Daiki Ueno [Wed, 7 Aug 2019 13:55:44 +0000 (15:55 +0200)]
nettle: prohibit deterministic ECDSA/DSA under FIPS except selftests
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Mon, 5 Aug 2019 13:21:55 +0000 (15:21 +0200)]
nettle: enable deterministic ECDSA/DSA during FIPS selftests
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Mon, 29 Jul 2019 12:01:11 +0000 (14:01 +0200)]
pk: implement deterministic ECDSA/DSA
This exposes the deterministic ECDSA/DSA functionality through the
GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Wed, 7 Aug 2019 12:37:00 +0000 (14:37 +0200)]
privkey_sign_prehashed: remove unused argument
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Mon, 29 Jul 2019 13:10:51 +0000 (15:10 +0200)]
privkey_sign_raw_data: remove unnecessary local variable
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Mon, 29 Jul 2019 12:00:30 +0000 (14:00 +0200)]
nettle: add functions for deterministic ECDSA/DSA
This adds functions to perform deterministic ECDSA/DSA, namely
_gnutls_{ecdsa,dsa}_compute_k(), which compute the k value according
to RFC 6979. The retrieved k value can be given to
nettle_{ecdsa,dsa}_sign() through a wrapper random function.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
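The k derivation this commit describes, written out as an added example in Python (not GnuTLS or Nettle code). It implements the HMAC_DRBG construction of RFC 6979 section 3.2, generalized to any group order and hash so that the bits2int truncation for orders whose bit length is not a multiple of 8 is handled, and it includes a wrapper "random function" in the spirit of the commit: a callback that hands the signer the precomputed k exactly once. The function names, the single-consumption guard and the assumption that the signer asks the callback for exactly one q-sized block are mine, not the project's; the P-256 order and the HMAC-based derivation are from the RFC. Note the FIPS caveat in the later commits on this page: under FIPS mode the library allows this only for self-tests.

```python
# Added example: RFC 6979 deterministic nonce derivation (not GnuTLS/Nettle code).
import hashlib
import hmac

# NIST P-256 group order (RFC 6979 calls it q).
P256_ORDER = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)


def _bits2int(data: bytes, qlen: int) -> int:
    """RFC 6979 2.3.2: interpret the leftmost qlen bits of data as an integer."""
    v = int.from_bytes(data, "big")
    blen = len(data) * 8
    return v >> (blen - qlen) if blen > qlen else v


def _int2octets(v: int, rolen: int) -> bytes:
    """RFC 6979 2.3.3: big-endian encoding padded to the octet length of q."""
    return v.to_bytes(rolen, "big")


def _bits2octets(data: bytes, q: int, qlen: int, rolen: int) -> bytes:
    """RFC 6979 2.3.4: bits2int, reduce mod q, then int2octets."""
    return _int2octets(_bits2int(data, qlen) % q, rolen)


def rfc6979_k(priv: int, h1: bytes, q: int, hashname: str = "sha256") -> int:
    """Derive the signing nonce k from (private key, message digest h1) per RFC 6979 3.2."""
    qlen = q.bit_length()
    rolen = (qlen + 7) // 8
    hlen = hashlib.new(hashname).digest_size

    def mac(key: bytes, msg: bytes) -> bytes:
        return hmac.new(key, msg, hashname).digest()

    x_oct = _int2octets(priv, rolen)
    h_oct = _bits2octets(h1, q, qlen, rolen)
    V = b"\x01" * hlen                       # step b
    K = b"\x00" * hlen                       # step c
    K = mac(K, V + b"\x00" + x_oct + h_oct)  # step d
    V = mac(K, V)                            # step e
    K = mac(K, V + b"\x01" + x_oct + h_oct)  # step f
    V = mac(K, V)                            # step g
    while True:                              # step h
        T = b""
        while len(T) * 8 < qlen:
            V = mac(K, V)
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range: re-key and retry (rare for P-256, common for small q).
        K = mac(K, V + b"\x00")
        V = mac(K, V)


def deterministic_nonce(priv: int, message: bytes, q: int, hashname: str = "sha256") -> int:
    """Convenience wrapper: hash the message with the signature hash, then derive k."""
    return rfc6979_k(priv, hashlib.new(hashname, message).digest(), q, hashname)


def make_k_rng(k: int, q: int):
    """Wrapper 'random function' in the spirit of the commit (hypothetical design, not Nettle's
    exact calling convention): the signer asks for random bytes and receives the precomputed k.
    The bytes are handed out once only, so a signer that asked twice could never reuse the nonce."""
    rolen = (q.bit_length() + 7) // 8
    state = {"buf": _int2octets(k, rolen)}

    def rng(nbytes: int) -> bytes:
        if state["buf"] is None or nbytes != len(state["buf"]):
            raise RuntimeError("deterministic nonce already consumed or size mismatch")
        out, state["buf"] = state["buf"], None
        return out

    return rng
```

With the RFC 6979 A.2.5 key, `deterministic_nonce(priv, b"sample", P256_ORDER)` reproduces the published k for SHA-256, which is the check to run against any implementation before trusting it: a nonce derivation that is deterministic but wrong is as fatal to the private key as a biased RNG.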
Nikos Mavrogiannopoulos [Tue, 6 Aug 2019 14:00:17 +0000 (14:00 +0000)]
Merge branch 'tmp-fixes' into 'master'
Minor fixes in 3.6.9 release
Closes #810 and #812
See merge request gnutls/gnutls!1053
Nikos Mavrogiannopoulos [Tue, 6 Aug 2019 12:07:47 +0000 (12:07 +0000)]
Merge branch 'patch-1' into 'master'
Notes about Ubuntu specific software versions not available.
See merge request gnutls/gnutls!1029
Nikos Mavrogiannopoulos [Fri, 2 Aug 2019 19:57:40 +0000 (21:57 +0200)]
read_cpuid_vals: use __get_cpuid_count() only when available
This makes the functionality available on gcc 4.8.
Resolves: #812
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 2 Aug 2019 20:16:31 +0000 (22:16 +0200)]
src/Makefile.am: fix detection of .bak files
This fixes the detection so that it works in builds outside the
source directory.
Resolves: #810
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 2 Aug 2019 19:25:39 +0000 (21:25 +0200)]
configure: AS_HELP_STRING cannot print variables; don't try
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 3 Aug 2019 05:21:33 +0000 (05:21 +0000)]
Merge branch 'tmp-sign-cas' into 'master'
certtool: default to yes on signing certificates for CAs
See merge request gnutls/gnutls!1048
Karsten Ohme [Tue, 18 Jun 2019 12:17:14 +0000 (12:17 +0000)]
Notes about Ubuntu specific software versions not available.
Signed-off-by: Karsten Ohme <k_o_@users.sourceforge.net>
Tim Rühsen [Tue, 30 Jul 2019 07:38:50 +0000 (07:38 +0000)]
Merge branch 'tmp-missing-inih-license' into 'master'
Ship inih/LICENSE.txt in release tarball
See merge request gnutls/gnutls!1050
Andreas Metzler [Mon, 29 Jul 2019 15:47:42 +0000 (17:47 +0200)]
Ship inih/LICENSE.txt in release tarball
inih's license terms require shipping a copy of the license when
redistributing the source.
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
Nikos Mavrogiannopoulos [Sat, 27 Jul 2019 19:20:53 +0000 (19:20 +0000)]
Merge branch 'mcatanzaro/#806' into 'master'
Improve documentation of gnutls_record_send()
Closes #806
See merge request gnutls/gnutls!1049
Michael Catanzaro [Fri, 26 Jul 2019 16:18:07 +0000 (11:18 -0500)]
Improve documentation of gnutls_record_send()
It's no longer required to retry this function with the same parameters
if you want to use gnutls_record_discard_queued().
Fixes #806
Signed-off-by: Michael Catanzaro <mcatanzaro@igalia.com>
Nikos Mavrogiannopoulos [Fri, 26 Jul 2019 07:57:29 +0000 (09:57 +0200)]
certtool: default to yes on signing certificates for CAs
When asking the questions for CA certificate generation, default
to yes to signing certificates. This is because that's the most
common type of CAs generated and defaulting to yes eliminates
the need for restart on error.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 25 Jul 2019 18:38:14 +0000 (20:38 +0200)]
bumped version for 3.6.9
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Dmitry Eremin-Solenikov [Mon, 22 Jul 2019 12:21:29 +0000 (12:21 +0000)]
Merge branch 'fix-gost' into 'master'
nettle/gost: support building with GOST-enabled Nettle
See merge request gnutls/gnutls!1044
Nikos Mavrogiannopoulos [Mon, 22 Jul 2019 10:43:50 +0000 (12:43 +0200)]
gnutls.h: mark AEAD ciphers as such in gnutls_cipher_algorithm_t description
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Mon, 22 Jul 2019 08:00:51 +0000 (10:00 +0200)]
abi-check: correctly bail-out on errors
Added suppressions for _MAX enumerator values.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Karsten Ohme [Fri, 21 Jun 2019 22:39:56 +0000 (00:39 +0200)]
Support for Generalname registeredID from RFC 5280 in subject alt name
Added test certificates (cert10.der) with registered ID
Updated Makefile for inclusion of test certificates
Updated SAN unknown test certificates (cert5.der)
Signed-off-by: Karsten Ohme <k_o_@users.sourceforge.net>
Nikos Mavrogiannopoulos [Sun, 21 Jul 2019 08:18:35 +0000 (10:18 +0200)]
libgnutls.abignore: added comment linking to syntax
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 21 Jul 2019 08:06:22 +0000 (10:06 +0200)]
NEWS: updated for upcoming release [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 19 Jul 2019 11:07:15 +0000 (11:07 +0000)]
Merge branch 'tmp-tls-fuzzer' into 'master'
Fixed alerts returned on TLS1.3 corner cases
Closes #682
See merge request gnutls/gnutls!1045
Nikos Mavrogiannopoulos [Wed, 17 Jul 2019 09:24:58 +0000 (09:24 +0000)]
Merge branch 'tmp-fix-doc-gnutls_certificate_set_retrieve_function3' into 'master'
Fix documented params for gnutls_certificate_retrieve_function3()
See merge request gnutls/gnutls!1047
Tim Rühsen [Tue, 16 Jul 2019 12:41:50 +0000 (14:41 +0200)]
Fix documented params for gnutls_certificate_retrieve_function3()
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
Nikos Mavrogiannopoulos [Sun, 14 Jul 2019 20:27:50 +0000 (22:27 +0200)]
Fixed alerts returned on TLS1.3 corner cases
This enables the tls-fuzzer tests 'test-tls13-certificate-verify.py'.
Resolves: #682
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Dmitry Eremin-Solenikov [Sun, 14 Jul 2019 09:17:18 +0000 (12:17 +0300)]
nettle/backport: fix xts-backport guarding check
Check for nettle_xts_encrypt_message() function rather than just
xts_encrypt_message(). All functions in nettle are renamed to contain
`nettle_` prefix.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Thu, 11 Jul 2019 18:37:08 +0000 (21:37 +0300)]
nettle/gost: support building with GOST-enabled Nettle
The Nettle library is starting to gain support for GOST algorithms. Support
building GnuTLS with a GOST-enabled nettle library.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Tim Rühsen [Fri, 12 Jul 2019 09:08:36 +0000 (09:08 +0000)]
Merge branch 'guile-reauth' into 'master'
Support post-handshake reauthentication in the Guile bindings
See merge request gnutls/gnutls!1026
Daiki Ueno [Thu, 11 Jul 2019 17:10:24 +0000 (17:10 +0000)]
Merge branch 'tmp-session-ticket-valgrind' into 'master'
ext/session_ticket: eliminate redundant memcpy
See merge request gnutls/gnutls!1040
Daiki Ueno [Thu, 11 Jul 2019 07:40:28 +0000 (07:40 +0000)]
Merge branch 'tmp-pkcs11-login-error' into 'master'
pkcs11: ignore login error when traversing tokens
See merge request gnutls/gnutls!1031
Daiki Ueno [Sun, 30 Jun 2019 06:23:41 +0000 (08:23 +0200)]
tests: remove unused destructive/p11-kit-load.sh
This file is replaced with tests/p11-kit-load.sh and
tests/pkcs11/list-tokens.c.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Wed, 19 Jun 2019 15:21:16 +0000 (17:21 +0200)]
pkcs11: ignore login error when traversing tokens
If a token is a general access device, it is expected that a login
attempt to that token returns an error:
https://github.com/p11-glue/p11-kit/blob/master/trust/module.c#L852
On the other hand, _pkcs11_traverse_tokens treats the error as fatal
and stops iteration. This behavior prevents object search without
token specifier if such tokens are registered in the system.
Reported by Stanislav Zidek in
https://bugzilla.redhat.com/show_bug.cgi?id=1705478
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Mon, 8 Jul 2019 14:54:56 +0000 (16:54 +0200)]
ext/session_ticket: avoid calling memcpy on overlapping memory areas
In _gnutls_encrypt_session_ticket, ticket.encrypted_state is allocated
from ticket_data->data, thus those memory areas may overlap. Using
memcpy here leads to undefined behavior.
Spotted by valgrind run on ppc64le.
==95231== Source and destination overlap in memcpy(0x47ce3a2, 0x47ce3a2, 160)
==95231== at 0x408A840: memcpy (vg_replace_strmem.c:1023)
==95231== by 0x424EE9F: pack_ticket (session_ticket.c:139)
==95231== by 0x424FA4F: _gnutls_encrypt_session_ticket (session_ticket.c:335)
==95231== by 0x4199E3B: generate_session_ticket (session_ticket.c:249)
==95231== by 0x419A333: _gnutls13_send_session_ticket (session_ticket.c:307)
==95231== by 0x40F8817: _gnutls13_handshake_server (handshake-tls13.c:511)
==95231== by 0x4110DEB: handshake_server (handshake.c:3331)
==95231== by 0x410C70B: gnutls_handshake (handshake.c:2727)
==95231== by 0x10009EBF: retry_handshake (serv.c:1306)
==95231== by 0x1000AB67: tcp_server (serv.c:1500)
==95231== by 0x10009E5B: main (serv.c:1297)
==95231==
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Nikos Mavrogiannopoulos [Wed, 10 Jul 2019 08:31:48 +0000 (08:31 +0000)]
Merge branch 'tmp-mark-infinite-loops' into 'master'
lib: mark infinite loops explicitly
See merge request gnutls/gnutls!1043
Nikos Mavrogiannopoulos [Tue, 9 Jul 2019 08:06:47 +0000 (10:06 +0200)]
lib: mark infinite loops explicitly
There were a few infinite loop constructions which were checking
for an always-true condition. Make sure that this construction
is marked explicitly as while(1) to assist static analysers or
reviewers.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 9 Jul 2019 11:29:33 +0000 (11:29 +0000)]
Merge branch 'tmp-coverage' into 'master'
tests: improve coverage of CRQ related functions
See merge request gnutls/gnutls!1042
Nikos Mavrogiannopoulos [Tue, 9 Jul 2019 07:56:24 +0000 (09:56 +0200)]
tests: improve coverage of CRQ related functions
This adds a sanity check of crq-related functions that were not included
in the testsuite at all.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Tue, 9 Jul 2019 04:16:53 +0000 (04:16 +0000)]
Merge branch 'tmp-var' into 'master'
encode_ber_digest_info: added sanity check
See merge request gnutls/gnutls!1041
Nikos Mavrogiannopoulos [Tue, 9 Jul 2019 04:16:10 +0000 (04:16 +0000)]
Merge branch 'tmp-fix-ocsp' into 'master'
Improve the OCSP (status request) and interop testing
See merge request gnutls/gnutls!1024
Nikos Mavrogiannopoulos [Mon, 8 Jul 2019 17:33:50 +0000 (19:33 +0200)]
encode_ber_digest_info: added sanity check
Issue found using oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15665
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 3 Jul 2019 19:04:23 +0000 (21:04 +0200)]
doc update [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 13 Jun 2019 07:13:22 +0000 (09:13 +0200)]
testcompat-openssl: added interop test with DTLS 1.2
This tests AES-CBC ciphersuites in isolation, as they are
prioritized lower than AES-GCM. We want to test them explicitly
because they have different behavior under EtM.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 7 Jun 2019 21:22:52 +0000 (23:22 +0200)]
tests: added sanity check for rfc7633 behavior
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 7 Jun 2019 14:51:30 +0000 (16:51 +0200)]
tests: status-request-missing: renamed to rfc7633-missing
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 7 Jun 2019 14:39:53 +0000 (16:39 +0200)]
status-request-ext: run under all TLS versions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 7 Jun 2019 14:35:11 +0000 (16:35 +0200)]
tests: status-request: cleanup
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 7 Jun 2019 14:34:21 +0000 (16:34 +0200)]
tests: status-request-missing: run for all TLS versions
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Dmitry Eremin-Solenikov [Mon, 1 Jul 2019 22:08:51 +0000 (22:08 +0000)]
Merge branch 'tmp-cli-debug' into 'master'
gnutls-cli-debug: test whether RSA key exchange is supported
Closes #449
See merge request gnutls/gnutls!1039
Nikos Mavrogiannopoulos [Sun, 30 Jun 2019 07:19:02 +0000 (07:19 +0000)]
Merge branch 'tmp-fix-desc' into 'master'
gnutls_session_get_desc: avoid printing a NULL value
See merge request gnutls/gnutls!1038
Daiki Ueno [Sun, 30 Jun 2019 05:16:51 +0000 (05:16 +0000)]
Merge branch 'tmp-fips-drbg-continuous' into 'master'
nettle/rnd-fips: add FIPS 140-2 continuous RNG test
See merge request gnutls/gnutls!1034
Nikos Mavrogiannopoulos [Sat, 29 Jun 2019 19:02:11 +0000 (21:02 +0200)]
gnutls-cli-debug: test whether RSA key exchange is supported
Resolves: #449
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 28 Jun 2019 19:08:32 +0000 (21:08 +0200)]
gnutls_session_get_desc: avoid printing a NULL value
When gnutls_session_set_premaster() is used (under openconnect),
it is possible that gnutls_session_get_desc will print a string like
this: "(DTLS1.2)-(ECDHE-(null))-(AES-256-GCM)"
With this change we ensure that we do not print null values.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Dmitry Eremin-Solenikov [Sat, 29 Jun 2019 09:09:35 +0000 (09:09 +0000)]
Merge branch 'mac-gmac' into 'master'
lib: add support for AES-GMAC
Closes #781
See merge request gnutls/gnutls!1036
Nikos Mavrogiannopoulos [Fri, 28 Jun 2019 19:36:40 +0000 (19:36 +0000)]
Merge branch 'tmp-fix-gnutls_x509_crt_list_import2' into 'master'
Fix gnutls_x509_crt_list_import2() documentation
Closes #794
See merge request gnutls/gnutls!1037
Daiki Ueno [Fri, 21 Jun 2019 13:49:26 +0000 (15:49 +0200)]
nettle/rnd-fips: add FIPS 140-2 continuous RNG test
This adds a continuous random number generator test as defined in FIPS
140-2 4.9.2, by iteratively fetching fixed-size blocks from the system
and comparing consecutive blocks.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
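The check this commit describes, as an added example in Python rather than GnuTLS's own code: a wrapper around a byte source that reads fixed-size blocks, retains the previous block, and refuses to return output when two consecutive blocks are identical (the FIPS 140-2 4.9.2 stuck-output test). The block size, the class and function names, and the choice to discard the very first block (it has no predecessor to compare against) are my assumptions; the page does not state GnuTLS's values. The stuck and counter sources at the bottom are constructed sample inputs for the check.

```python
# Added example: FIPS 140-2 4.9.2 continuous RNG test wrapper (not GnuTLS code).
import os

BLOCK_SIZE = 16  # assumed comparison block size; GnuTLS's value is not given on the page


class ContinuousTestRng:
    """Fetch fixed-size blocks from `source` and reject any block equal to its predecessor."""

    def __init__(self, source=os.urandom, block_size: int = BLOCK_SIZE):
        self._source = source
        self._block_size = block_size
        self._last = None   # previous block; the first fetched block is kept only for comparison
        self._buf = b""

    def _next_block(self) -> bytes:
        block = self._source(self._block_size)
        if len(block) != self._block_size:
            raise RuntimeError("short read from entropy source")
        if self._last is not None and block == self._last:
            # A repeated block means the source is stuck; fail closed rather than emit it.
            raise RuntimeError("continuous RNG test failed: consecutive blocks are identical")
        self._last = block
        return block

    def read(self, n: int) -> bytes:
        if self._last is None:
            self._next_block()  # prime the comparison; this block is never handed out
        while len(self._buf) < n:
            self._buf += self._next_block()
        out, self._buf = self._buf[:n], self._buf[n:]
        return out


def source_passes(source, nbytes: int, block_size: int = BLOCK_SIZE) -> bool:
    """Return True if `nbytes` can be drawn from `source` without tripping the test."""
    try:
        ContinuousTestRng(source, block_size).read(nbytes)
        return True
    except RuntimeError:
        return False


def stuck_source(n: int) -> bytes:
    """Constructed failing input: a source that always returns the same bytes."""
    return b"\x42" * n


def make_counter_source():
    """Constructed passing input: each block differs from the last (not random, just non-repeating)."""
    state = {"i": 0}

    def source(n: int) -> bytes:
        state["i"] += 1
        return state["i"].to_bytes(n, "big")

    return source
```

The test catches a source that has become stuck, not a weak one: a counter passes it, as shown. It also costs one block of output on every fresh instance, which is why the first block is consumed at construction time rather than returned.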
Dmitry Eremin-Solenikov [Fri, 28 Jun 2019 13:54:30 +0000 (16:54 +0300)]
lib: document gnutls_hmac_fast vs nonce relationship
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Thu, 27 Jun 2019 21:27:01 +0000 (00:27 +0300)]
tests/gnutls_hmac_fast: run test for AES-UMAC-96/-128
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 24 Jun 2019 21:12:29 +0000 (00:12 +0300)]
nettle: return true for gnutls_mac_exists(AES-CMAC*)
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Fri, 28 Jun 2019 13:28:58 +0000 (16:28 +0300)]
NEWS: add an entry for AES-GMAC algorithms
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Thu, 27 Jun 2019 21:27:01 +0000 (00:27 +0300)]
tests/gnutls_hmac_fast: run test for AES-GMAC-128/-192/-256
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Fri, 28 Jun 2019 13:19:15 +0000 (16:19 +0300)]
nettle/mac: fail mac calculation if nonce is required but not provided
Fail _wrap_nettle_mac_set_nonce() and _wrap_nettle_mac_fast() if MAC
requires nonce, but it was not supplied.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Thu, 27 Jun 2019 21:27:04 +0000 (00:27 +0300)]
nettle/mac: in mac_fast call set_nonce after set_key
Calling set_nonce before set_key is plainly incorrect. For GMAC the key is not
initialized. For UMAC set_key will reset the nonce to empty.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 24 Jun 2019 17:29:31 +0000 (20:29 +0300)]
lib: add support for AES-GMAC
Add support for computing AES-GMAC using MAC API, as requested by Samba
for SMB3 support.
Resolves: #781
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Nikos Mavrogiannopoulos [Fri, 28 Jun 2019 12:59:19 +0000 (14:59 +0200)]
tests: gnutls_x509_crt_list_import: verify that return code is as documented
That checks whether the return code of gnutls_x509_crt_list_import()
contains the number of loaded certificates.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 28 Jun 2019 06:20:31 +0000 (08:20 +0200)]
gnutls_x509_crt_list_import2: updated doc to reflect the actual return value options
Resolves: #794
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 27 Jun 2019 12:47:12 +0000 (12:47 +0000)]
Merge branch 'tmp-asm' into 'master'
Updated asm files to latest version under cryptogams license
See merge request gnutls/gnutls!989
Nikos Mavrogiannopoulos [Mon, 29 Apr 2019 13:28:28 +0000 (15:28 +0200)]
Align _gnutls_x86_cpuid_s as OPENSSL_ia32cap_P would be
We were not setting the third array member correctly, though
this didn't have any impact on previous implementations as they
did not rely on it. This also moves away from the custom implementation
of cpuid (which was limited), and we now rely on the compiler's
version.
This effectively enables support for SHA_NI.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 26 Apr 2019 12:43:19 +0000 (14:43 +0200)]
Updated asm files to latest version under cryptogams license
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Dmitry Eremin-Solenikov [Wed, 26 Jun 2019 15:12:41 +0000 (15:12 +0000)]
Merge branch 'hmac-copy' into 'master'
gnutls_hmac_copy() API
Closes #787
See merge request gnutls/gnutls!1035
Dmitry Eremin-Solenikov [Wed, 26 Jun 2019 11:24:42 +0000 (14:24 +0300)]
NEWS: document gnutls_hash/hmac_copy addition
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Nikos Mavrogiannopoulos [Wed, 26 Jun 2019 09:27:27 +0000 (11:27 +0200)]
gnutls_hash/hmac_copy: check its usability in all cases
During the test suite run we require that all supported
MAC and hash algorithms implement the copy function.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jun 2019 09:20:25 +0000 (11:20 +0200)]
accelerated ciphers: implement hmac and hash copy
This implements the new API to all internal implementations.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Dmitry Eremin-Solenikov [Wed, 26 Jun 2019 08:00:39 +0000 (11:00 +0300)]
lib: add support for gnutls_hash_copy()
Add gnutls_hash_copy() function for copying message digest context.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 24 Jun 2019 14:42:10 +0000 (17:42 +0300)]
crypto-selftests: add test for gnutls_hmac_copy()
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 24 Jun 2019 14:38:56 +0000 (17:38 +0300)]
api: add gnutls_hmac_copy() function
Add gnutls_hmac_copy() API to duplicate MAC handler state, which is
necessary for SMB3 support.
Resolves: #787
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Tue, 29 Nov 2016 22:34:14 +0000 (01:34 +0300)]
Add MAC copying support to nettle backend
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Tue, 29 Nov 2016 22:32:30 +0000 (01:32 +0300)]
Add MAC api to support copying of instances
GOST ciphersuites require continuously computing the MAC of all the
previously sent or received data. The easiest way to support that is to
add support for a copy function that creates a MAC instance with the same
internal state.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Nikos Mavrogiannopoulos [Thu, 20 Jun 2019 15:37:49 +0000 (15:37 +0000)]
Merge branch 'tmp-inih' into 'master'
Enhance the configuration file capabilities
Closes #587
See merge request gnutls/gnutls!1013
Nikos Mavrogiannopoulos [Thu, 20 Jun 2019 15:26:28 +0000 (15:26 +0000)]
Merge branch 'makefile-patch' into 'master'
Corrected call for updating ABI files
See merge request gnutls/gnutls!1033
Nikos Mavrogiannopoulos [Wed, 29 May 2019 08:36:24 +0000 (10:36 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 4 Apr 2019 14:25:37 +0000 (16:25 +0200)]
config: added ability to override and mark algorithms as disabled
This allows the system administrator or the distributor to use
the gnutls configuration file to mark hashes, signature algorithms,
TLS versions, curves, groups, ciphers KX, and MAC algorithms as
insecure (the last four only in the context of a TLS session).
It also allows setting a minimum profile which the applications
cannot fall below.
The options intentionally do not allow marking algorithms as
secure so that the configuration file cannot be used as an attack
vector. This change also makes sure that protocols unsupported and disabled
at compile time (e.g., SSL3.0) do not get listed by gnutls-cli.
The configuration file feature can be disabled at compile time
with an empty --with-system-priority-file.
This patch introduces the function gnutls_get_system_config_file(),
allowing applications to check whether a configuration file
was used.
Resolves: #587
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 3 Apr 2019 09:59:37 +0000 (11:59 +0200)]
Use inih to parse configuration file
This introduces the inih copylib, and makes our configuration
file parsing more flexible.
Relates: #587
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jun 2019 12:32:43 +0000 (12:32 +0000)]
Merge branch 'tmp-deprecate-registration-apis' into 'master'
Marked the crypto backend registration APIs as deprecated
Closes #789
See merge request gnutls/gnutls!1032
Nikos Mavrogiannopoulos [Wed, 19 Jun 2019 19:38:32 +0000 (21:38 +0200)]
Marked the crypto backend registration APIs as deprecated
This is to warn of a future conversion of these APIs to a no-op.
Resolves: #789
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Daiki Ueno [Thu, 20 Jun 2019 08:03:27 +0000 (08:03 +0000)]
Merge branch 'tmp-small-records-tests' into 'master'
tests: improve record_size_limit tests
See merge request gnutls/gnutls!1023
Nikos Mavrogiannopoulos [Wed, 19 Jun 2019 14:20:26 +0000 (14:20 +0000)]
gnutls-cli-debug.sh: sanity check of %ALLOW_SMALL_RECORDS test
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Daiki Ueno [Fri, 7 Jun 2019 09:39:53 +0000 (11:39 +0200)]
tlsfuzzer: test both with and without %ALLOW_SMALL_RECORDS
The option changes the behavior of the server, so it makes sense to
check both with and without %ALLOW_SMALL_RECORDS.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 7 Jun 2019 13:10:36 +0000 (15:10 +0200)]
tlsfuzzer: use fixed HTTP response for record_size_limit tests
Previously those tests assumed varying sizes of the connection information
gnutls-serv sends. This is too brittle: if the default algorithm
changes, the tests need to be updated.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 7 Jun 2019 12:54:58 +0000 (14:54 +0200)]
gnutls-serv: add --httpdata option to respond with fixed sized data
By default, gnutls-serv --http responds with the connection
information. While this is useful for manual testing, fixed content
is more desirable for automated testing.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 7 Jun 2019 09:37:37 +0000 (11:37 +0200)]
gnutls-cli-debug: check if %ALLOW_SMALL_RECORDS is required
This adds a new test against the server to check whether
%ALLOW_SMALL_RECORDS is required to continue communicating with the
server. The test is in two parts: one checks whether the server accepts
records with the default size (512 bytes) and the other checks whether
%ALLOW_SMALL_RECORDS helps if the previous test fails.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Wed, 19 Jun 2019 12:36:31 +0000 (14:36 +0200)]
gnutls-serv: add --recordsize option
This adds a means to set maximum record size to receive. If the size
is less than our default (< 512), --priority with %ALLOW_SMALL_RECORDS
also needs to be specified.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Karsten Ohme [Wed, 19 Jun 2019 05:51:16 +0000 (07:51 +0200)]
Corrected call for updating ABI files
Signed-off-by: Karsten Ohme <k_o_@users.sourceforge.net>
Nikos Mavrogiannopoulos [Sun, 16 Jun 2019 12:08:54 +0000 (14:08 +0200)]
doc: updated p11-kit links [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 15 Jun 2019 18:08:08 +0000 (18:08 +0000)]
Merge branch 'tmp-ametzler-doc-syntax-fix' into 'master'
CONTRIBUTING.md: Fix syntax error [ci skip]
See merge request gnutls/gnutls!1028
Andreas Metzler [Sat, 15 Jun 2019 09:38:46 +0000 (11:38 +0200)]
CONTRIBUTING.md: Fix syntax error [ci skip]
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
Nikos Mavrogiannopoulos [Fri, 14 Jun 2019 08:27:16 +0000 (08:27 +0000)]
Merge branch 'tmp-fix-raw-flag-in-newapi' into 'master'
gnutls_privkey_sign_hash2: accept the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA flag
See merge request gnutls/gnutls!1025