| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
|
|
|
|
|
|
| |
Remove memory leak in error handling in print_issuer_sign_tool() by
moving asn1_delete_structure to the end of the function.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|\
| |
| |
| |
| | |
keylogfile: simplify the callback mechanism
See merge request gnutls/gnutls!1196
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This partially reverts commit 97117556 with a simpler interface. The
original intention of having the callback mechanism was to reuse it
for monitoring QUIC encryption changes. However, it turned out to be
insufficient because such changes must be emitted after a new epoch is
ready.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|/
|
|
| |
Signed-off-by: Ross Nicholson <phunkyfish@gmail.com>
|
|
|
|
|
|
|
| |
Updated pbkdf2 API in GnuTLS removed the need for PBKDF2 helpers, drop
them now.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|\
| |
| |
| |
| |
| |
| | |
keylogfile: generalize with a callback
Closes #852
See merge request gnutls/gnutls!1184
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This refactors the keylogfile mechanism by adding a callback to get
notified when a new secret is derived and installed. That way,
consumers can implement custom logging feature per session, which is
particularly useful in QUIC implementation.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \
| |/
|/|
| |
| | |
nettle/gost: gost28147: require calling set_param before set_key
See merge request gnutls/gnutls!1188
|
| |
| |
| |
| |
| |
| |
| | |
Require selecting parameter set before setting the key. There is no need
to provide default setting, if a param is always selected anyway.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|\ \
| |/
|/|
| |
| |
| |
| | |
crypto-api: add generic crypto functions for KDF
Closes #851 and #813
See merge request gnutls/gnutls!1186
|
| |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This exposes HKDF and PBKDF2 functions from the library. Instead of
defining a single KDF interface as in PKCS #11, this patch defines 3
distinct functions for HKDF-Extract, HKDF-Expand, and PBKDF2
derivation, so that we can take advantage of compile time checking of
necesssary parameters.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|/
|
|
|
|
|
| |
If called at the wrong time, it allocates the buffer sb and forgets to
clear it.
Signed-off-by: Michael Catanzaro <mcatanzaro@gnome.org>
|
|\
| |
| |
| |
| | |
nettle/gost: support use GOST DSA support from master branch
See merge request gnutls/gnutls!1183
|
| |
| |
| |
| |
| |
| | |
Use GOST DSA and GOST curves provided by Nettle's master branch.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|\ \
| | |
| | |
| | |
| | | |
pkcs12: do not go try calculating pbkdf2 with 0 iterations
See merge request gnutls/gnutls!1182
|
| |/
| |
| |
| |
| |
| |
| | |
Nettle will abort on a call to pbkdf2 if iterations is 0. Add check to
GnuTLS PKCS12 GOST code to check that iter is not 0.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|/
|
|
| |
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
|
|
|
|
|
|
|
|
|
| |
On unknown curves or illegal parameters, make sure we return the
right error code which will translate to the appropriate alert.
Resolves: #907
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
| |
Use newer format of ecc curve data if curve448 support is detected.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|\
| |
| |
| |
| | |
x509: include digestParamSet into GOST 512-bit curves A and B params
See merge request gnutls/gnutls!1173
|
| |
| |
| |
| |
| |
| |
| |
| | |
Old implementations do not understand PublicKeyParams with omitted
digestParamSet. So include the field for old 512-bit curves to improve
compatibility with old implementations.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|\ \
| | |
| | |
| | |
| | | |
algorithms: implement X448 key exchange and Ed448 signature scheme
See merge request gnutls/gnutls!984
|
| | |
| | |
| | |
| | | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |/
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \
| | |
| | |
| | |
| | | |
pkcs12: use correct key length when using STREEBOG-512
See merge request gnutls/gnutls!1171
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
PKCS#12 files using GOST HMAC (GOST R 34.11-94 and Streebog) use special
function to generate MAC key. Pass correct key length (fixed to be 32)
when generating PKCS#12 files protected with Streebog (currently it
incorrectly uses 64 there).
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | | |
tls13: fix issues with client OCSP responses
Closes #876
See merge request gnutls/gnutls!1169
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The TLS1.3 protocol requires the server to advertise an empty
OCSP status request extension on its certificate verify message
for an OCSP response to be sent by the client. We now always
send this extension to allow clients attaching those responses.
Resolves: #876
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
In client side ensure we see a request for OCSP from servers before
sending one.
Relates: #876
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
| |
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|\
| |
| |
| |
| | |
libgnutls: Add system-wide default-priority-string override.
See merge request gnutls/gnutls!1158
|
| |
| |
| |
| | |
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
|
| |
| |
| |
| | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|\ \
| | |
| | |
| | |
| | | |
Extend GOST priority settings and documentation
See merge request gnutls/gnutls!1160
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
To remove possibility of using wrong length or using strncasecmp()
instead of c_strncasecmp() define PRIO_MATCH(name) macro taking care
about all details.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add GOST-ALL as an alias for CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL,
SIGN-GOST-ALL and GROUP-GOST-ALL.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add shortcuts for GOST ciphers, MACs and KXes. For now they contain only
one item, but this list will be expanded as support for GOST-CTR-ACPKM
ciphersuites will be added.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add SIGN-GOST-ALL keyword containing all defined GOST signature
algorithms.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Use c_strncasecmp() instead of just strncasecmp() which can be affected
by locale.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|\ \ \
| | | |
| | | |
| | | |
| | | | |
Fix tests execution when FIPS mode is compiled but not enforced.
See merge request gnutls/gnutls!1164
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | | |
In wrap_nettle_pk_generate_keys() set params->algo before calling
pct_test() as GOST sign/verify use that field.
Reported-by: Daiki Ueno
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|\ \ \
| |/ /
|/| |
| | |
| | | |
ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation
See merge request gnutls/gnutls!1159
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
This makes the OCSP based certificate verification adhere to the
convention used throughout the library: "The 'GNUTLS_CERT_INVALID'
flag is always set on a verification error and more detailed flags
will also be set when appropriate."
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | | |
doc: clarify thread safeness in gnutls_global_init() [ci skip]
Closes #900
See merge request gnutls/gnutls!1162
|