GitLab

tests: updated tlsfuzzer tests to latest version

See merge request !1276

gnutls_aead_cipher_init: fix potential memleak

Closes #1010

See merge request !1274

AIA callback to retrieve missing chain certificates

See merge request !1262

excluded some tests from test-certificate-malformed.py
Signed-off-by: KrenzelokFrantisek <[email protected]>

serv: omit upper bound of --maxearlydata option definition

See merge request !1273

Signed-off-by: Sahana Prasad <[email protected]>

Signed-off-by: Sahana Prasad <[email protected]>

Signed-off-by: Sahana Prasad <[email protected]>

Release 3.6.14 [ci skip]

See merge request !1272

Signed-off-by: Daiki Ueno <[email protected]>

stek: differentiate initial state from valid time window of TOTP

See merge request !1275

This adds a valgrind client request for
session->key.session_ticket_key to make sure that it is not used
without initialization.
Signed-off-by: Daiki Ueno <[email protected]>

There was a confusion in the TOTP implementation in stek.c.  When the
mechanism is initialized at the first time, it records the timestamp
but doesn't initialize the key.  This removes the timestamp recording
at the initialization phase, so the key is properly set later.
Signed-off-by: Daiki Ueno <[email protected]>

Upon failure this function returns without freeing memory allocated
internally.  This makes sure that it is released and do not touch the
output handle argument.
Signed-off-by: Daiki Ueno <[email protected]>

When _gnutls_aead_cipher_init() fails, the function returns without
freeing the allocted handle.  This was once fixed in commit
502be130 but regressed after a code
reorganization in commit 2eef509c.

Reported by Miroslav Lichvar.
Signed-off-by: Daiki Ueno <[email protected]>

It turned out that AutoGen treats numbers that exceed INT_MAX in a
platform dependent way.  In this case, 4294967295 (UINT_MAX) is
treated as is on 64-bit platforms, while it is interpreted as "-1" on
32-bit platforms.  This causes a problem when the program
documentation is compiled under multilib environment.

Reported by Ivan Molodetskikh in:
https://bugzilla.redhat.com/show_bug.cgi?id=1841844
and the cause was identified by Anderson Toshiyuki Sasaki.
Signed-off-by: Daiki Ueno <[email protected]>

_gnutls_pkcs11_verify_crt_status: check validity against system cert

See merge request !1271

Signed-off-by: Daiki Ueno <[email protected]>

gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN
to trigger the fallback verification path if the signer of the last
certificate is not in the trust store.  Previously, it doesn't take
into account of the condition where the certificate is expired.
Signed-off-by: Daiki Ueno <[email protected]>

To verify a certificate chain, this function replaces known
certificates with the ones in the system trust store if possible.

However, if it is found, the function checks the validity of the
original certificate rather than the certificate found in the trust
store.  That reveals a problem in a scenario that (1) a certificate is
signed by multiple issuers and (2) one of the issuers' certificate has
expired and included in the input chain.

This patch makes it a little robuster by actually retrieving the
certificate from the trust store and perform check against it.
Signed-off-by: Daiki Ueno <[email protected]>

use bcrypt for the windows random generator instead of wincrypt

See merge request !1255

configure.ac: add -fno-builtin-strcmp if valgrind is enabled

Closes #944

See merge request !1264

lib: add support for AES-192-GCM

See merge request !1267

.travis.yml: use several different OSX versions

See merge request !1269

configure: check that -no_weak_links works with FD_SET

Closes #966

See merge request !1266

lib: improve external file loading

See merge request !1261

This makes it clear that "fd" is not a file descriptor but a FILE
pointer.  Suggested by Tim Rühsen.
Signed-off-by: Daiki Ueno <[email protected]>

Signed-off-by: Daiki Ueno <[email protected]>

This makes use of the RF_SENSITIVE flag newly added to read_file
function when reading potentially senstive information from a file.
Signed-off-by: Daiki Ueno <[email protected]>

This makes use of the "e" flag of fopen, provided by the Gnulib's
fopen-gnu module.

Reported by Remi Denis-Courmont in:
#985
and fix suggested by Tim Rühsen.
Signed-off-by: Daiki Ueno <[email protected]>

This brings in the new fopen-gnu module and the RF_SENSITIVE flag for
fread_file and read_file.  This also adds the following changes to be
consistent with the latest changes in Gnulib:
- the callers of fread_file and read_file to be adjusted for the FLAGS
  argument
- "attribute.h" needs to be used extensively
Signed-off-by: Daiki Ueno <[email protected]>

CryptoAPI is a deprecated API [1] that is forbidden in UWP builds.

Rewrite the CryptoAPI calls in bcrypt.

bcrypt is used instead of CryptoAPI when targeting Windows Vista and above.

https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptdecryptSigned-off-by: Steve Lhomme <[email protected]>

Signed-off-by: Dmitry Baryshkov <[email protected]>

win32: allow using ncrypt in UWP builds

See merge request !1256

No functional change. The has been simply moved.
Signed-off-by: Steve Lhomme <[email protected]>

Allow statically linking ncrypt (win32)

See merge request !1254

If _WIN32_WINNT is higher or equal to 0x0600, Vista API's are allowed during
the build. We can assume that the minimum platform the code will run on is
Vista [1]

In that case there's no need to call API's (ncrypt) dynamically when it can be
done statically.

[1] https://docs.microsoft.com/en-us/cpp/porting/modifying-winver-and-win32-winntSigned-off-by: Steve Lhomme <[email protected]>

fips: make FIPS140-2 mode enablement logic simpler

See merge request !1253

tests: build datefudge-check during make all

Closes #920

See merge request !1265

Add support for AES-192 in GCM mode.
Signed-off-by: Dmitry Baryshkov <[email protected]>