Dmitry Eremin-Solenikov [Fri, 28 Jun 2019 13:19:15 +0000 (16:19 +0300)]
nettle/mac: fail mac calculation if nonce is required but not provided
Fail _wrap_nettle_mac_set_nonce() and _wrap_nettle_mac_fast() if MAC
requires nonce, but it was not supplied.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Thu, 27 Jun 2019 21:27:04 +0000 (00:27 +0300)]
nettle/mac: in mac_fast call set_nonce after set_key
Calling set_nonce before set_key is plainly incorrect. For GMAC the key is not
initialized. For UMAC set_key will reset the nonce to empty.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 24 Jun 2019 17:29:31 +0000 (20:29 +0300)]
lib: add support for AES-GMAC
Add support for computing AES-GMAC using MAC API, as requested by Samba
for SMB3 support.
Resolves: #781
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Nikos Mavrogiannopoulos [Fri, 28 Jun 2019 12:59:19 +0000 (14:59 +0200)]
tests: gnutls_x509_crt_list_import: verify that return code is as documented
That checks whether the return code of gnutls_x509_crt_list_import()
contains the number of loaded certificates.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 28 Jun 2019 06:20:31 +0000 (08:20 +0200)]
gnutls_x509_crt_list_import2: updated doc to reflect the actual return value options
Resolves: #794
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 27 Jun 2019 12:47:12 +0000 (12:47 +0000)]
Merge branch 'tmp-asm' into 'master'
Updated asm files to latest version under cryptogams license
See merge request gnutls/gnutls!989
Nikos Mavrogiannopoulos [Mon, 29 Apr 2019 13:28:28 +0000 (15:28 +0200)]
Align _gnutls_x86_cpuid_s as OPENSSL_ia32cap_P would be
We were not setting the third array member correctly, though
this didn't have any impact on previous implementations as they
did not rely on it. This also moves away from the custom implementation
of cpuid (which was limited), and we now rely on the compiler's
version.
This effectively enables support for SHA_NI.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 26 Apr 2019 12:43:19 +0000 (14:43 +0200)]
Updated asm files to latest version under cryptogams license
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Dmitry Eremin-Solenikov [Wed, 26 Jun 2019 15:12:41 +0000 (15:12 +0000)]
Merge branch 'hmac-copy' into 'master'
gnutls_hmac_copy() API
Closes #787
See merge request gnutls/gnutls!1035
Dmitry Eremin-Solenikov [Wed, 26 Jun 2019 11:24:42 +0000 (14:24 +0300)]
NEWS: document gnutls_hash/hmac_copy addition
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Nikos Mavrogiannopoulos [Wed, 26 Jun 2019 09:27:27 +0000 (11:27 +0200)]
gnutls_hash/hmac_copy: check its usability in all cases
During the test suite run we require that all supported
MAC and hash algorithms implement the copy function.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 26 Jun 2019 09:20:25 +0000 (11:20 +0200)]
accelerated ciphers: implement hmac and hash copy
This implements the new API to all internal implementations.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Dmitry Eremin-Solenikov [Wed, 26 Jun 2019 08:00:39 +0000 (11:00 +0300)]
lib: add support for gnutls_hash_copy()
Add gnutls_hash_copy() function for copying message digest context.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 24 Jun 2019 14:42:10 +0000 (17:42 +0300)]
crypto-selftests: add test for gnutls_hmac_copy()
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Mon, 24 Jun 2019 14:38:56 +0000 (17:38 +0300)]
api: add gnutls_hmac_copy() function
Add gnutls_hmac_copy() API to duplicate MAC handler state, which is
necessary for SMB3 support.
Resolves: #787
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Tue, 29 Nov 2016 22:34:14 +0000 (01:34 +0300)]
Add MAC copying support to nettle backend
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Dmitry Eremin-Solenikov [Tue, 29 Nov 2016 22:32:30 +0000 (01:32 +0300)]
Add MAC api to support copying of instances
GOST ciphersuites require continuously computing a MAC of all the
previously sent or received data. The easiest way to support that is to
add support for a copy function that creates a MAC instance with the same
internal state.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Nikos Mavrogiannopoulos [Thu, 20 Jun 2019 15:37:49 +0000 (15:37 +0000)]
Merge branch 'tmp-inih' into 'master'
Enhance the configuration file capabilities
Closes #587
See merge request gnutls/gnutls!1013
Nikos Mavrogiannopoulos [Thu, 20 Jun 2019 15:26:28 +0000 (15:26 +0000)]
Merge branch 'makefile-patch' into 'master'
Corrected call for updating ABI files
See merge request gnutls/gnutls!1033
Nikos Mavrogiannopoulos [Wed, 29 May 2019 08:36:24 +0000 (10:36 +0200)]
updated auto-generated files
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 4 Apr 2019 14:25:37 +0000 (16:25 +0200)]
config: added ability to override and mark algorithms as disabled
This allows the system administrator or the distributor to use
the gnutls configuration file to mark hashes, signature algorithms,
TLS versions, curves, groups, ciphers, KX, and MAC algorithms as
insecure (the last four only in the context of a TLS session).
It also allows setting a minimum profile below which the applications
cannot fall.
The options intentionally do not allow marking algorithms as
secure so that the configuration file cannot be used as an attack
vector. This change also makes sure that protocols unsupported and disabled
at compile time (e.g., SSL3.0) do not get listed by gnutls-cli.
The configuration file feature can be disabled at compile time
with an empty --with-system-priority-file.
This patch introduces the function gnutls_get_system_config_file()
allowing applications to check whether a configuration file
was used.
Resolves: #587
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Wed, 3 Apr 2019 09:59:37 +0000 (11:59 +0200)]
Use inih to parse configuration file
This introduces the inih copylib, and makes our configuration
file parsing more flexible.
Relates: #587
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 20 Jun 2019 12:32:43 +0000 (12:32 +0000)]
Merge branch 'tmp-deprecate-registration-apis' into 'master'
Marked the crypto backend registration APIs as deprecated
Closes #789
See merge request gnutls/gnutls!1032
Nikos Mavrogiannopoulos [Wed, 19 Jun 2019 19:38:32 +0000 (21:38 +0200)]
Marked the crypto backend registration APIs as deprecated
This is to warn of a future conversion of these APIs to a no-op.
Resolves: #789
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Daiki Ueno [Thu, 20 Jun 2019 08:03:27 +0000 (08:03 +0000)]
Merge branch 'tmp-small-records-tests' into 'master'
tests: improve record_size_limit tests
See merge request gnutls/gnutls!1023
Nikos Mavrogiannopoulos [Wed, 19 Jun 2019 14:20:26 +0000 (14:20 +0000)]
gnutls-cli-debug.sh: sanity check of %ALLOW_SMALL_RECORDS test
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Daiki Ueno [Fri, 7 Jun 2019 09:39:53 +0000 (11:39 +0200)]
tlsfuzzer: test both with and without %ALLOW_SMALL_RECORDS
The option changes the behavior of the server, so it would make sense to
check both with and without %ALLOW_SMALL_RECORDS.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 7 Jun 2019 13:10:36 +0000 (15:10 +0200)]
tlsfuzzer: use fixed HTTP response for record_size_limit tests
Previously those tests assumed varying sizes of the connection information
gnutls-serv sends. This is too brittle, and if the default algorithm
has changed, the tests need to be updated.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 7 Jun 2019 12:54:58 +0000 (14:54 +0200)]
gnutls-serv: add --httpdata option to respond with fixed sized data
By default, the gnutls-server --http responds with the connection
information. While this is useful for manual testing, fixed content
would be more desirable for automated testing.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Fri, 7 Jun 2019 09:37:37 +0000 (11:37 +0200)]
gnutls-cli-debug: check if %ALLOW_SMALL_RECORDS is required
This adds a new test against the server to check if
%ALLOW_SMALL_RECORDS is required to continue communicating with the
server. The test is in two parts: one to check if the server accepts
records with the default size (512 bytes) and the other to check if
%ALLOW_SMALL_RECORDS helps if the previous test fails.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Wed, 19 Jun 2019 12:36:31 +0000 (14:36 +0200)]
gnutls-serv: add --recordsize option
This adds a means to set the maximum record size to receive. If the size
is less than our default (< 512), --priority with %ALLOW_SMALL_RECORDS
also needs to be specified.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Karsten Ohme [Wed, 19 Jun 2019 05:51:16 +0000 (07:51 +0200)]
Corrected call for updating ABI files
Signed-off-by: Karsten Ohme <k_o_@users.sourceforge.net>
Nikos Mavrogiannopoulos [Sun, 16 Jun 2019 12:08:54 +0000 (14:08 +0200)]
doc: updated p11-kit links [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sat, 15 Jun 2019 18:08:08 +0000 (18:08 +0000)]
Merge branch 'tmp-ametzler-doc-syntax-fix' into 'master'
CONTRIBUTING.md: Fix syntax error [ci skip]
See merge request gnutls/gnutls!1028
Andreas Metzler [Sat, 15 Jun 2019 09:38:46 +0000 (11:38 +0200)]
CONTRIBUTING.md: Fix syntax error [ci skip]
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
Nikos Mavrogiannopoulos [Fri, 14 Jun 2019 08:27:16 +0000 (08:27 +0000)]
Merge branch 'tmp-fix-raw-flag-in-newapi' into 'master'
gnutls_privkey_sign_hash2: accept the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA flag
See merge request gnutls/gnutls!1025
Ludovic Courtès [Wed, 12 Jun 2019 09:37:39 +0000 (11:37 +0200)]
guile: Add support for post-handshake reauthentication.
* guile/modules/gnutls/build/enums.scm (%connection-flag-enum): New
variable.
(%gnutls-enums): Add it.
* guile/modules/gnutls.in: Export 'reauthenticate',
'connection-flag->string', and all the 'connection-flag/' bindings.
* guile/src/core.c (scm_gnutls_make_session): Add rest arguments FLAGS
and honor it.
(scm_gnutls_reauthenticate): New function.
* guile/tests/reauth.scm: New file.
* guile/Makefile.am (TESTS): Add it.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Ludovic Courtès [Wed, 12 Jun 2019 09:32:19 +0000 (11:32 +0200)]
guile: Loop or poll upon GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED.
* guile/src/core.c (do_fill_port) [USING_GUILE_BEFORE_2_2]: Loop while
'gnutls_record_recv' returns GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED.
(read_from_session_record_port) [!USING_GUILE_BEFORE_2_2]: Likewise, and
return -1 if SCM_GNUTLS_SESSION_TRANSPORT_IS_FD and we got GNUTLS_E_AGAIN.
(session_record_port_fd) [!USING_GUILE_BEFORE_2_2]: New function.
(scm_init_gnutls_session_record_port_type) [!USING_GUILE_BEFORE_2_2]:
Call 'scm_set_port_read_wait_fd'.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Ludovic Courtès [Fri, 7 Jun 2019 09:06:18 +0000 (11:06 +0200)]
guile: Add bindings for 'gnutls_error_is_fatal'.
* guile/src/errors.c (scm_gnutls_fatal_error_p): New function.
* guile/modules/gnutls.in: Export 'fatal-error?'.
* guile/tests/errors.scm: test 'fatal-error?'.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Ludovic Courtès [Fri, 7 Jun 2019 08:34:42 +0000 (10:34 +0200)]
guile: Update list of error values.
* guile/modules/gnutls/build/enums.scm (%error-enum): Update list of
error constants.
* guile/modules/gnutls.in (gnutls): Adjust exports accordingly.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Nikos Mavrogiannopoulos [Wed, 12 Jun 2019 17:39:09 +0000 (17:39 +0000)]
Merge branch 'tmp-aes-cbc-selftest' into 'master'
fips: run selftests over overridden AES-CBC algorithm
See merge request gnutls/gnutls!1027
Nikos Mavrogiannopoulos [Wed, 12 Jun 2019 14:32:12 +0000 (14:32 +0000)]
Merge branch 'guile-deprecate-openpgp' into 'master'
guile: Deprecate OpenPGP bindings.
See merge request gnutls/gnutls!1021
Daiki Ueno [Wed, 12 Jun 2019 12:02:05 +0000 (14:02 +0200)]
fips: run selftests over overridden AES-CBC algorithm
Previously, we only tested nettle's AES-CBC in
_gnutls_fips_perform_self_checks1(), which is called before the
implementation is overridden. This adds an AES-CBC self-test in
_gnutls_fips_perform_self_checks2() so it can test the actual
implementation.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Ludovic Courtès [Thu, 6 Jun 2019 16:30:28 +0000 (18:30 +0200)]
guile: Deprecate OpenPGP bindings.
* guile/modules/gnutls.in (define-deprecated): New macro.
Use it for all the *openpgp* bindings.
* guile/src/core.c: Rename *openpgp* bindings with a '%' prefix.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Nikos Mavrogiannopoulos [Mon, 10 Jun 2019 20:12:09 +0000 (22:12 +0200)]
gnutls_privkey_sign_hash2: accept the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA flag
Previously this flag was ignored, although it was documented not to be.
This patch also enables the tests sign-verify-newapi and sign-verify-data-newapi
which were supposed to test this interface, but were never enabled.
This was caught by Andreas Metzler.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 30 May 2019 11:49:22 +0000 (13:49 +0200)]
tests: removed debugging output from GETPORT
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 8 Jun 2019 17:19:03 +0000 (19:19 +0200)]
.gitlab-ci.yml: include top log files in all build failures [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Tim Rühsen [Fri, 7 Jun 2019 13:29:42 +0000 (13:29 +0000)]
Merge branch 'guile-remove-alloca' into 'master'
Remove unbounded uses of alloca in the Guile bindings
Closes #684
See merge request gnutls/gnutls!1022
Ludovic Courtès [Fri, 7 Jun 2019 08:16:02 +0000 (10:16 +0200)]
guile: Remove unbounded uses of 'alloca'.
* guile/src/core.c (ALLOCA_MAX_SIZE, FAST_ALLOC): New macros.
(set_certificate_file):
(scm_gnutls_set_certificate_credentials_x509_key_files_x)
(scm_gnutls_set_srp_server_credentials_files_x)
(scm_gnutls_set_srp_client_credentials_x)
(scm_gnutls_srp_base64_encode, scm_gnutls_srp_base64_decode)
(scm_gnutls_set_psk_server_credentials_file_x)
(scm_gnutls_pkcs8_import_x509_private_key)
(scm_gnutls_x509_certificate_matches_hostname_p)
(scm_gnutls_import_openpgp_private_key): Use 'FAST_ALLOC' instead of
'alloca'.
* guile/src/utils.c: Remove unneeded <alloca.h> include.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Ludovic Courtès [Fri, 7 Jun 2019 08:11:12 +0000 (10:11 +0200)]
guile: Always provide 'scm_gc_malloc_pointerless'.
* guile/src/core.c (scm_gc_malloc_pointerless)
[!HAVE_SCM_GC_MALLOC_POINTERLESS]: New macro.
(make_session_record_port): Remove #ifdef HAVE_SCM_GC_MALLOC_POINTERLESS.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Daiki Ueno [Thu, 6 Jun 2019 13:33:11 +0000 (13:33 +0000)]
Merge branch 'tmp-keyupdate-fixes' into 'master'
tls13/key_update: ignore multiple key updates instead of error
See merge request gnutls/gnutls!1019
Daiki Ueno [Wed, 5 Jun 2019 14:48:39 +0000 (16:48 +0200)]
tls13/key_update: ignore multiple key updates instead of error
This fixes the handling of multiple KeyUpdate messages in commit
65e2aa80d114d4bef095d129c2eda475e473244a, where illegal_parameter is
sent even if the limit isn't exceeded.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Tim Rühsen [Tue, 4 Jun 2019 11:04:33 +0000 (11:04 +0000)]
Merge branch 'tmp-fix-travis2' into 'master'
Prefix gcc attributes with 'attr_'
See merge request gnutls/gnutls!1017
Tim Rühsen [Mon, 3 Jun 2019 19:53:05 +0000 (21:53 +0200)]
Prefix gcc attributes with 'attr_'
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
Nikos Mavrogiannopoulos [Mon, 3 Jun 2019 11:26:18 +0000 (13:26 +0200)]
gnutls_prf_early: corrected Since version [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Tim Rühsen [Sun, 2 Jun 2019 15:13:42 +0000 (15:13 +0000)]
Merge branch 'tmp-fix-travis' into 'master'
Fix warn_unused_result for clang < 4
See merge request gnutls/gnutls!1016
Tim Rühsen [Sun, 2 Jun 2019 10:42:16 +0000 (12:42 +0200)]
Fix warn_unused_result for clang < 4
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
Tim Rühsen [Sun, 2 Jun 2019 09:38:13 +0000 (09:38 +0000)]
Merge branch 'tmp-fedora30' into 'master'
.gitlab-ci.yml: switched fedora to latest version
See merge request gnutls/gnutls!1015
Nikos Mavrogiannopoulos [Sat, 1 Jun 2019 14:18:50 +0000 (16:18 +0200)]
.gitlab-ci.yml: switched fedora to latest version
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 31 May 2019 20:22:28 +0000 (20:22 +0000)]
Merge branch 'tmp-releases' into 'master'
RELEASES.md: document the releases policy
See merge request gnutls/gnutls!1011
Dmitry Eremin-Solenikov [Fri, 31 May 2019 17:55:37 +0000 (17:55 +0000)]
Merge branch 'tmp-fix-libopts' into 'master'
Do not regenerate autogen files if --enable-local-libopts is given
Closes #772
See merge request gnutls/gnutls!1010
Tim Rühsen [Thu, 30 May 2019 13:52:40 +0000 (13:52 +0000)]
Merge branch 'tmp-fix-touch' into 'master'
Makefile.am: do not create files when it shouldn't
See merge request gnutls/gnutls!1014
Nikos Mavrogiannopoulos [Thu, 30 May 2019 12:42:52 +0000 (14:42 +0200)]
Makefile.am: do not create files when it shouldn't
If a pdf or html file is not distributed, previously `make dist`
would create a file called '*.pdf' which did not make sense. This
addresses this problem.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Sat, 25 May 2019 19:17:27 +0000 (21:17 +0200)]
Do not regenerate autogen files if --enable-local-libopts is given
This addresses an issue on installed systems which have autogen but
use --enable-local-libopts. On these systems, if the installed autogen
did not match the local libopts library version, compilation would
fail because the auto-generated files depend on the libopts internals
corresponding to the autogen version.
Resolves: #772
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Tim Rühsen [Wed, 29 May 2019 14:15:33 +0000 (14:15 +0000)]
Merge branch 'tmp-datum-cleanup' into 'master'
Datum.c cleanup
See merge request gnutls/gnutls!1002
Nikos Mavrogiannopoulos [Mon, 27 May 2019 13:16:52 +0000 (15:16 +0200)]
Remove malloc from gnutls_srp_set_server_fake_salt_seed()
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Tim Rühsen [Mon, 20 May 2019 10:49:51 +0000 (12:49 +0200)]
gnutls_session_set_data(): Check for allocation error
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
Tim Rühsen [Mon, 20 May 2019 10:46:54 +0000 (12:46 +0200)]
_gnutls_set_[str]datum: Cleanup, add function attributes
_gnutls_set_datum(): Do not change output 'dat' on error
_gnutls_set_strdatum: Likewise, cleanup code
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
Tim Rühsen [Tue, 21 May 2019 09:17:39 +0000 (11:17 +0200)]
Add nonnull, nonnull_all and warn_unused_result attributes in lib/gnutls_int.h
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
Nikos Mavrogiannopoulos [Tue, 28 May 2019 05:05:46 +0000 (07:05 +0200)]
doc: do not distribute pdf files
It complicates the 'make dist' phase and does not add much
value as the files are available from the web site.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Tue, 28 May 2019 04:45:56 +0000 (06:45 +0200)]
released 3.6.8
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 27 May 2019 20:34:42 +0000 (22:34 +0200)]
minor updates in the latex version of the manual [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Mon, 27 May 2019 19:29:44 +0000 (21:29 +0200)]
doc update [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 26 May 2019 19:35:19 +0000 (21:35 +0200)]
RELEASES.md: document the releases policy [ci skip]
This adds a file to document the policy on releases based on
the discussions that took place in the last face to face meeting.
https://gitlab.com/gnutls/gnutls/wikis/face2face-meeting-fosdem2019
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Fri, 24 May 2019 14:12:14 +0000 (14:12 +0000)]
Merge branch 'tmp-avoid-libs-in-libsvar' into 'master'
Do not add libraries in the global LIBS in configure
Closes #735
See merge request gnutls/gnutls!1008
Nikos Mavrogiannopoulos [Fri, 24 May 2019 10:59:13 +0000 (12:59 +0200)]
.gitlab-ci.yml: ensure that the LIBS variable is empty after a configure run
We do not use this variable as it is global and applies to all of the
tests, applications and the library, and when it is set it is usually due to
bugs in configure.ac.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 23 May 2019 19:20:49 +0000 (21:20 +0200)]
Do not add libraries in the global LIBS in configure
This ensures that libraries are linked with the programs
requiring them.
Resolves: #735
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Daiki Ueno [Fri, 24 May 2019 06:33:38 +0000 (06:33 +0000)]
Merge branch 'tmp-version-override' into 'master'
tests: prf-early fixes the global version
See merge request gnutls/gnutls!1009
Nikos Mavrogiannopoulos [Thu, 23 May 2019 09:41:45 +0000 (11:41 +0200)]
bumped version
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Fri, 24 May 2019 03:46:18 +0000 (05:46 +0200)]
tests: prf-early fixes the global version
This allows having fixed data in the hello message involved.
That required exposing the variable holding the global gnutls
version number for testing.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 23 May 2019 19:32:58 +0000 (21:32 +0200)]
certtool: corrected typo in manual [ci skip]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 23 May 2019 19:11:58 +0000 (21:11 +0200)]
Revert "bumped version"
In order to make the CI functional again. The version number update
seems to conflict with tests/tls13/prf-early.sh
This reverts commit d34d93b8713cf10235ce7016fd69b6932b0752c0.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Thu, 23 May 2019 13:29:23 +0000 (15:29 +0200)]
tests: prf-early.sh: use the static flag of datefudge
This eliminates unexpected failures of the test on slower systems.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 23 May 2019 13:41:19 +0000 (15:41 +0200)]
tlsfuzzer: reverted accidental move to incorrect version
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 23 May 2019 09:44:12 +0000 (11:44 +0200)]
NEWS: doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos [Thu, 23 May 2019 09:41:45 +0000 (11:41 +0200)]
bumped version
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Simo Sorce [Wed, 22 May 2019 19:08:45 +0000 (15:08 -0400)]
Pass down Q for FFDHE in all pre-TLS1.3 as well
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 21 May 2019 13:40:01 +0000 (09:40 -0400)]
Check Q for FFDHE primes in prime-check
These are Mersenne primes so q = (p - 1) / 2
We check that p = (q * 2) + 1
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 20 May 2019 21:13:12 +0000 (17:13 -0400)]
Always pass in and check Q in TLS 1.3
In FIPS mode do an extra check that we did have Q, but it is always
passed into the tls13 derive function from the callers.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 17 May 2019 18:05:37 +0000 (14:05 -0400)]
Add plumbing to handle Q parameter in DH exchanges
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 14 May 2019 22:38:33 +0000 (18:38 -0400)]
Add test to ensure ECDH exchange behaves correctly
This test ensures that public keys are properly tested for validity
before an ECDH exchange is computed.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 10 May 2019 18:49:05 +0000 (14:49 -0400)]
Add test to ensure DH exchange behaves correctly
This test ensures that public keys are properly tested for validity
before a DH exchange is computed.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 3 May 2019 16:32:56 +0000 (12:32 -0400)]
Add Full Public Key Check for DH
This is for NIST SP800-56A requirements and FIPS CAVS testing.
GnuTLS never passes in a non-empty Q for normal operations, but tests will
and if Q is passed in it needs to be checked.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 1 May 2019 14:57:51 +0000 (10:57 -0400)]
Fix Copy&Paste error
Signed-off-by: Simo Sorce <simo@redhat.com>
Nikos Mavrogiannopoulos [Thu, 23 May 2019 09:05:26 +0000 (09:05 +0000)]
Merge branch 'tmp-keyupdate-fixes' into 'master'
Fix handling of malformed KeyUpdate messages
Closes #699
See merge request gnutls/gnutls!1005
Daiki Ueno [Thu, 23 May 2019 08:20:23 +0000 (08:20 +0000)]
Merge branch 'tmp-small-records' into 'master'
priority: add new option to allow small records (>= 64)
See merge request gnutls/gnutls!1006
Nikos Mavrogiannopoulos [Thu, 23 May 2019 04:11:12 +0000 (04:11 +0000)]
Merge branch 'tmp-remove-unused-flag' into 'master'
pubkey: remove deprecated OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA
Closes #754
See merge request gnutls/gnutls!1004
Daiki Ueno [Wed, 22 May 2019 08:39:27 +0000 (10:39 +0200)]
tls13/key_update: increase handling limit from 1 to 8
The limit was too small when testing the capability of handling
multiple KeyUpdate messages with tlsfuzzer.
This requires a change in the rate limit logic, as previously it
didn't count the KeyUpdate messages despite the name of
KEY_UPDATES_PER_SEC.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno [Wed, 22 May 2019 10:16:52 +0000 (10:16 +0000)]
Merge branch 'tmp-privkey-tls13' into 'master'
server auth: disable TLS 1.3 if no signature algorithm is usable
Closes #731
See merge request gnutls/gnutls!987
Daiki Ueno [Wed, 22 May 2019 09:51:57 +0000 (11:51 +0200)]
tlsfuzzer: use %ALLOW_SMALL_RECORDS for testing
Signed-off-by: Daiki Ueno <dueno@redhat.com>