summaryrefslogtreecommitdiff
path: root/lib
Commit message (Collapse)AuthorAgeFilesLines
* handshake: add missing initialization of local variableDaiki Ueno2019-03-271-0/+2
| | | | | | | Resolves: #704 Signed-off-by: Daiki Ueno <dueno@redhat.com> Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'sha3_selftests' into 'master'Nikos Mavrogiannopoulos2019-03-261-0/+25
|\ | | | | | | | | fips140: Perform SHA-3 self tests See merge request gnutls/gnutls!958
| * fips140: Perform SHA-3 self testsAnderson Toshiyuki Sasaki2019-03-261-0/+25
| | | | | | | | | | | | | | It is required to perform the self tests to validate SHA-3 implementation. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* | Merge branch 'tmp-increase-nr-of-tickets' into 'master'Nikos Mavrogiannopoulos2019-03-265-31/+58
|\ \ | |/ |/| | | | | | | | | handshake: increase the default number of tickets we send to 2 Closes #596 See merge request gnutls/gnutls!942
| * handshake: increase the default number of tickets we send to 2tmp-increase-nr-of-ticketsNikos Mavrogiannopoulos2019-03-205-31/+58
| | | | | | | | | | | | | | | | | | | | | | This makes it easier for clients which perform multiple connections to the server to use the tickets sent by a default server. That's because 2 tickets allow for 2 new connections (if one is using each ticket once as recommended), which in turn lead to 4 new and so on. Resolves: #596 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-improve-session-resumption' into 'master'Nikos Mavrogiannopoulos2019-03-225-10/+34
|\ \ | | | | | | | | | | | | | | | | | | Improved estimation of wait in gnutls_session_get_data2 Closes #706 See merge request gnutls/gnutls!936
| * | Improved estimation of wait in gnutls_session_get_data2tmp-improve-session-resumptionNikos Mavrogiannopoulos2019-03-195-10/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously we would wait an arbitrary value of 50ms for the server to send session tickets. This change makes the client wait for the estimated single trip time + 60 ms for the server to calculate the session tickets. This improves the chance to obtain tickets from internet servers during the call of gnutls_session_get_data2(). Resolves: #706 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | _x509_en/decode_provable_seed: clarified purpose of functions [ci skip]Nikos Mavrogiannopoulos2019-03-201-0/+6
| |/ |/| | | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-fix-pkcs11-so' into 'master'Nikos Mavrogiannopoulos2019-03-191-1/+1
|\ \ | |/ |/| | | | | | | | | pkcs11: security officer login implies writable session Closes #721 See merge request gnutls/gnutls!953
| * pkcs11: security officer login implies writable sessiontmp-fix-pkcs11-soNikos Mavrogiannopoulos2019-03-151-1/+1
| | | | | | | | | | | | | | | | | | According to the PKCS#11 v2.30, 6.7.1 there are no read-only Security Officer sessions. Resolves: #721 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Removed all FIXME comments in code [ci skip]Nikos Mavrogiannopoulos2019-03-1612-33/+13
|/ | | | | | | | We expand informational comments on limitations, but with removing FIXME (keyword didn't help fixing these), and remove completely unhelpful comments, obsolete ones, or comments about ideas. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Use https:// in lib/, src/, and m4/Tim Rühsen2019-03-1312-20/+20
| | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Use https:// for www.gnu.org and www.example.comTim Rühsen2019-03-13422-422/+422
| | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Merge branch 'tmp-explicit-sanity-checks' into 'master'Nikos Mavrogiannopoulos2019-03-062-4/+24
|\ | | | | | | | | cleanup: _gnutls_recv_handshake: added explicit sanity checks See merge request gnutls/gnutls!937
| * _gnutls_recv_handshake: added explicit sanity checkstmp-explicit-sanity-checksNikos Mavrogiannopoulos2019-02-232-4/+24
| | | | | | | | | | | | | | | | | | Although, this function acts on the message provided as expected and thus it should never call a message parsing function on unexpected messages, we make a more explicit sanity check. This unifies the sanity checks existing within the involved functions. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | Merge branch 'tmp-cert-req' into 'master'Daiki Ueno2019-03-064-2/+18
|\ \ | | | | | | | | | | | | | | | | | | TLS 1.3: utilize "certificate_required" alert Closes #715 See merge request gnutls/gnutls!946
| * | tls13/certificate: utilize "certificate_required" alerttmp-cert-reqDaiki Ueno2019-03-054-2/+14
| | | | | | | | | | | | | | | | | | | | | This could make errors more distinguishable when the client sends no certificates or a bad certificate. Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | alert: recognize "certificate_required"Daiki Ueno2019-03-042-0/+4
| | | | | | | | | | | | | | | | | | This may be sent if the server received an empty Certificate message. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | | Merge branch 'tmp-doc-update-iv' into 'master'Nikos Mavrogiannopoulos2019-03-052-12/+16
|\ \ \ | |/ / |/| | | | | | | | | | | | | | Improve documentation for gnutls_cipher_get_iv_size and AEAD ciphers Closes #717 See merge request gnutls/gnutls!941
| * | Clarifications on AEAD cipherstmp-doc-update-ivNikos Mavrogiannopoulos2019-03-011-10/+12
| | | | | | | | | | | | | | | | | | Relates: #716 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | Improve documentation for gnutls_cipher_get_iv_sizeNikos Mavrogiannopoulos2019-03-011-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | This clarifies what is returned and what is to be expected on algorithms with variable IV sizes. Resolves: #717 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | fips140: Ignore newlines read at the end of HMAC fileAnderson Toshiyuki Sasaki2019-03-041-0/+7
| | | | | | | | | | | | | | | | | | | | | This makes the integrity check to ignore newlines appended after the HMAC value. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* | | fips140: Fix the names of files used in integrity checksAnderson Toshiyuki Sasaki2019-03-041-3/+3
| | | | | | | | | | | | | | | | | | | | | The names of the libraries haven't been updated when the soname version were bumped. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* | | Merge branch 'tmp-false-start-clarifications' into 'master'Nikos Mavrogiannopoulos2019-03-027-19/+84
|\ \ \ | |/ / |/| | | | | | | | | | | | | | Fixed operation under multiple threads Closes #713 See merge request gnutls/gnutls!935
| * | Protected _gnutls_epoch_get from _gnutls_epoch_gc on false startNikos Mavrogiannopoulos2019-03-023-7/+37
| | | | | | | | | | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | gnutls_record_send2: try to ensure integrity of operations on false and ↵Nikos Mavrogiannopoulos2019-03-025-10/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | early start This adds a double check in the sanity check of gnutls_record_send2() for the initial_negotiation_completed value, making sure that the check will be successful even in parallel operation of send/recv. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | Make false start and early start multi-thread recv/send safeNikos Mavrogiannopoulos2019-03-021-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | An application that is sending and receiving from different threads after handshake is complete cannot take advantage of false start because gnutls_record_send2() detects operations during the handshake process as invalid. Because in early start and false start the remaining handshake process needs only to receive data, and the sending side is already set-up, this error detection is bogus. With this patch we remove it. Resolves: #713 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| * | doc: added more information on operation under multiple threadsNikos Mavrogiannopoulos2019-03-022-1/+4
| | | | | | | | | | | | | | | | | | Relates: #713 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | pkcs11: clarify GNUTLS_PKCS11_TOKEN_MODNAME presence [ci skip]tmp-token-modname-clarificationsNikos Mavrogiannopoulos2019-02-261-1/+2
|/ / | | | | | | | | | | Resolves: #633 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'tmp-reset-after-free' into 'master'Tim Rühsen2019-02-2331-72/+14
|\ \ | | | | | | | | | | | | Automatically NULLify after gnutls_free() See merge request gnutls/gnutls!923
| * | gnutls_x509_crt_init: Fix dereference of NULL pointertmp-reset-after-freeTim Rühsen2019-02-221-1/+1
| | | | | | | | | | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
| * | Remove redundant resets of variables after free()Tim Rühsen2019-02-2230-71/+9
| | | | | | | | | | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
| * | Automatically NULLify after gnutls_free()Tim Rühsen2019-02-221-0/+4
| | | | | | | | | | | | | | | | | | | | | This method prevents direct use-after-free and double-free issues. Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | | Merge branch 'tmp-cleanup-cert' into 'master'Tim Rühsen2019-02-231-26/+12
|\ \ \ | |_|/ |/| | | | | | | | Cleanup lib/auth/cert.c as suggested by cppcheck See merge request gnutls/gnutls!924
| * | Cleanup lib/auth/cert.c as suggested by cppchecktmp-cleanup-certTim Rühsen2019-02-131-26/+12
| | | | | | | | | | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | | Merge branch 'tmp-downgrade-sentinel' into 'master'Daiki Ueno2019-02-221-0/+15
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | handshake: defer setting downgrade sentinel until version is selected Closes #689 See merge request gnutls/gnutls!918
| * | | ext/supported_versions: regenerate server randomDaiki Ueno2019-02-221-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds a call to _gnutls_gen_server_random() in handling the "supported_versions" extension, so that the TLS 1.3 downgrade sentinel is set only when the earlier versions are selected. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | | | Merge branch 'use_topendir_fixed' into 'master'Tim Rühsen2019-02-224-13/+56
|\ \ \ \ | |_|_|/ |/| | | | | | | | | | | Re-introduce topendir on Windows with Unicode support See merge request gnutls/gnutls!932
| * | | lib: x509: Minor directory browsing simplificationHugo Beauzée-Luyssen2019-02-211-6/+3
| | | | | | | | | | | | | | | | Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
| * | | Revert "Revert "verify-high2: Fix cert dir iteration on Win32""Hugo Beauzée-Luyssen2019-02-211-2/+49
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit 681330882da19099eea360fab141cab937c45677. Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr> This revert also contains the fix to the original commit (invalid utf8->utf16 conversion) and a minor simplification of the _treaddir loop.
| * | | iconv: Allow _gnutls_utf8_to_ucs2 to output little endianHugo Beauzée-Luyssen2019-02-213-5/+4
| |/ / | | | | | | | | | Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
* | | lib: Provide _Thread_local on MSVCHugo Beauzée-Luyssen2019-02-201-0/+2
|/ / | | | | | | Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
* | gnutls_record_set_max_size: make it work on server sidetmp-fix-record-size-limit-resumptionDaiki Ueno2019-02-141-5/+4
| | | | | | | | | | | | | | | | The record_size_limit extension can also be specified by the server to indicate the maximum plaintext. Also add test cases for asymmetric settings between server and client. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | ext/record_size_limit: account for content type octet in TLS 1.3Daiki Ueno2019-02-141-3/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | In TLS 1.3, the protocol maximum of plaintext size is 2^14+1, while it is 2^14 in TLS 1.2. To accommodate that, this introduces the following invariant: - when the maximum is set by the user with gnutls_record_set_max_size(), store it as is. The value range is [511, 16834]. - when the maximum is negotiated through record_size_limit extension, it can be [512, 16385]. In TLS 1.3, subtract by 1 to fit in [511, 16384]. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | decrypt_packet_tls13: add check for max plaintext sizeDaiki Ueno2019-02-141-0/+9
| | | | | | | | | | | | | | There is check in _gnutls_recv_in_buffers already, but for TLS 1.3 we need to take account of the padding. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | record: reject too large plaintext after decryptionDaiki Ueno2019-02-141-0/+9
| | | | | | | | Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | constate: reset max_record_recv_size upon renegotiationDaiki Ueno2019-02-141-0/+9
| | | | | | | | Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | session_pack: reset max_record_recv_size when packingDaiki Ueno2019-02-141-3/+12
| | | | | | | | Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | ext/record_size_limit: don't confuse with negotiated/user-supplied maximumDaiki Ueno2019-02-142-14/+35
| | | | | | | | | | | | | | | | As documented in gnutls_int.h, max_record_send_size is for tracking the user-supplied maximum, while max_record_recv_size for the protocol negotiated maximum. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | ext/max_record: server shouldn't send it with record_size_limitDaiki Ueno2019-02-144-8/+11
| | | | | | | | | | | | | | | | | | Otherwise, the connection will be disconnected by the client, as suggested in RFC: A client MUST treat receipt of both "max_fragment_length" and "record_size_limit" as a fatal error, and it SHOULD generate an "illegal_parameter" alert. Signed-off-by: Daiki Ueno <dueno@redhat.com>
View Lorry Controller Status