path: root/lib
Commit message (Author, Age, Files, Lines)
* Unconditionally include nettle/memxor.h [branch: tmp-remove-gl-memxor] (Tim Rühsen, 2018-11-10, 1, -5/+0)
|     Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Merge branch 'tmp-ignore-ctypes' into 'master' (Nikos Mavrogiannopoulos, 2018-11-02, 1, -22/+28)
|\
| |     gnutls_priority_init: ignore CTYPE-OPENPGP options
| |     Closes #593
| |     See merge request gnutls/gnutls!789
| * gnutls_priority_init: ignore CTYPE-OPENPGP options [branch: tmp-ignore-ctypes] (Nikos Mavrogiannopoulos, 2018-11-01, 1, -0/+3)
| |     In GnuTLS 3.6.0 we dropped support for openpgp keys, however the CTYPE-OPENPGP is often seen in applications, sometimes as -CTYPE-OPENPGP to ensure it is not enabled. We simply ignore this priority string when seen, to avoid preventing these applications from running.
| |     Resolves #593
| |     Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| * gnutls_priority_init: fixed indentation according to project rules (Nikos Mavrogiannopoulos, 2018-11-01, 1, -22/+25)
| |     Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | ext/record_size_limit: handle the extension in TLS 1.2 ServerHello [branch: tmp-fix-record-size-limit-tls12] (Daiki Ueno, 2018-11-01, 1, -1/+1)
|/
|     Previously it had assumed that TLS 1.2 servers don't send the extension, while actually it can be present in ServerHello.
|     Signed-off-by: Daiki Ueno <dueno@redhat.com>
* gnutls_priority_set: re-organized [branch: tmp-fix-priority-set] (Nikos Mavrogiannopoulos, 2018-10-31, 1, -22/+22)
|     The sanity tests were moved prior to setting these priorities and the %GNUTLS_E_NO_PRIORITIES_WERE_SET error code is returned consistently to indicate that the existing priorities were not overwritten.
|     Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_priority_set: do not override the version after handshake is complete (Nikos Mavrogiannopoulos, 2018-10-30, 1, -4/+6)
|     When an application would re-set priorities prior to a rehandshake we would override the negotiated version with the highest supported, something which may lead to issues. This disables that unnecessary version override.
|     See: https://bugzilla.redhat.com/show_bug.cgi?id=1634736
|     Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* self-tests: add GOST public key tests (Dmitry Eremin-Solenikov, 2018-10-29, 1, -2/+88)
|     Test vectors provided in standard are not that useful (they use unsupported curves with a != -3), so these test vectors were generated by hand.
|     Fixes #492
|     Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Add selftests for CMAC (Simo Sorce, 2018-10-28, 2, -0/+29)
|     Signed-off-by: Simo Sorce <simo@redhat.com>
* Vendor in CMAC functionality from Nettle (Simo Sorce, 2018-10-28, 4, -0/+359)
|     If nettle's CMAC is not available, use a vendored in version from master. This is necessary as long as we need to link against 3.4 for ABI compatibility reasons.
|     Signed-off-by: Simo Sorce <simo@redhat.com>
* Add CMAC Support (Simo Sorce, 2018-10-28, 3, -0/+44)
|     Signed-off-by: Simo Sorce <simo@redhat.com>
* self-tests: add GOST symmetric algorithms tests (Dmitry Eremin-Solenikov, 2018-10-28, 1, -0/+197)
|     Add tests for:
|      - GOST 28147-89 CFB cipher
|      - GOST R 34.11-94 hash function
|      - Streebog-256/-512 hash functions
|      - HMAC using GOST R 34.11-94/Streebog functions
|     Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* nettle: fix s-boxes selection for rare GOST 28147-89 variants (Dmitry Eremin-Solenikov, 2018-10-28, 1, -3/+3)
|     gost28147-89 code contained c&p error, which resulted in using S-BOX CryptoPro-A instead of -B, -C, -D. Fix that.
|     Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Merge branch 'cfb8' into 'master' (Dmitry Eremin-Solenikov, 2018-10-26, 8, -1/+363)
|\
| |     Add support for AES CFB8 cipher
| |     Closes #357
| |     See merge request gnutls/gnutls!783
| * Add selftest for CFB8 (Simo Sorce, 2018-10-25, 3, -0/+80)
| |
| * Vendor in CFB8 functionality from Nettle (Simo Sorce, 2018-10-24, 4, -1/+219)
| |     If nettle's CFB8 is not available, use a vendored in version from master. This is necessary as long as we need to link against 3.4 for ABI compatibility reasons.
| |     Signed-off-by: Simo Sorce <simo@redhat.com>
| * Add AES-CFB8 Support (Simo Sorce, 2018-10-24, 2, -0/+64)
| |     Signed-off-by: Simo Sorce <simo@redhat.com>
* | ext/pre_shared_key: don't assume ob_ticket_age < ticket_age_add [branch: tmp-session-ticket-timestamp] (Daiki Ueno, 2018-10-26, 1, -6/+0)
| |     Previously, the server treated the condition as error, while it is possible that ob_ticket_age may have wrapped round by 2^32.
| |     Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | tls13/session_ticket: calculate ticket_age in milliseconds (Daiki Ueno, 2018-10-26, 4, -12/+19)
| |     Previously we calculated ticket age from the current wall clock in seconds, multiplying by 1000. This is conceptually wrong, because ticket age is designed to be in milliseconds.
| |     Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | str: add macros to encode/decode struct timespec value (Daiki Ueno, 2018-10-26, 1, -0/+42)
| |     Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | system: provide a means to replace gettime implementation (Daiki Ueno, 2018-10-26, 10, -30/+45)
| |     While gettime() is extensively used in the code, the library previously hadn't provided a way to replace it for testing. This adds a new internal function _gnutls_global_set_gettime_function and makes use of it through virt-time.h.
| |     Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | _gnutls_timespec_cmp: new inline function (Daiki Ueno, 2018-10-25, 1, -0/+12)
| |     Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | tls13/session_ticket: rename tls13_ticket_t type to tls13_ticket_st (Daiki Ueno, 2018-10-25, 5, -19/+19)
|/
|     This is consistent with the coding guideline.
|     Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Merge branch 'tmp-fix-fips-mode' into 'master' (Nikos Mavrogiannopoulos, 2018-10-24, 1, -0/+10)
|\
| |     fips140: aligned code with documentation
| |     See merge request gnutls/gnutls!781
| * fips140: aligned code with documentation [branch: tmp-fix-fips-mode] (Nikos Mavrogiannopoulos, 2018-10-23, 1, -0/+10)
| |     That is, we introduce the documented but unimplemented macros GNUTLS_FIPS140_SET_LAX_MODE() and GNUTLS_FIPS140_SET_STRICT_MODE().
| |     Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | p11tool: fix initialization of security officer's PIN [branch: tmp-initialize-so-pin-fix] (Nikos Mavrogiannopoulos, 2018-10-24, 3, -14/+47)
|/
|     Previously we would call gnutls_pkcs11_token_set_pin() without an old PIN provided, which will result in the use of C_InitPIN() on the underlying module. The C_InitPIN() in contrast with C_SetPIN() will only work for the user and not for the administrator. As such, we always provide the oldpin for when we change the admin's PIN.
|     Resolves #561
|     Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'tmp_cleanup_and_fixes' into 'master' (Nikos Mavrogiannopoulos, 2018-10-23, 31, -228/+227)
|\
| |     Cleanup and fixes
| |     Closes #453
| |     See merge request gnutls/gnutls!779
| * Simplified check for NULL pointer to reduce code changes. (Tom Vrancken, 2018-10-22, 1, -10/+11)
| |     Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
| * Unified abbreviation for certificate type priorities in code. (Tom Vrancken, 2018-10-22, 2, -18/+18)
| |     Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
| * Renamed CHECK_AUTH macro to CHECK_AUTH_TYPE to be more clear what it checks. (Tom Vrancken, 2018-10-18, 4, -10/+10)
| |     Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
| * Renamed _gnutls_server_select_cert() to _gnutls_select_server_cert() for ↵ (Tom Vrancken, 2018-10-18, 3, -5/+5)
| |     consistency reasons with its client counterpart.
| |     Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
| * Renamed certificate_credential_append_crt_list() to ↵ (Tom Vrancken, 2018-10-18, 1, -7/+7)
| |     certificate_credential_append_keypair().
| |     Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
| * Renamed _gnutls_auth_info_set() to _gnutls_auth_info_init(). (Tom Vrancken, 2018-10-18, 14, -27/+27)
| |     Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
| * Renamed fields in priority_st to improve code readability. Fixes #453. (Tom Vrancken, 2018-10-18, 9, -140/+140)
| |     Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
| * Added NULL pointer check in gnutls_certificate_free_credentials for safety. (Tom Vrancken, 2018-10-18, 1, -11/+14)
| |     Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
| * Renamed _gnutls_proc_x509_server_crt to _gnutls_proc_x509_crt. (Tom Vrancken, 2018-10-18, 1, -2/+2)
| |     Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
| * Small fixes for comments and log strings. (Tom Vrancken, 2018-10-18, 4, -29/+24)
| |     Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* | Merge branch 'tmp-update-tlsfuzzer' into 'master' (Nikos Mavrogiannopoulos, 2018-10-19, 6, -11/+43)
|\ \
| |/
|/|
| |     update tlsfuzzer scripts to latest version
| |     Closes #591
| |     See merge request gnutls/gnutls!774
| * handshake: send missing extension alert (Nikos Mavrogiannopoulos, 2018-10-16, 6, -11/+43)
| |     When a key share extension is not seen under TLS1.3, send the missing extension alert.
| |     Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-uris' into 'master' (Nikos Mavrogiannopoulos, 2018-10-18, 4, -25/+30)
|\ \
| |/
|/|
| |     pkcs11 uris: the scheme is case insensitive
| |     Closes #590
| |     See merge request gnutls/gnutls!616
| * pkcs11 uris: the URI scheme is case insensitive [branch: tmp-uris] (Nikos Mavrogiannopoulos, 2018-10-12, 4, -25/+30)
| |     Makes the comparisons of the URI scheme to use c_strcasecmp from gnulib. It also replaces various straw strcasecmp with the gnulib variant. This ensures that comparison will be reliable irrespective of the locale.
| |     Resolves #590
| |     Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | _gnutls_server_select_cert: return error when no server cert is selected [branch: tmp-auto-reauth] (Nikos Mavrogiannopoulos, 2018-10-16, 1, -3/+4)
| |     When a certificate callback is used and no certificate is provided by it, return an error rather than trying to use it (and crashing) later. Note that this affects only an "illegal" code path when a server would have provided no certificate, something which must not happen on a real-world server.
| |     Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | gnutls_init: added flag for automatic re-authentication (Nikos Mavrogiannopoulos, 2018-10-16, 7, -39/+89)
|/
|     This introduces the GNUTLS_AUTO_REAUTH gnutls_init() flag and makes re-authentication under TLS simpler to enable and use.
|     Resolves #571
|     Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'tmp-fix-priority-set-call' into 'master' (Nikos Mavrogiannopoulos, 2018-10-04, 2, -13/+32)
|\
| |     gnutls_priority_set: do not override version on handshake
| |     Closes #580
| |     See merge request gnutls/gnutls!765
| * gnutls_priority_set: do not override version on handshake [branch: tmp-fix-priority-set-call] (Nikos Mavrogiannopoulos, 2018-10-03, 2, -13/+32)
| |     When handshake is in progress, do not override the default TLS version in the session. This allows gnutls_priority_set to be called in the post_client_hello function without breaking the handshake.
| |     Resolves #580
| |     Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | encrypt_packet_tls13: added explicit check on iv_size bounds [branch: tmp-check-iv-size] (Nikos Mavrogiannopoulos, 2018-10-02, 1, -0/+3)
| |     Although there are no ciphers defined for TLS1.3 which would overflow the assumed bound, an explicit check is necessary to avoid that code be a liability in future updates.
| |     Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | privkey_pkcs8: added reference for validation parameters OID [ci skip] (Nikos Mavrogiannopoulos, 2018-10-01, 2, -0/+2)
|/
|     Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'tmp-lib-c-strcase' into 'master' (Nikos Mavrogiannopoulos, 2018-09-29, 10, -52/+62)
|\
| |     Use ASCII version of strcasecmp() in library code
| |     Closes #570
| |     See merge request gnutls/gnutls!764
| * Use ASCII version of strcasecmp() in library code [branch: tmp-lib-c-strcase] (Tim Rühsen, 2018-09-27, 10, -52/+62)
| |     strcasecmp() has side effects in some locales. What we really need is c_strcasecmp() from Gnulib for comparing ASCII strings.
| |     Fixes #570
| |     Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | Merge branch 'tmp-cleanup-in-docs' into 'master' (Tim Rühsen, 2018-09-28, 6, -4/+15)
|\ \
| |/
|/|
| |     manpage generation cleanup
| |     See merge request gnutls/gnutls!760