Commit message | Author | Age | Files | Lines
* Disable AVX support when it is not supported by the CPU | Nikos Mavrogiannopoulos | 2017-01-18 | 1 | -2/+31
  This mostly affects virtual systems. Reported by Frank Chen.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* opencdk: improved error code checking in the stream reading functions | Nikos Mavrogiannopoulos | 2017-01-17 | 1 | -2/+3
  This amends 49be4f7b82eba2363bb8d4090950dad976a77a3a
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* opencdk: added error checking in the stream reading functions | Nikos Mavrogiannopoulos | 2017-01-06 | 1 | -5/+35
  This addresses an out of memory error. Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* opencdk: cdk_pk_get_keyid: fix stack overflow | Nikos Mavrogiannopoulos | 2017-01-06 | 1 | -1/+7
  Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* opencdk: read_attribute: added more precise checks when reading stream | Nikos Mavrogiannopoulos | 2017-01-06 | 1 | -11/+29
  That addresses heap read overflows found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_pkcs12_string_to_key: avoid division by zero when salt_size = 0 | Nikos Mavrogiannopoulos | 2017-01-05 | 1 | -3/+9
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_ext_import_policies: fixed memory leak on error path | Nikos Mavrogiannopoulos | 2017-01-05 | 1 | -3/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509 output: fixed memory leak in AIA extension printing | Nikos Mavrogiannopoulos | 2017-01-05 | 1 | -2/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* proc_server_kx: eliminated leak on error path | Nikos Mavrogiannopoulos | 2017-01-05 | 1 | -0/+3
  Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=272
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_get_signature: fix memory leak on error path | Nikos Mavrogiannopoulos | 2017-01-05 | 1 | -1/+2
* x509: address leak in print_altname - cert printing | Nikos Mavrogiannopoulos | 2017-01-05 | 1 | -1/+3
* status_request: eliminated leak on error path | Nikos Mavrogiannopoulos | 2017-01-05 | 1 | -5/+10
  Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=269
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* auth rsa: eliminated memory leak on pkcs-1 formatting attack path | Nikos Mavrogiannopoulos | 2017-01-04 | 1 | -1/+5
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pkcs8_info: addressed memory leak on error path | Nikos Mavrogiannopoulos | 2017-01-02 | 1 | -3/+5
* wrap_nettle_mpi_modm: bail on a modulus that is zero | Nikos Mavrogiannopoulos | 2017-01-02 | 1 | -0/+3
  Relates #156
* pkcs7 decrypt: require a valid IV size on all ciphers | Nikos Mavrogiannopoulos | 2017-01-02 | 1 | -4/+13
  That is, do not accept the IV size present in the structure as valid without checking.
  Relates #156
* pkcs8: pkcs8_key_info() will correctly detect non-encrypted files | Nikos Mavrogiannopoulos | 2017-01-02 | 1 | -2/+32
* Corrected a leak in OpenPGP sub-packet parsing. | Alex Gaynor | 2017-01-02 | 1 | -1/+3
  Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
* Attempt to fix a leak in OpenPGP cert parsing. | Alex Gaynor | 2017-01-02 | 1 | -1/+3
* Do not infinite loop if an EOF occurs while skipping a PGP packet | Alex Gaynor | 2017-01-02 | 1 | -5/+16
  Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
* gnutls_rnd: document the available values of level [ci skip] | Nikos Mavrogiannopoulos | 2017-01-02 | 1 | -1/+3
  This enables using the function by only checking the man page.
* configure: introduced --with-priority-string option | Nikos Mavrogiannopoulos | 2016-12-21 | 1 | -1/+1
  This allows specifying the priority string to be used with gnutls_set_default_priority() on configure time.
* priorities: reset the profile flags when appending new flags | Nikos Mavrogiannopoulos | 2016-12-20 | 3 | -3/+14
  That is, to avoid causing issues to applications calling gnutls_*priority_set() multiple times with different parameters. In that case if multiple profiles are used the outcome could be undefined. Now, the last call will prevail.
* gnutls_session_set_verify_cert: doc update | Nikos Mavrogiannopoulos | 2016-12-20 | 1 | -0/+6
* Revert "priorities: set the additional verify flags instead of appending them" | Nikos Mavrogiannopoulos | 2016-12-20 | 1 | -1/+1
  This reverts commit aaf49747f981f6c17cdc9ea7495a8948a5015ae2.
* Merge branch 'tmp-priority-fix' into 'master' | Nikos Mavrogiannopoulos | 2016-12-19 | 2 | -9/+12
  Fix issue with multiple calls to priority functions
  See merge request !195
* Merge branch 'tmp-x509-print-fix' into 'master' | Nikos Mavrogiannopoulos | 2016-12-17 | 2 | -12/+13
  Updates in X.509 certificate handling
  Relates to #156
  See merge request !192
* _gnutls_pkcs_raw_decrypt_data: merge all errors during decryption to GNUTLS_E_DECRYPTION_FAILED | Nikos Mavrogiannopoulos | 2016-12-14 | 1 | -3/+4
  This makes the function's return values simpler to handle.
* pkcs8: ensure that the correct error code is returned on decryption failure | Nikos Mavrogiannopoulos | 2016-12-13 | 1 | -0/+1
* x509: better documented gnutls_trust_list_flags_t | Nikos Mavrogiannopoulos | 2016-12-09 | 3 | -7/+34
* handshake: return GNUTLS_E_ILLEGAL_PARAMETER on invalid ID size | Nikos Mavrogiannopoulos | 2016-12-09 | 1 | -1/+1
  This is a more sensible error code to return on invalid packet.
* str: do not call gnutls_assert in inline function | Nikos Mavrogiannopoulos | 2016-12-08 | 1 | -1/+2
  This allows the build to succeed when compiled without libidn.
* gnutls_x509_crt_check_email type changed to unsigned | Nikos Mavrogiannopoulos | 2016-12-08 | 2 | -2/+2
  This reflects the documented returned value type (bool), and allows the compiler to warn on accidental checks for negative value.
* x509: do not attempt to ACE encode values stored in certificates | Nikos Mavrogiannopoulos | 2016-12-08 | 2 | -36/+12
  The email and hostname values are required to be in ASCII form by PKIX. We instead ignore these names, if their values are outside the ASCII printable character set.
* gnutls_x509_privkey_cpy: use _gnutls_pk_params_copy | Nikos Mavrogiannopoulos | 2016-12-07 | 1 | -11/+6
  This ensures that all fields of parameters are copied. Inspired by patch of Dmitry Eremin-Solenikov.
* x509 crl: document the nextUpdate field limitation | Nikos Mavrogiannopoulos | 2016-12-07 | 1 | -0/+5
* x509 crl: Allow generation of CRLs not to specify a nextUpdate | Nikos Mavrogiannopoulos | 2016-12-07 | 1 | -0/+6
* DTLS: more precise overhead calculation | Nikos Mavrogiannopoulos | 2016-12-06 | 1 | -21/+52
  That takes into account space available due to padding, and allows it to be included for use in the gnutls_get_data_mtu().
  Resolves #140
* tpm: fix handling of keys requiring authorization | James Bottomley | 2016-12-05 | 1 | -28/+44
  There are several problems with the key handling in the tpm code. The first, and most serious, is that we should make sure we understand the authorization requirements of a key *before* using it. The reason for this is that the TPM has a dictionary attack defence and is programmed to lock up after a certain number of authorization failures (which can be very small). If we try first without authorization, we may lock up the TPM. The fix for this is to check whether authorization is required and supply it before using the key.
  Secondly, if the key does require authorization but no password is supplied we should return immediately, since we know the TPM will give us an authorization error anyway.
  Thirdly, we should unconditionally read the policy of the key rather than checking if a policy exists: Policies are tied to key objects, so if there is an old policy in s->tpm_key_policy, but we're creating a new key, the key it belonged to will be closed, meaning the policy will be invalid. Fix this by always setting the policy each time we get a new key object.
  Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
* In import_tpm_key_cb() fix the wrong password loop | Nikos Mavrogiannopoulos | 2016-12-05 | 3 | -0/+12
  When calling import_tpm_key() once it initializes the key, but a second call fails due to the key being already initialized. Ensure that failure of import_tpm_key() leaves the key on a clear state.
  Reported by James Bottomley <James.Bottomley@HansenPartnership.com>.
* gl: removed iconv module | Nikos Mavrogiannopoulos | 2016-12-04 | 2 | -2/+2
  It is no longer used by the library.
* x509: fixed output of pubkey | Nikos Mavrogiannopoulos | 2016-12-02 | 1 | -1/+1
* doc: document the fact that certificates and CRLs are unusable after generation | Nikos Mavrogiannopoulos | 2016-12-01 | 2 | -0/+18
  They must be exported and re-imported if intended to be used for signing or verification.
* doc: no longer list SHA1 as a safe choice in X.509 signing | Nikos Mavrogiannopoulos | 2016-12-01 | 2 | -4/+4
* gnutls_x509_crl_verify: always return zero on success | Nikos Mavrogiannopoulos | 2016-12-01 | 1 | -1/+6
  Also document that in previous versions a positive number could be returned on success. Reported by Adrien Beraud.
* Improved messages and violation handling in signature key usage checks | Nikos Mavrogiannopoulos | 2016-12-01 | 1 | -6/+17
  This will now tolerate violations in server certificate, if %DEBUG_ALLOW_KEY_USAGE_VIOLATIONS is set.
* Removed redundant certificate key usage checks. | Nikos Mavrogiannopoulos | 2016-12-01 | 4 | -74/+53
  There were redundant checks when a certificate was obtained, as well as prior to performing operations with certificates/pubkeys. Kept the checks prior to operations.
* _gnutls_map_pk_get_pk -> _gnutls_map_kx_get_pk | Nikos Mavrogiannopoulos | 2016-12-01 | 4 | -5/+5
* gnutls_kx_get: allow calling the function during handshake | Nikos Mavrogiannopoulos | 2016-12-01 | 1 | -1/+6
  Previously this function would return garbage during handshake, because parameters were not considered established, however there are valid uses of this function during it. For that reason this function is modified to return a correct value even during handshake (after a hello is being exchanged).
* _gnutls_check_key_usage: check for invalid key exchange algorithm | Nikos Mavrogiannopoulos | 2016-12-01 | 1 | -1/+1
  Reported by Dmitry Eremin-Solenikov.