is sent when illegal parameters are received (e.g., zero length).
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: updated tlsproxy to latest version | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -0/+0
* testsuite: added tlsfuzzer | Nikos Mavrogiannopoulos | 2017-03-07 | 7 | -1/+172
  This enhances the testsuite by running all the tlsfuzzer fuzzer tests which require no certificates from server.
  https://github.com/tomato42/tlsfuzzer
* tests: converted compile-time checks for FIPS140 mode to run-time [tmp-use-thread-local-rng] | Nikos Mavrogiannopoulos | 2017-03-07 | 15 | -61/+81
  This allows running the complete test suite even when the library is compiled in FIPS140-2 mode, as long as the run-time is not at this mode.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* .gitlab-ci.yml: include coverage statistics of FIPS140-2 code | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -1/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* .gitlab-ci.yml: include FIPS140-2 code into static analyzer runs | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -2/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc update | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -0/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* nettle/rnd-fips: combined the FIPS-compliant generators to two | Nikos Mavrogiannopoulos | 2017-03-06 | 1 | -15/+5
  This brings the FIPS generators on par with the non-FIPS chacha-based ones.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>