| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|\
| |
| |
| |
| |
| |
| | |
gnutls_priority_init: ignore CTYPE-OPENPGP options
Closes #593
See merge request gnutls/gnutls!789
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In GnuTLS 3.6.0 we dropped support for openpgp keys, however
the CTYPE-OPENPGP is often seen in applications, sometimes
as -CTYPE-OPENPGP to ensure it is not enabled. We simply
ignore this priority string when seen, to avoid preventing
these applications from running.
Resolves #593
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|/
|
|
|
|
|
| |
Previously it had assumed that TLS 1.2 servers don't send the
extension, while actually it can be present in ServerHello.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The sanity tests we moved prior to setting these priorities
and the %GNUTLS_E_NO_PRIORITIES_WERE_SET error code is returned
consistently to indicate that the existing priorities were not
overwritten.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
When an application would re-set priorities prior to a rehandshake
we would override the negotiated version with the highest supported,
something which may lead to issues. This disables that unnecessary
version override. See:
https://bugzilla.redhat.com/show_bug.cgi?id=1634736
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Test vectors provided in standard are not that usefull (they use
unsupported curves with a != -3), so these test vectors were generated
by hand.
Fixes #492
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
If nettle's CMAC is not available, use a vendored in version from master.
This is necessary as long as we need to link against 3.4 for ABI
compatibility reasons.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Add tests for:
- GOST 28147-89 CFB cipher
- GOST R 34.11-94 hash function
- Streebog-256/-512 hash functions
- HMAC using GOST R 34.11-94/Streebog functions
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
|
|
|
| |
gost28147-89 code contained c&p error, which resulted in using S-BOX
CryptoPro-A instead of -B, -C, -D. Fix that.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|\
| |
| |
| |
| |
| |
| | |
Add support for AES CFB8 cipher
Closes #357
See merge request gnutls/gnutls!783
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
If nettle's CFB8 is not available, use a vendored in version from master.
This is necessary as long as we need to link against 3.4 for ABI
compatibility reasons.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
| |
| |
| |
| |
| |
| | |
Previously, the server treated the condition as error, while it is
possible that ob_ticket_age may have wrapped round by 2^32.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Previously we calculated ticket age from the current wall clock in
seconds, multiplying by 1000. This is conceptually wrong, because
ticket age is designed to be in milliseconds.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
While gettime() is extensively used in the code, the library
previously hadn't provided a way to replace it for testing. This adds
a new internal function _gnutls_global_set_gettime_function and makes
use of it through virt-time.h.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|/
|
|
|
|
| |
This is consistent with the coding guideline.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\
| |
| |
| |
| | |
fips140: aligned code with documentation
See merge request gnutls/gnutls!781
|
| |
| |
| |
| |
| |
| |
| | |
That is, we introduce the documented but unimplemented macros
GNUTLS_FIPS140_SET_LAX_MODE() and GNUTLS_FIPS140_SET_STRICT_MODE().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
| |
Previously we would call gnutls_pkcs11_token_set_pin() without an
old PIN provided, which will result to the use of C_InitPIN() on the
underlying module. The C_InitPIN() in contrast with C_SetPIN() will
only work for the user and not for the administrator. As such, we
always provide the oldpin for when we change the admin's PIN.
Resolves #561
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| |
| |
| | |
Cleanup and fixes
Closes #453
See merge request gnutls/gnutls!779
|
| |
| |
| |
| | |
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
| |
| |
| |
| | |
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
| |
| |
| |
| | |
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
| |
| |
| |
| |
| |
| | |
consistency reasons with its client couterpart.
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
| |
| |
| |
| |
| |
| | |
certificate_credential_append_keypair().
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
| |
| |
| |
| | |
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
| |
| |
| |
| | |
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
| |
| |
| |
| | |
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
| |
| |
| |
| | |
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
| |
| |
| |
| | |
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
|\ \
| |/
|/|
| |
| |
| |
| | |
update tlsfuzzer scripts to latest version
Closes #591
See merge request gnutls/gnutls!774
|
| |
| |
| |
| |
| |
| |
| | |
When a key share extension is not seen under TLS1.3, send
the missing extension alert.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\ \
| |/
|/|
| |
| |
| |
| | |
pkcs11 uris: the scheme is case insensitive
Closes #590
See merge request gnutls/gnutls!616
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Makes the comparisons of the URI scheme to use c_strcasecmp
from gnulib. It also replaces various straw strcasecmp with
the gnulib variant. This ensures that comparison will be
reliable irrespective of the locale.
Resolves #590
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When a certificate callback is used and no certificate is provided
by it, return an error rather than trying to use it (and crashing)
later. Note that this affects only an "illegal" code path when
a server would have provided no certificate, something which must
not happen on a real-world server.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
|
|
|
|
|
| |
This introduces the GNUTLS_AUTO_REAUTH gnutls_init() flag and makes
re-authentication under TLS simpler to enable and use.
Resolves #571
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| |
| |
| | |
gnutls_priority_set: do not override version on handshake
Closes #580
See merge request gnutls/gnutls!765
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When handshake is in progress, do not override the default TLS
version in the session. This allows gnutls_priority_set to be called
in the post_client_hello function without breaking the handshake.
Resolves #580
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Although there are no ciphers defined for TLS1.3 which would overflow
the assumed bound, an explicit check is necessary to avoid that code
be a liability in future updates.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| |
| |
| | |
Use ASCII version of strcasecmp() in library code
Closes #570
See merge request gnutls/gnutls!764
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
strcasecmp() has side effects in some locales.
What we really need is c_strcasecmp() from Gnulib for comparing
ASCII strings.
Fixes #570
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|\ \
| |/
|/|
| |
| | |
manpage generation cleanup
See merge request gnutls/gnutls!760
|