There are gnulib tests which fail on travis systems but are
not necessary for gnutls.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Fixes #531

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

This backports the cleanups in gnutls_x509_trust_list_add_crls()
from 3.6.x, and addresses a use-after-free.

Resolves #554

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Nikos Mavrogiannopoulos authored Jun 27, 2018 and Nikos Mavrogiannopoulos committed Jul 17, 2018

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Nikos Mavrogiannopoulos authored Dec 06, 2017 and Nikos Mavrogiannopoulos committed Jul 17, 2018

Nettle switched prototypes for base64_encode_raw() as follows:
-base64_encode_raw(uint8_t *dst, size_t length, const uint8_t *src);
+base64_encode_raw(char *dst, size_t length, const uint8_t *src);

That means we need to cast fist param to void if we want to avoid
warnings on different platforms.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This avoids any incompatibilities between abi-compliance-checker
and abi-dumper.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Andreas Metzler authored Sep 27, 2017 and Nikos Mavrogiannopoulos committed Jul 16, 2018

Update gtk-doc.make, m4/gtk-doc.m4 and doc/reference/Makefile.am from
gtk-doc git head (that is 1.26 +
c08cc78562c59082fc83b55b58747177510b7a70).
Disable gtkdoc-check.

Signed-off-by: Andreas Metzler <ametzler@bebt.de>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

3.5.x: backport fixes in record layer decoding

See merge request !663

We don't support SHA512 in the 3.5.x branch.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

These ciphersuites are deprecated since the introduction of AEAD
ciphersuites, and are only necessary for compatibility with older
servers. Since older servers already support hmac-sha1 there is
no reason to keep these ciphersuites enabled by default, as they
increase our attack surface.

Relates #456

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This improves protection against lucky13-type of attacks when
encrypt-then-mac is not in use.

Resolves #456

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

The existing lucky13 attack count-measures did not work correctly for
SHA384 HMAC.

The overall impact of that should not be significant as SHA384 is prioritized
lower than SHA256 or SHA1 and thus it is not typically negotiated, unless a
client prioritizes a SHA384 MAC, or a server only supports SHA384, and in both
cases the vulnerability is only present if Encrypt-then-MAC (RFC7366) is unsupported
by the peer.

Relates #455

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Nikos Mavrogiannopoulos authored Aug 11, 2017 and Nikos Mavrogiannopoulos committed May 26, 2018

We now use the ${ac_cv_sizeof_unsigned_long_int} variable which
gives the numbers used in the host system, not the build one.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Nikos Mavrogiannopoulos authored Jul 17, 2017 and Nikos Mavrogiannopoulos committed May 26, 2018

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

gcc7 is more verbose on fallthrough warnings, and this patch set
cleans up the current state by making use of the attribute when
necessary.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

The warnings it produces have little value in our use of string functions.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Nikos Mavrogiannopoulos authored Sep 07, 2017 and Nikos Mavrogiannopoulos committed May 26, 2018

That is, combine syntax-check with the static analyzers run. That
provides more parallelism per build and reduces the overall time
spent on a successful run.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This allows a more descriptive name to any downloaded artifacts.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Nikos Mavrogiannopoulos authored Aug 10, 2017 and Nikos Mavrogiannopoulos committed May 26, 2018

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Nikos Mavrogiannopoulos authored Jul 17, 2017 and Nikos Mavrogiannopoulos committed May 26, 2018

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

That is, prevent re-using a static PIN if it has already been
known to be wrong. Introduced tests of that behavior.

Resolves #425

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

That enables the nettle version macros to operate.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Resolves #406

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>