Commit message | Author | Age | Files | Lines
* updated tlsfuzzer [tmp-tls1.3-backports] | Nikos Mavrogiannopoulos | 2017-07-13 | 1 | -0/+0
  That fixes issue detecting connection termination from gnutls-serv in chacha20 test.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: csr-invalid.der: modify the SPKI OID to use SECP384R1 | Nikos Mavrogiannopoulos | 2017-07-13 | 1 | -0/+0
  That avoids false positives in error detection in 'crq' test due to SECP224R1 not being supported in our CI platforms.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509/output: do not attempt to print the key ID on unknown SPKI algorithms | Nikos Mavrogiannopoulos | 2017-07-13 | 1 | -6/+15
  On unknown algorithms, it is not always possible to parse the SPKI field. Instead avoid printing errors.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: corrected location of artifacts in aarch64 build | Nikos Mavrogiannopoulos | 2017-07-13 | 1 | -3/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: certtool-rsa-pss: use unique temp files | Nikos Mavrogiannopoulos | 2017-07-13 | 1 | -2/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* updated auto-generated files | Nikos Mavrogiannopoulos | 2017-07-13 | 2 | -200/+232
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_buffer_append_data_prefix: cleanup | Nikos Mavrogiannopoulos | 2017-07-13 | 1 | -6/+5
  This eliminates misleading code that assumed that the called functions will return the appended size. Always return zero on success which is what the existing callers assume.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: removed unnecessary options from minimal build | Nikos Mavrogiannopoulos | 2017-07-13 | 1 | -3/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pubkey: print the failed signature algorithm when verification fails | Nikos Mavrogiannopoulos | 2017-07-13 | 1 | -0/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls-cli: added option to allow verification with broken algorithms | Nikos Mavrogiannopoulos | 2017-07-13 | 2 | -0/+13
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tls sessions will not fail of insecure algorithms which are explicitly enabled | Nikos Mavrogiannopoulos | 2017-07-13 | 1 | -2/+8
  That is, if DSA-SHA1 is allowed, do not propagate errors from gnutls_pubkey_verify_data2() due to SHA1 considered insecure, but rather ignore such errors.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: mini-record-2: made more robust | Nikos Mavrogiannopoulos | 2017-07-13 | 1 | -14/+15
  It will no longer close the session prior to peer processing all messages. This prevents the peer stopping processing prior to all messages being received.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: mini-record: made more robust | Nikos Mavrogiannopoulos | 2017-07-13 | 1 | -62/+19
  It will no longer use a stream socket as this does not work well with damaged records (they may end up merged).
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* record: reject 0-byte long ciphertext | Nikos Mavrogiannopoulos | 2017-07-13 | 1 | -1/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* record: added sanity checking in the record layer version copy | Nikos Mavrogiannopoulos | 2017-07-13 | 2 | -6/+18
  Previously we assumed that an active session had always a version set, however there have been reports of evolution crashing in that particular point. Although this could have been due to memory corruption, be careful and check for invalid input.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* record: more precise calculation of max recv size | Nikos Mavrogiannopoulos | 2017-07-13 | 6 | -11/+26
  Previously we were using a rough calculation of the max recv size based on maximum values. Now we calculate the exact maximum value once the epoch is initialized and enforce it throughout the session.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* decryption: use the same error code on all cases | Nikos Mavrogiannopoulos | 2017-07-13 | 1 | -5/+5
  This eases testing using tlsfuzzer.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls-serv: allow receiving requests up to 16kb | Nikos Mavrogiannopoulos | 2017-07-11 | 1 | -5/+4
  This makes gnutls-serv useful for few tlsfuzzer test cases.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* max_record_recv_size: removed call to gnutls_compression_get() | Nikos Mavrogiannopoulos | 2017-07-11 | 1 | -1/+1
  We no longer support compression.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Print the requested CA names when in debug mode | Nikos Mavrogiannopoulos | 2017-07-11 | 2 | -3/+21
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls-http-serv: do not set the obsolete PGP options | Nikos Mavrogiannopoulos | 2017-07-11 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: updated documentation on client authentication [ci skip] | Nikos Mavrogiannopoulos | 2017-07-11 | 2 | -2/+15
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: explicitly state intended usage of priorities on server-side | Nikos Mavrogiannopoulos | 2017-07-10 | 1 | -4/+14
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: use the default priorities in server example | Nikos Mavrogiannopoulos | 2017-07-10 | 1 | -2/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* updated auto-generated files | Nikos Mavrogiannopoulos | 2017-07-10 | 3 | -0/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added unit tests for gnutls_priority_set*() | Nikos Mavrogiannopoulos | 2017-07-10 | 3 | -1/+263
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Documented use gnutls_priority_set2(). | Nikos Mavrogiannopoulos | 2017-07-10 | 8 | -5/+12
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* priorities: share priority structures across sessions | Nikos Mavrogiannopoulos | 2017-07-10 | 22 | -97/+184
  As the contents of the priority cache grow, it makes sense to share these structures across many sessions (in server side) rather than copying them to a session. All overrides of the priority contents were moved to session->internals. On client side where gnutls_priority_set_direct() is more commonly used, ensure that the set priority is deinitialized. That also introduces gnutls_priority_set2() which does not copy the priority contents by default.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* set_client_ciphersuite: use the new internal APIs | Nikos Mavrogiannopoulos | 2017-07-10 | 1 | -10/+6
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitignore: ignore new tests | Nikos Mavrogiannopoulos | 2017-07-10 | 1 | -0/+30
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: added unit testing for server/client cipher negotiation | Nikos Mavrogiannopoulos | 2017-07-10 | 6 | -1/+691
  This verifies that the expected algorithm (cipher) is negotiated.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: added unit testing for server ciphersuite/KX negotiation | Nikos Mavrogiannopoulos | 2017-07-10 | 7 | -2/+1749
  This verifies whether the ciphersuite negotiation will detect and reject incompatible data present in credentials.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc: corrected typo | Nikos Mavrogiannopoulos | 2017-07-10 | 1 | -4/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Renamed fields of sign_algorithm_st | Nikos Mavrogiannopoulos | 2017-07-10 | 6 | -53/+50
  The new names better reflect the reality with signature algorithms in TLS 1.3, and correct the initial naming error.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: simplified signature algorithm list generation | Nikos Mavrogiannopoulos | 2017-07-10 | 7 | -66/+56
  Similarly to ciphersuites, that also utilizes a cache of signature algorithms on the priority structure which is used to quickly generate the signature algorithm list.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Eliminated access to obsolete priority cache fields | Nikos Mavrogiannopoulos | 2017-07-10 | 9 | -195/+126
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: simplified the client-side ciphersuite negotiation | Nikos Mavrogiannopoulos | 2017-07-10 | 3 | -258/+100
  This takes advantage of the ciphersuite cache in priorities structure while keeping the same ciphersuite selection checks in place.
  The previous ciphersuite selection checks kept:
   * Removing SRP ciphersuites when no SRP credentials are set
   * Removing ciphersuites when no corresponding to KX credentials were set
   * SCSV addition in SSL 3.0 and fallback SCSV
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: simplified the server-side ciphersuite negotiation | Nikos Mavrogiannopoulos | 2017-07-10 | 11 | -428/+287
  This eliminates all the back and forth loops in the previous code while keeping the same ciphersuite selection checks in place.
  The ciphersuite selection tests that were kept:
   * Check if key exchange supports the server public key and key usage flags
   * Check if DH or other parameters required for the ciphersuite are present
   * Find appropriate certificate for the credentials and ciphersuite
   * Check whether a curve is negotiated for the ECDH ciphersuites
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* priority: include a cache of supported ciphersuites | Nikos Mavrogiannopoulos | 2017-07-10 | 4 | -4/+43
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* removed unused cipher-suite and KX related functions | Nikos Mavrogiannopoulos | 2017-07-10 | 4 | -64/+23
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* algorithm/kx: sorted key exchange algorithms based on current trends | Nikos Mavrogiannopoulos | 2017-07-10 | 1 | -19/+19
  That optimizes linear search for the common options.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Removed unused functions | Nikos Mavrogiannopoulos | 2017-07-10 | 8 | -139/+0
  These were identified using callcatcher.
  http://www.skynet.ie/~caolan/Packages/callcatcher.html
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* fuzz: added make update command [ci skip] | Nikos Mavrogiannopoulos | 2017-07-07 | 2 | -0/+11
  This allows updating the fuzzer corpus from openssl using a single command.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* fuzz: added corpora from openssl [ci skip] | Nikos Mavrogiannopoulos | 2017-07-07 | 7900 | -0/+36
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* fuzz: undid changes related to boringssl server/client corpus format [ci skip] | Nikos Mavrogiannopoulos | 2017-07-07 | 7 | -22/+0
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* fuzz: included verbatim corpus from boringssl | Nikos Mavrogiannopoulos | 2017-07-07 | 1936 | -0/+43
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* fuzz: gnutls-client-fuzzer: read directly from memory [ci skip] | Nikos Mavrogiannopoulos | 2017-07-07 | 5 | -45/+95
  Also updated to read the prefixed boringssl corpus files.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* fuzz: gnutls-server-fuzzer: read directly from memory [ci skip] | Nikos Mavrogiannopoulos | 2017-07-07 | 2 | -284/+334
  Also updated to read the prefixed boring ssl corpus files.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* updated auto-generated files [tmp-alpn-updates] | Nikos Mavrogiannopoulos | 2017-07-06 | 2 | -344/+409
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* priority_options.gperf: modified for gperf 3.1 | Nikos Mavrogiannopoulos | 2017-07-06 | 2 | -2/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>