Commit message (Author, Age, Files, Lines)
* tlsfuzzer: use random port for tls-fuzzer-cert test (Dmitry Eremin-Solenikov, 2018-09-27, 2 files, -13/+17)
|   Like the rest of tls-fuzzer tests, pass "-p PORT" to subtests, allowing usage of random port for server.
|   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Merge branch 'tmp-fix-mech-list-generation' into 'master' (Dmitry Eremin-Solenikov, 2018-09-26, 1 file, -1/+19)
|\
| |   mech-list.h: generate unique entries
| |   See merge request gnutls/gnutls!761
| * mech-list.h: generate unique entries [tmp-fix-mech-list-generation] (Nikos Mavrogiannopoulos, 2018-09-26, 1 file, -1/+19)
|/
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* released 3.6.4 [gnutls_3_6_4] (Nikos Mavrogiannopoulos, 2018-09-24, 1 file, -1/+1)
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: pkcs12-utf8 depend on bash [tmp-enable-tls13] (Nikos Mavrogiannopoulos, 2018-09-24, 1 file, -2/+3)
|   The NetBSD default shell cannot handle the UTF-8 strings we use in that script.
|   Resolves #544
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* bumped versions and updated NEWS file (Nikos Mavrogiannopoulos, 2018-09-24, 3 files, -8/+16)
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Enable the TLS1.3 protocol by default (Nikos Mavrogiannopoulos, 2018-09-24, 8 files, -62/+4)
|   As the protocol has been finalized, and the implementation is stable and interoperable, there is no need to enable it conditionally.
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'tmp-pkcs11-lax-search' into 'master' (Nikos Mavrogiannopoulos, 2018-09-24, 6 files, -43/+246)
|\
| |   Provide a less restrictive PKCS#11 search of certificates
| |   Closes #569
| |   See merge request gnutls/gnutls!757
| * Provide a more flexible PKCS#11 search of trust store certificates [tmp-pkcs11-lax-search] (Nikos Mavrogiannopoulos, 2018-09-21, 6 files, -43/+246)
| |   This addresses the problem where the CA certificate doesn't have a subject key identifier whereas the end certificates have an authority key identifier.
| |   Resolves #569
| |   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-be-strict-on-crls' into 'master' (Nikos Mavrogiannopoulos, 2018-09-21, 10 files, -12/+235)
|\ \
| | |   gnutls-cli enables CRL validation on startup
| | |   Closes #564
| | |   See merge request gnutls/gnutls!752
| * | gnutls-cli: enable CRL validation on startup (Nikos Mavrogiannopoulos, 2018-09-21, 5 files, -5/+204)
| | |   This also makes the failure in adding CRLs or CAs, a fatal error.
| | |   Resolves #564
| | |   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | trust list: added flag to force failure on CRL validation error (Nikos Mavrogiannopoulos, 2018-09-21, 5 files, -7/+31)
| |/
| |   This allows an application to be notified of the addition of invalid CRLs in the trust list.
| |   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-session-ticket-key-rotation-ajuaristi' into 'master' (Nikos Mavrogiannopoulos, 2018-09-21, 15 files, -104/+1127)
|\ \
| |/
|/|
| |   Session ticket key rotation with TOTP
| |   Closes #184
| |   See merge request gnutls/gnutls!695
| * session tickets: check timestamp for validity [tmp-session-ticket-key-rotation-ajuaristi] (Nikos Mavrogiannopoulos, 2018-09-20, 4 files, -28/+29)
| |   We were previously only relying on the client's view of the ticket lifetime for TLS1.3 tickets. This makes sure that we only resume tickets that the server considers valid and consolidates the expiration time checks to _gnutls_check_resumed_params().
| |   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * tests: use virt-time.h in resumption tests (Nikos Mavrogiannopoulos, 2018-09-19, 3 files, -13/+22)
| |   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * Added session ticket key rotation with TOTP (Ander Juaristi, 2018-09-19, 11 files, -71/+1084)
| |   This introduces session ticket key rotation on server side. The key set with gnutls_session_ticket_enable_server() is used as a master key to generate time-based keys for tickets. The rotation relates to the gnutls_db_set_cache_expiration() period.
| |   Resolves #184
| |   Signed-off-by: Ander Juaristi <a@juaristi.eus>
* | Merge branch 'tmp-rm-mech-list' into 'master' (Nikos Mavrogiannopoulos, 2018-09-20, 1 file, -232/+0)
|\ \
| | |   Remove auto-generated src/mech-list.h from repo
| | |   See merge request gnutls/gnutls!753
| * | Remove auto-generated src/mech-list.h from repo (Tim Rühsen, 2018-09-20, 1 file, -232/+0)
|/ /
| |   Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | Merge branch 'tmp-res-prio' into 'master' (Nikos Mavrogiannopoulos, 2018-09-20, 2 files, -5/+4)
|\ \
| | |   Fix issue introduced in 20886264fe
| | |   See merge request gnutls/gnutls!756
| * | Fix issue introduced in 20886264fe (Tim Rühsen, 2018-09-20, 2 files, -5/+4)
|/ /
| |   This makes _gnutls_resolve_priorities() return a string that is always allocated with the gnutls memory functions.
| |   Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | ECC export/import: updated documentation on EdDSA curves (Nikos Mavrogiannopoulos, 2018-09-20, 5 files, -13/+36)
| |   This clarifies the format that parameters in the EdDSA curves will be returned, and also ensures that the import/export functions fail on unsupported curves.
| |   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'gost-endianness' into 'master' (Nikos Mavrogiannopoulos, 2018-09-20, 11 files, -23/+89)
|\ \
| |/
|/|
| |   GOST endianness
| |   See merge request gnutls/gnutls!755
| * certtool: print GOST public key with MSB first (Dmitry Eremin-Solenikov, 2018-09-18, 1 file, -0/+15)
| |   OpenSSL and other libraries print MSB first, when printing GOST public keys. Let's return to this convention.
| |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * x509: print_pubkey: print GOST public key with MSB first (Dmitry Eremin-Solenikov, 2018-09-18, 2 files, -3/+16)
| |   OpenSSL and other libraries print MSB first, when printing GOST public keys. Let's return to this convention.
| |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * lib: use little endian when importing/exporting GOST keys (Dmitry Eremin-Solenikov, 2018-09-18, 6 files, -20/+31)
| |   GOST R 34.10 native format is little endian. It is better for the application code to use native format data to interface library, rather than convert buffers on their own.
| |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * mpi: add function to dprint mpi in little endianness (Dmitry Eremin-Solenikov, 2018-09-18, 2 files, -0/+27)
|/
|   Add little endian counterpart to _gnutls_mpi_dprint and _gnutls_mpi_dprint_le.
|   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Merge branch 'fix-gost-docs' into 'master' (Dmitry Eremin-Solenikov, 2018-09-18, 1 file, -8/+8)
|\
| |   gnutls.h: correct GOST R number references
| |   See merge request gnutls/gnutls!750
| * gnutls.h: correct GOST R number references [ci skip] (Dmitry Eremin-Solenikov, 2018-09-18, 1 file, -8/+8)
|/
|   Fix numeric GOST R ids used in documentation, too many numbers:
|   - GOST R 34.11 is digest function
|   - GOST R 34.10-2001 is a digital signature over GOST R 34.11-94 digest
|   - GOST R 34.10-2012 is a digital signature over GOST R 34.11-2012 digest
|   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Update git submodules via ./bootstrap (Tim Rühsen, 2018-09-17, 3 files, -7/+10)
|   Setting $SUBMODULE_NOFETCH to a non-empty value adds --no-fetch to the git command (for CI speedup).
|   Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* tests: pkcs1-pad: run with SHA-1 enabled or disabled [tmp-sha1-fix-test] (Nikos Mavrogiannopoulos, 2018-09-17, 1 file, -3/+1)
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitlab-ci.yml: enable run with SHA-1 enabled (Nikos Mavrogiannopoulos, 2018-09-17, 3 files, -3/+14)
|   This adds a CI run with SHA-1 enabled, and corrects issues in the testsuite when that's the case.
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_trust_list_add_trust_mem: fix behavior with unaccounted certs (Nikos Mavrogiannopoulos, 2018-09-17, 1 file, -1/+7)
|   If gnutls_x509_trust_list_add_cas returns less than clist_size, the additional unaccounted certificates will never be freed.
|   Relates #552
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_trust_list_add_cas: corrected return value (Nikos Mavrogiannopoulos, 2018-09-17, 1 file, -1/+1)
|   When the flag GNUTLS_TL_USE_IN_TLS is used and add_new_ca_to_rdn_seq the return value did not include the last certificate added to the list. This corrects its return value.
|   Relates #552
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* fixed documentation in trust list functions (Nikos Mavrogiannopoulos, 2018-09-17, 1 file, -14/+26)
|   That clarifies and addresses issues in the documentation of gnutls_x509_trust_list_add_crls() and gnutls_x509_trust_list_add_cas()
|   Relates #552
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'tmp-crl' into 'master' (Nikos Mavrogiannopoulos, 2018-09-17, 9 files, -10/+105)
|\
| |   certtool: crl handling updates
| |   See merge request gnutls/gnutls!747
| * tests: added CRL verification tests (Nikos Mavrogiannopoulos, 2018-09-17, 6 files, -1/+92)
| |   This tests CRL verification with certtool --verify-crl on correct and incorrect cases.
| |   Relates #564
| |   Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| * certtool: updates in documentation in messages for CRL generation (Nikos Mavrogiannopoulos, 2018-09-17, 3 files, -9/+13)
|/
|   This fixes the messages printed for the generation of a CRL, and makes the return code of the CRL verification depending on the verification result.
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Fix variable used in reallocation (Nikos Mavrogiannopoulos, 2018-09-14, 1 file, -1/+1)
|   This corrects the variable name used in the sizeof argument for realloc. This does not alter the actual allocation size, but rather it fixes a logic error.
|   Relates: #554
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* .gitignore: updated (Nikos Mavrogiannopoulos, 2018-09-14, 1 file, -1/+16)
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* dtls: recover when a NewSessionTicket message is lost (Nikos Mavrogiannopoulos, 2018-09-14, 3 files, -7/+264)
|   When the server's NewSessionTicket gets lost while the ChangeCipherSpec goes through, the client did not request retransmission by retransmitting his last flight, and the handshake was blocked. This commit addresses the issue and adds a reproducer.
|   Resolves #543
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tlsfuzzer: remove duplicate tests and sort them alphabetically (Daiki Ueno, 2018-09-14, 1 file, -28/+20)
|   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* doc: fix reference to invocation nodes (Andreas Schwab, 2018-09-14, 1 file, -6/+6)
|   Signed-off-by: Andreas Schwab <schwab@suse.de>
* priority: be backwards compatible with priority strings starting with NONE (Nikos Mavrogiannopoulos, 2018-09-12, 6 files, -15/+39)
|   That is, we allow priority strings which do not enable any groups to work, by disabling TLS1.3. For example 'NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-GCM:+SIGN-ALL:+COMP-NULL' is still operational, but no TLS1.3 is enabled when specified.
|   Resolves: #549
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'tmp-strdup' into 'master' (Tim Rühsen, 2018-08-30, 3 files, -9/+3)
|\
| |   Use gnutls_strdup() in library code
| |   See merge request gnutls/gnutls!742
| * Use gnutls_strdup() instead of strdup() in library code [tmp-strdup] (Tim Rühsen, 2018-08-24, 2 files, -3/+3)
| |   Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
| * Remove gnulib work-around '#undef strdup' (Tim Rühsen, 2018-08-24, 1 file, -6/+0)
|/
|   The 'issue' should be fixed already. Even if not, it has to be addressed in gnulib.
|   Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Merge branch 'tmp-psk-ext-refactor' into 'master' (Daiki Ueno, 2018-08-23, 9 files, -139/+150)
|\
| |   tls13/psk_ext_parser: simplify the iterator interface
| |   See merge request gnutls/gnutls!736
| * ext/pre_shared_key: use consistent name for registration entry (Daiki Ueno, 2018-08-23, 5 files, -6/+6)
| |   Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * ext/pre_shared_key: make ticket age calculation consistent (Daiki Ueno, 2018-08-23, 1 file, -10/+10)
| |   Previously we used a pattern like this:
| |
| |     uint32_t obfuscated_ticket_age, ticket_age_add;
| |     time_t ticket_age;
| |
| |     ticket_age = obfuscated_ticket_age - ticket_age_add;
| |     if (ticket_age < 0) {
| |       ...
| |     }
| |
| |   This always evaluates to false, because subtraction between unsigned integers yields an unsigned integer. Let's do the comparison before subtraction and also use correct types for representing time: uint32_t for protocol time and time_t for system time.
| |   Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * tls13/psk_ext_parser: simplify the iterator interface (Daiki Ueno, 2018-08-23, 5 files, -123/+134)
|/
|   Previously it was unclear whether psk_ext_parser_st is stateful or not. This change introduces the simpler API to iterate over the immutable data (psk_ext_parser_st), following the iterator pattern.
|   Signed-off-by: Daiki Ueno <dueno@redhat.com>