path: root/lib
Commit message (Author, Age, Files, Lines)
* crypto-selftests-pk.c: Move hardcoded values to the top (Anderson Toshiyuki Sasaki, 2020-03-11, 1 file, -112/+112)
|   Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* lib/x509/output.c: remove occasional memory leak in print_issuer_sign_tool() (Dmitry Baryshkov, 2020-03-07, 1 file, -1/+2)
|   Remove memory leak in error handling in print_issuer_sign_tool() by moving asn1_delete_structure to the end of the function.
|   Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* Merge branch 'tmp-keylog-func' into 'master' (Daiki Ueno, 2020-02-27, 9 files, -116/+40)
|\
| |   keylogfile: simplify the callback mechanism
| |   See merge request gnutls/gnutls!1196
| * keylogfile: simplify the callback mechanism [tmp-keylog-func] (Daiki Ueno, 2020-02-22, 9 files, -116/+40)
| |   This partially reverts commit 97117556 with a simpler interface. The original intention of having the callback mechanism was to reuse it for monitoring QUIC encryption changes. However, it turned out to be insufficient because such changes must be emitted after a new epoch is ready.
| |   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Adding missing macosx directory for aarch64 acceleration (Ross Nicholson, 2020-02-24, 1 file, -6/+4)
|/
|   Signed-off-by: Ross Nicholson <phunkyfish@gmail.com>
* lib: drop unused pbkdf2 helpers (Dmitry Baryshkov, 2020-02-18, 4 files, -216/+0)
|   Updated pbkdf2 API in GnuTLS removed the need for PBKDF2 helpers, drop them now.
|   Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* Merge branch 'tmp-keylog-hook' into 'master' (Daiki Ueno, 2020-02-07, 9 files, -24/+189)
|\
| |   keylogfile: generalize with a callback
| |   Closes #852
| |   See merge request gnutls/gnutls!1184
| * keylogfile: generalize with a callback [tmp-keylog-hook] (Daiki Ueno, 2020-02-07, 9 files, -24/+189)
| |   This refactors the keylogfile mechanism by adding a callback to get notified when a new secret is derived and installed. That way, consumers can implement custom logging feature per session, which is particularly useful in QUIC implementation.
| |   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Merge branch 'gost28147' into 'master' (Dmitry Baryshkov, 2020-02-05, 3 files, -20/+11)
|\ \
| |/
|/|
| |   nettle/gost: gost28147: require calling set_param before set_key
| |   See merge request gnutls/gnutls!1188
| * nettle/gost: gost28147: require calling set_param before set_key (Dmitry Baryshkov, 2020-02-05, 3 files, -20/+11)
| |   Require selecting parameter set before setting the key. There is no need to provide default setting, if a param is always selected anyway.
| |   Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* | Merge branch 'tmp-kdf-api' into 'master' (Daiki Ueno, 2020-02-04, 9 files, -90/+252)
|\ \
| |/
|/|
| |   crypto-api: add generic crypto functions for KDF
| |   Closes #851 and #813
| |   See merge request gnutls/gnutls!1186
| * privkey_pkcs8: remove unused #include <nettle/pbkdf2.h> (Daiki Ueno, 2020-02-04, 1 file, -1/+0)
| |   Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * pkcs7-crypt: refactor using gnutls_pbkdf2 (Daiki Ueno, 2020-02-04, 1 file, -37/+9)
| |   Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * pkcs12: refactor using gnutls_pbkdf2 (Daiki Ueno, 2020-02-04, 1 file, -26/+12)
| |   Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * secrets: refactor using gnutls_hkdf_{extract,expand} (Daiki Ueno, 2020-02-04, 1 file, -26/+19)
| |   Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * crypto-api: add generic crypto functions for KDF (Daiki Ueno, 2020-02-04, 5 files, -0/+212)
| |   This exposes HKDF and PBKDF2 functions from the library. Instead of defining a single KDF interface as in PKCS #11, this patch defines 3 distinct functions for HKDF-Extract, HKDF-Expand, and PBKDF2 derivation, so that we can take advantage of compile time checking of necessary parameters.
| |   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | session_pack: fix leak in error path (Michael Catanzaro, 2020-02-02, 1 file, -1/+2)
|/
|   If called at the wrong time, it allocates the buffer sb and forgets to clear it.
|   Signed-off-by: Michael Catanzaro <mcatanzaro@gnome.org>
* Merge branch 'nettle-master-gostdsa' into 'master' (Nikos Mavrogiannopoulos, 2020-01-31, 9 files, -30/+88)
|\
| |   nettle/gost: support use GOST DSA support from master branch
| |   See merge request gnutls/gnutls!1183
| * nettle/gost: support use GOST DSA support from master branch (Dmitry Baryshkov, 2020-01-30, 9 files, -30/+88)
| |   Use GOST DSA and GOST curves provided by Nettle's master branch.
| |   Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* | Merge branch 'fix-pkcs12-iter' into 'master' (Dmitry Baryshkov, 2020-01-28, 1 file, -0/+3)
|\ \
| | |   pkcs12: do not go try calculating pbkdf2 with 0 iterations
| | |   See merge request gnutls/gnutls!1182
| * | pkcs12: do not go try calculating pbkdf2 with 0 iterations (Dmitry Baryshkov, 2020-01-28, 1 file, -0/+3)
| |/
| |   Nettle will abort on a call to pbkdf2 if iterations is 0. Add check to GnuTLS PKCS12 GOST code to check that iter is not 0.
| |   Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* | add support for local threads with studio and ibm compilers (Bjoern Jacke, 2020-01-27, 1 file, -1/+1)
|/
|   Signed-off-by: Bjoern Jacke <bjacke@samba.org>
* key shares: avoid using internal errors (Nikos Mavrogiannopoulos, 2020-01-25, 1 file, -10/+10)
|   On unknown curves or illegal parameters, make sure we return the right error code which will translate to the appropriate alert.
|   Resolves: #907
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* lib/nettle/gost: restore compatibility with nettle master (Dmitry Baryshkov, 2020-01-24, 3 files, -0/+73)
|   Use newer format of ecc curve data if curve448 support is detected.
|   Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* Merge branch 'legacy-gost-512' into 'master' (Nikos Mavrogiannopoulos, 2020-01-24, 1 file, -0/+4)
|\
| |   x509: include digestParamSet into GOST 512-bit curves A and B params
| |   See merge request gnutls/gnutls!1173
| * x509: include digestParamSet into GOST 512-bit curves A and B params (Dmitry Eremin-Solenikov, 2020-01-20, 1 file, -0/+4)
| |   Old implementations do not understand PublicKeyParams with omitted digestParamSet. So include the field for old 512-bit curves to improve compatibility with old implementations.
| |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | Merge branch 'tmp-ed448' into 'master' (Daiki Ueno, 2020-01-24, 23 files, -52/+398)
|\ \
| | |   algorithms: implement X448 key exchange and Ed448 signature scheme
| | |   See merge request gnutls/gnutls!984
| * | algorithms: implement X448 key exchange and Ed448 signature scheme (Daiki Ueno, 2020-01-23, 22 files, -52/+348)
| | |   Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | nettle: vendor in Curve448 and Ed448 implementation (Daiki Ueno, 2020-01-23, 1 file, -0/+50)
| |/
| |   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Merge branch 'fix-gost-pkcs12' into 'master' (Dmitry Baryshkov, 2020-01-20, 1 file, -1/+1)
|\ \
| | |   pkcs12: use correct key length when using STREEBOG-512
| | |   See merge request gnutls/gnutls!1171
| * | pkcs12: use correct key length when using STREEBOG-512 (Dmitry Baryshkov, 2020-01-20, 1 file, -1/+1)
| |/
| |   PKCS#12 files using GOST HMAC (GOST R 34.11-94 and Streebog) use special function to generate MAC key. Pass correct key length (fixed to be 32) when generating PKCS#12 files protected with Streebog (currently it incorrectly uses 64 there).
| |   Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* | Merge branch 'tmp-tls13-ocsp' into 'master' (Nikos Mavrogiannopoulos, 2020-01-20, 5 files, -2/+33)
|\ \
| | |   tls13: fix issues with client OCSP responses
| | |   Closes #876
| | |   See merge request gnutls/gnutls!1169
| * | tls13: request OCSP responses as a server (Nikos Mavrogiannopoulos, 2020-01-20, 1 file, -0/+16)
| | |   The TLS1.3 protocol requires the server to advertise an empty OCSP status request extension on its certificate verify message for an OCSP response to be sent by the client. We now always send this extension to allow clients attaching those responses.
| | |   Resolves: #876
| | |   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | tls13: do not send OCSP responses as client without server requesting (Nikos Mavrogiannopoulos, 2020-01-15, 5 files, -2/+17)
| |/
| |   In client side ensure we see a request for OCSP from servers before sending one.
| |   Relates: #876
| |   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | x509: add OGRNIP DN entry definition used by qualified GOST certificates (Dmitry Baryshkov, 2020-01-20, 1 file, -0/+2)
|/
|   Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* Merge branch 'override-default-priority' into 'master' (Nikos Mavrogiannopoulos, 2020-01-13, 1 file, -2/+31)
|\
| |   libgnutls: Add system-wide default-priority-string override.
| |   See merge request gnutls/gnutls!1158
| * libgnutls: Add system-wide default-priority-string override. (Dimitri John Ledkov, 2020-01-13, 1 file, -2/+31)
| |   Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
* | lib: fix _kx_priority_gost termination item (Dmitry Eremin-Solenikov, 2020-01-13, 1 file, -0/+1)
| |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | Merge branch 'gost-priorities' into 'master' (Dmitry Eremin-Solenikov, 2020-01-12, 1 file, -54/+84)
|\ \
| | |   Extend GOST priority settings and documentation
| | |   See merge request gnutls/gnutls!1160
| * | priority: make priority matching less error-prone (Dmitry Eremin-Solenikov, 2020-01-10, 1 file, -67/+34)
| | |   To remove possibility of using wrong length or using strncasecmp() instead of c_strncasecmp() define PRIO_MATCH(name) macro taking care about all details.
| | |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | priority: add new GOST-ALL shortcut (Dmitry Eremin-Solenikov, 2020-01-10, 1 file, -0/+12)
| | |   Add GOST-ALL as an alias for CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL and GROUP-GOST-ALL.
| | |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | priority: add more GOST shortcuts (Dmitry Eremin-Solenikov, 2020-01-09, 1 file, -10/+47)
| | |   Add shortcuts for GOST ciphers, MACs and KXes. For now they contain only one item, but this list will be expanded as support for GOST-CTR-ACPKM ciphersuites will be added.
| | |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | lib/priority: add SIGN-GOST-ALL keyword (Dmitry Eremin-Solenikov, 2020-01-09, 1 file, -0/+14)
| | |   Add SIGN-GOST-ALL keyword containing all defined GOST signature algorithms.
| | |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | lib/priority: use c_strncasecmp() for string comparison (Dmitry Eremin-Solenikov, 2020-01-08, 1 file, -12/+12)
| | |   Use c_strncasecmp() instead of just strncasecmp() which can be affected by locale.
| | |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | priority: fix GROUP-GOST-ALL comparison length (Dmitry Eremin-Solenikov, 2020-01-08, 1 file, -1/+1)
| | |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | | Merge branch 'fix-fips-gost' into 'master' (Dmitry Eremin-Solenikov, 2020-01-12, 1 file, -2/+2)
|\ \ \
| | | |   Fix tests execution when FIPS mode is compiled but not enforced.
| | | |   See merge request gnutls/gnutls!1164
| * | | pk: set generated key algo before calling pct_test (Dmitry Eremin-Solenikov, 2020-01-10, 1 file, -2/+2)
| | |/
| |/|
| | |   In wrap_nettle_pk_generate_keys() set params->algo before calling pct_test() as GOST sign/verify use that field.
| | |   Reported-by: Daiki Ueno
| | |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | | Merge branch 'tmp-ocsp-revocation' into 'master' (Daiki Ueno, 2020-01-10, 1 file, -0/+8)
|\ \ \
| |/ /
|/| |
| | |   ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation
| | |   See merge request gnutls/gnutls!1159
| * | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation (Daiki Ueno, 2020-01-10, 1 file, -0/+8)
| |/
| |   This makes the OCSP based certificate verification adhere to the convention used throughout the library: "The 'GNUTLS_CERT_INVALID' flag is always set on a verification error and more detailed flags will also be set when appropriate."
| |   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Merge branch 'tmp-fix-doc' into 'master' (Tim Rühsen, 2020-01-09, 1 file, -1/+1)
|\ \
| | |   doc: clarify thread safeness in gnutls_global_init() [ci skip]
| | |   Closes #900
| | |   See merge request gnutls/gnutls!1162