path: root/lib
Commit message | Author | Age | Files | Lines
* lib: removed legacy debugging code [tmp-remove-debugging-code] | Nikos Mavrogiannopoulos | 2017-08-18 | 2 | -41/+0
  That code was code from the initial versions of gnutls. It was neither used nor updated for a long time.
  Relates #248
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_crl_get_issuer_dn: removed unnecessary const | Nikos Mavrogiannopoulos | 2017-08-18 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* sign APIs: introduce RSA-RAW signing algorithm | Nikos Mavrogiannopoulos | 2017-08-17 | 9 | -41/+94
  This ensures that there is a signing algorithm for all the operations we support. Previously, we required GNUTLS_SIGN_UNKNOWN to be acceptable by signing functions to accommodate for raw RSA operations. Now we make that explicit and in the process clean-up the API.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_recv_server_certificate_status: use the same type in subtracted values | Nikos Mavrogiannopoulos | 2017-08-16 | 1 | -2/+2
  This ensures that there are no issues with subtracting those values. Note that the second is read from an uint24_t and thus it is always positive regardless of its type.
  Resolves #245
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_proc_srp_client_kx: use same type in subtracted values | Nikos Mavrogiannopoulos | 2017-08-16 | 1 | -1/+1
  This ensures that there are no issues with subtracting those values. Note that the second is read from an uint16_t and thus it is always positive regardless of its type.
  Resolves #244
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* fuzzer: Suppress unsigned integer overflow in rnd-fuzzer.c | Tim Rühsen | 2017-08-16 | 1 | -0/+6
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* fuzzer: added a fuzzer target | Nikos Mavrogiannopoulos | 2017-08-16 | 5 | -2/+174
  This allows to compile the library with flags which will add predictable random generation and eliminate some crypto checks, in order for the library to be used for testing (fuzzing).
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_export: made a wrapper over gnutls_x509_privkey_export2() | Nikos Mavrogiannopoulos | 2017-08-15 | 1 | -30/+18
  In addition, improved function description.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_privkey_import_ext4: introduced to allow signing with RSA-PSS or Ed25519 keys | Nikos Mavrogiannopoulos | 2017-08-15 | 5 | -56/+201
  That function allows a signing callback which passes the signature algorithm, providing all the information to callback for signing. It also introduces GNUTLS_PRIVKEY_INFO_HAVE_SIGN_ALGO flag which allows the library to query the private key of the supported signature algorithms.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* reduce common asserts to assist in debugging the library | Nikos Mavrogiannopoulos | 2017-08-15 | 4 | -4/+0
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: eliminated unnecessary function wrappers | Nikos Mavrogiannopoulos | 2017-08-11 | 1 | -48/+17
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_int.h: reduce memory occupied by ext_data | Nikos Mavrogiannopoulos | 2017-08-11 | 1 | -2/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_int.h: reduced the maximum number of epoch states we keep | Nikos Mavrogiannopoulos | 2017-08-11 | 1 | -1/+1
  There was no need to keep 16 epochs, as we typically have only one or two active.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_int.h: removed unused variable from state | Nikos Mavrogiannopoulos | 2017-08-11 | 2 | -6/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* extensions: simplified requirements from send callback | Nikos Mavrogiannopoulos | 2017-08-11 | 3 | -15/+20
  The callback no longer needs to return the number of sent data; they are now calculated by the caller.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ext/ecc: renamed Supported curves extension | Nikos Mavrogiannopoulos | 2017-08-10 | 1 | -3/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* libgnutls.map: separated symbols introduced in 3.6.0 | Nikos Mavrogiannopoulos | 2017-08-09 | 1 | -4/+16
  This separation assists tools like rpm which can detect the right version of the library to use, by using the symbol version.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* rnd: use time_t for prng_reseed_time | Nikos Mavrogiannopoulos | 2017-08-09 | 1 | -1/+1
  This ensures that all time comparisons are done under the same type.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_import_pkcs8: fixed memory leak on incorrect key import | Nikos Mavrogiannopoulos | 2017-08-09 | 1 | -2/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_srp_verifier: corrected memory leak | Nikos Mavrogiannopoulos | 2017-08-09 | 1 | -0/+6
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* rsa-psk: corrected memory leak on invalid decrypt | Nikos Mavrogiannopoulos | 2017-08-09 | 1 | -0/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Fix memleaks in gnutls_x509_trust_list_add_crls() | Tim Rühsen | 2017-08-08 | 1 | -5/+14
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Fix memleak in gnutls_x509_crl_list_import() | Tim Rühsen | 2017-08-08 | 1 | -0/+1
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* publickey: fixed incorrect assignment | Nikos Mavrogiannopoulos | 2017-08-08 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* mac: simplified iteration functions | Nikos Mavrogiannopoulos | 2017-08-08 | 1 | -17/+6
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* corrected input to gnutls_sign_supports_pk_algorithm | Nikos Mavrogiannopoulos | 2017-08-08 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* extensions: corrected flag check | Nikos Mavrogiannopoulos | 2017-08-08 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* cert selection: prioritize RSA-PSS certs over RSA | Nikos Mavrogiannopoulos | 2017-08-08 | 4 | -9/+48
  RSA and RSA-PSS can both be used for RSA-PSS operations, and as such without prioritizing RSA-PSS certificates it is unknown which certificate will be used for an RSA-PSS operation. The reason we want to have only RSA-PSS keys used for RSA-PSS operations is to cover the use case where a server uses a legacy RSA certificate for clients that don't support RSA-PSS and an RSA-PSS certificate for the rest, thus separating the keys used for these client groups. That separation ensures that any issue on PKCS#1 1.5 (legacy RSA), would not affect sessions which use RSA-PSS.
  Resolves #243
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_certificate_credentials_t: combine privkey into cert_st structure | Nikos Mavrogiannopoulos | 2017-08-08 | 4 | -96/+61
  This reduces the number of applications and allows for easier use of the structure information, as they are now self-contained for most uses.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_pk_params_st: separate flags/qbits and curve | Nikos Mavrogiannopoulos | 2017-08-08 | 17 | -63/+69
  Previously we were using the field flags to store the size of q in case of GNUTLS_PK_DH, some key generation flags in case of GNUTLS_PK_RSA, and the curve in case of elliptic curve key. Separate this into multiple fields to reduce confusion on the field.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_privkey_verify_seed: improved error on missing validation parameters | Nikos Mavrogiannopoulos | 2017-08-07 | 3 | -2/+5
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* x509: no longer emit the previous custom format for provable parameters | Nikos Mavrogiannopoulos | 2017-08-07 | 6 | -112/+24
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509: store and read provable seed in PKCS#8 form of key | Nikos Mavrogiannopoulos | 2017-08-07 | 6 | -10/+201
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pkix.asn: removed unused DomainParameters | Nikos Mavrogiannopoulos | 2017-08-07 | 2 | -20/+0
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509: separated PKIX1 attributes parsing code for cert request handling | Nikos Mavrogiannopoulos | 2017-08-07 | 4 | -266/+335
  This allows other code to utilize it.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_fbase64_decode will always return non-zero [tmp-base64-reject-zero-length] | Nikos Mavrogiannopoulos | 2017-08-07 | 4 | -6/+5
  That is, document that fact and update its callers to remove checks for zero.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_base64_decode: reject all zero-length string encodings on decoding | Nikos Mavrogiannopoulos | 2017-08-06 | 1 | -4/+19
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* wrap_nettle_pk_fixup: added sanity check in RSA-PSS param checking | Nikos Mavrogiannopoulos | 2017-08-06 | 1 | -1/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* _decode_pkcs8_rsa_key: signal error in RSA privkey decoding | Nikos Mavrogiannopoulos | 2017-08-06 | 1 | -0/+1
  Addresses oss-fuzz issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2865
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* base64: reverted the raw semantics from the PEM encoding/decoding functions | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -22/+0
  Keeping the complex semantics with NULL headers would most likely cause issues in the future.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* base64: uniformly use GNUTLS_E_BASE64_DECODING_ERROR for decoding errors | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -3/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* base64: introduced new functions for base64 encoding | Nikos Mavrogiannopoulos | 2017-08-04 | 3 | -1/+73
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls_x509_privkey_import: allow importing ed25519 PKCS#8 keys in DER form | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -6/+10
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* sign/digest: separate "brokenness" of signatures and hash algorithms | Nikos Mavrogiannopoulos | 2017-08-04 | 7 | -51/+57
  That is, allow digital signatures to be marked as broken irrespective of their used hash, and restrict hash brokenness to preimage resistance.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* sign: use C99 syntax for signature algorithm's table | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -97/+252
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509_privkey: handle keys which can only have PKCS#8 form transparently | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -9/+26
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* privkey: reject signing with ext keys and GNUTLS_PK_RSA_PSS or GNUTLS_PK_EDDSA_ED25519 | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -0/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_check_key_cert_match: use the new API for signing | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -7/+9
  This ensures that the same signature algorithm is used for signing and verification.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* privkey: return less specific but more appropriate error on invalid pks for ext keys | Nikos Mavrogiannopoulos | 2017-08-04 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* prior to negotiating a signature check compatibility with private key | Nikos Mavrogiannopoulos | 2017-08-04 | 8 | -23/+85
  That is, check if the private key can support the public key operation needed for the signature. That in particular includes, excluding the Ed25519 and RSA-PSS from being used with the 'EXT' keys as the current API cannot handle them, and RSA-PSS from being used by PKCS#11 RSA keys which do not provide the CKM_RSA_PKCS_PSS mechanism.
  Relates #234
  Resolves #209
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>