summaryrefslogtreecommitdiff
path: root/.gitignore
Commit message (Collapse)AuthorAgeFilesLines
* .gitignore: ignore more filesDaiki Ueno2022-01-161-0/+3
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* doc: generate texinfo files from JSONDaiki Ueno2022-01-151-1/+0
| | | | | | | This replaces texinfo generation previously provided by the autogen -Tagtexi.tpl command with a Python script (gen-cmd-texi.py). Signed-off-by: Daiki Ueno <ueno@gnu.org>
* src: remove included copy of liboptsDaiki Ueno2022-01-151-2/+0
| | | | | | | As no tools link with libopts anymore, we don't need to include it in the distribution. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* src: replace autoopts/libopts with minimal config parserDaiki Ueno2022-01-151-7/+2
| | | | | | | This replaces configuration file parsing code previously provided by <autoopts/options.h>, with a minimal compatible implementation. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* src: generate option handling code from JSONDaiki Ueno2022-01-141-23/+22
| | | | | | | | | This replaces AutoGen based command-line parser with a Python script (gen-getopt.py), which takes JSON description as the input. The included JSON files were converted one-off using the parse-autogen program: https://gitlab.com/dueno/parse-autogen. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* .gitignore: ignore tests/x509cert-ctDaiki Ueno2021-12-141-0/+1
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* ktls: basic implementation of SW modeHedgehog50402021-10-191-0/+1
| | | | | | | | | | | | | | | | | ktls enables us to offload encryption/decryption to the kernel prerequisites: - configured with `--enable-ktls` - tls module `modprobe tls` check with 'lsmod | grep tls' - per connection: gnutls_transport_set_int{2} must be set When prerequisities are met then ktls is used by default. If GnuTLS encounters a error during KTLS initialization, it will not use ktls and fallback to userspace. Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
* priority: reflect system wide config when constructing sigalgsDaiki Ueno2021-06-111-0/+1
| | | | | | | | | | Otherwise the client would advertise signature algorithms which it cannot use and cause handshake to fail. Reported by Philip Schaten in: https://lists.gnupg.org/pipermail/gnutls-help/2021-June/004711.html Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'wip/dueno/earlydata-server' into 'master'Daiki Ueno2021-05-261-0/+1
|\ | | | | | | | | | | | | pre_shared_key: limit 0-RTT to resumption connections Closes #1239 See merge request gnutls/gnutls!1436
| * pre_shared_key: limit 0-RTT to resumption connectionsDaiki Ueno2021-05-171-0/+1
| | | | | | | | | | | | | | | | | | While RFC 8446 allows 0-RTT data in a non-resumption connection established with external PSK, it requires a mechanism to associate encryption parameters with PSK. Until we provide a new API for that, let's limit the 0-RTT use to resumption connections only. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | git: Do not ignore certtool templates.Daniel Kahn Gillmor2021-05-171-1/+1
|/ | | | | | | | | | This effectively reverts part of dc85966364994006f9337e4749d1487e4b8e16a1 in order to ensure that tests/cert-tests/templates/*.tmpl are not ignored by git. Closes: #1242 Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* .gitignore: ignore more filesDaiki Ueno2021-05-111-0/+1
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* .gitignore: ignore ctags, etags, and GNU global filesDaiki Ueno2021-04-251-0/+7
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* priority: add option to disable TLS 1.3 middlebox compatibility modeDaiki Ueno2021-04-171-0/+1
| | | | | | | This adds a new option %DISABLE_TLS13_COMPAT_MODE to disable TLS 1.3 compatibility mode at run-time. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Add unit test for id-on-xmppAddr decoding errorSteffen Jaeckel2021-03-051-0/+1
| | | | Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
* Merge branch 'wip/dueno/valgrind' into 'master'Daiki Ueno2021-02-191-7/+0
|\ | | | | | | | | | | | | tests: enable all tests to run under valgrind Closes #1174 and #708 See merge request gnutls/gnutls!1383
| * tests: remove *hello_random_value testsDaiki Ueno2021-02-191-3/+0
| | | | | | | | | | | | | | Those tests are meaningless and merely introduces extra flakiness, now that the uninitialized random bytes are detected by valgrind. Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * tests: remove init_fds testDaiki Ueno2021-02-171-1/+0
| | | | | | | | | | | | | | This test does nothing to expose the original problem linked in the comment: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760476 Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * safe-memfuncs: rely on explicit_bzero implementation from gnulibDaiki Ueno2021-02-171-3/+0
| | | | | | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | fips: replace fipshmac usage with internal programOndrej Moris2021-02-171-0/+1
|/ | | | | | | | | | | This introduces a non-installed program "fipshmac" and uses it for generating HMAC files required in FIPS 140-2. The generated files are installed along with the main library. Resolves issues #1101. Signed-off-by: Ondrej Moris <omoris@redhat.com> Co-authored-by: Daiki Ueno <dueno@redhat.com>
* .gitignore: ignore more filesDaiki Ueno2021-02-131-0/+2
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* handshake: TLS 1.3: don't generate session ID in resumption modeDaiki Ueno2021-02-041-0/+1
| | | | | | | | | | | The commit e0bb98e1f71f94691f600839ff748d3a9f469d3e revealed that the previous code always generated session ID in the TLS 1.3 middlebox compatibility mode even when the handshake is being resumed. This could cause a difference in PSK binder calculation if the server sends an HRR in the resumption handshake. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* gnulib: update git submoduleDaiki Ueno2020-09-171-1/+2
| | | | | | | | | This brings in the build fixes of parse-datetime module: https://lists.gnu.org/archive/html/bug-gnulib/2020-07/msg00178.html https://lists.gnu.org/archive/html/bug-gnulib/2020-08/msg00001.html https://lists.gnu.org/archive/html/bug-gnulib/2020-09/msg00046.html Signed-off-by: Daiki Ueno <ueno@gnu.org>
* .gitignore: ignore more filesDaiki Ueno2020-06-151-1/+27
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* gnulib: update git submoduleDaiki Ueno2020-05-291-1/+2
| | | | | | | | | | | This brings in the new fopen-gnu module and the RF_SENSITIVE flag for fread_file and read_file. This also adds the following changes to be consistent with the latest changes in Gnulib: - the callers of fread_file and read_file to be adjusted for the FLAGS argument - "attribute.h" needs to be used extensively Signed-off-by: Daiki Ueno <ueno@gnu.org>
* nettle: avoid manual backports of CFB8, CMAC, and XTSDaiki Ueno2020-05-041-1/+1
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* fips: check library soname during configuretmp-check-sonameDaiki Ueno2020-04-241-0/+2
| | | | | | | | | | | | Previously, we hard-coded the sonames of linked libraries for FIPS integrity checking. That required downstream packagers to manually adjust the relevant code in lib/fips.c, when a new interface version of the dependent libraries (nettle, gmp) becomes available and linked to libgnutls. This patch automates that process with the configure script. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Merge branch 'tmp-no-auto-send-ticket' into 'master'Daiki Ueno2020-04-201-0/+1
|\ | | | | | | | | handshake-tls13: add session flag to disable sending session tickets See merge request gnutls/gnutls!1234
| * handshake-tls13: add session flag to disable sending session ticketstmp-no-auto-send-ticketDaiki Ueno2020-04-131-0/+1
| | | | | | | | | | | | | | | | | | While GnuTLS by default implicitly sends NewSessionTicket during handshake, application protocols like QUIC set a clear boundary between "in handshake" and "post handshake", and NST must be sent in the post handshake state. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | nettle: use new imported source files for GOST DSADmitry Baryshkov2020-04-141-1/+1
| | | | | | | | | | | | | | Provide GOST support using source files copied by script rather than manually crafted by me. Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* | Compare DNs by comparing their string representationsPierre Ossman2020-04-031-0/+1
|/ | | | | | | | A binary comparison will not work in case the contents is the same but the ASN.1 type differ (e.g. PrintableString vs UTF8String). Such variations are permitted so we need to handle them. Signed-off-by: Pierre Ossman <ossman@cendio.se>
* nettle: vendor in ChaCha20 implementation from nettleDaiki Ueno2020-03-191-0/+1
| | | | | | | This enables to use bundled ChaCha20 implementation if the system nettle doesn't have nettle_chacha_set_counter. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* keylogfile: generalize with a callbacktmp-keylog-hookDaiki Ueno2020-02-071-0/+1
| | | | | | | | | This refactors the keylogfile mechanism by adding a callback to get notified when a new secret is derived and installed. That way, consumers can implement custom logging feature per session, which is particularly useful in QUIC implementation. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* crypto-api: add generic crypto functions for KDFDaiki Ueno2020-02-041-0/+1
| | | | | | | | | | This exposes HKDF and PBKDF2 functions from the library. Instead of defining a single KDF interface as in PKCS #11, this patch defines 3 distinct functions for HKDF-Extract, HKDF-Expand, and PBKDF2 derivation, so that we can take advantage of compile time checking of necesssary parameters. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* nettle: vendor in Curve448 and Ed448 implementationDaiki Ueno2020-01-231-0/+1
| | | | Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tests: add test for revoked OCSP responsetmp-ocsp-revocationDaiki Ueno2020-01-101-0/+1
| | | | | | | This adds a test that exercises a failed handshake upon receipt of an OCSP response with the "revoked" status. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* crypto-api: add gnutls_aead_cipher_{en,de}cryptv2tmp-encryptv2Daiki Ueno2019-08-091-0/+1
| | | | | | | This adds an in-place equivalent of gnutls_aead_cipher_encrypt() and gnutls_aead_cipher_decrypt(), that works on data buffers. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* iov: add iterator interface for giovec_tDaiki Ueno2019-08-091-0/+1
| | | | | | | This adds an iterator interface over giovec_t array, extracting a fixed sized block. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* pk: implement deterministic ECDSA/DSADaiki Ueno2019-08-081-0/+1
| | | | | | | This exposes the deterministic ECDSA/DSA functionality through the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* pkcs11: ignore login error when traversing tokensDaiki Ueno2019-07-111-0/+1
| | | | | | | | | | | | | | | If a token is a general access device, it is expected that login attempt to that token returns error: https://github.com/p11-glue/p11-kit/blob/master/trust/module.c#L852 On the other hand, _pkcs11_traverse_tokens treats the error as fatal and stops iteration. This behavior prevents object search without token specifier if such tokens are registered in the system. Reported by Stanislav Zidek in https://bugzilla.redhat.com/show_bug.cgi?id=1705478 Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tls13/key_update: ignore multiple key updates instead of errortmp-keyupdate-fixesDaiki Ueno2019-06-051-0/+1
| | | | | | | | This fixes the multiple KeyUpdate messages handling in commit 65e2aa80d114d4bef095d129c2eda475e473244a, where illegal_parameter is sent even if the limit doesn't exceed. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* server auth: disable TLS 1.3 if no signature algorithm is usableDaiki Ueno2019-05-201-0/+1
| | | | | | | | | | This is a server side counterpart of 005a4d04145707daad9588acedfdb5f6cd97c80c. Instead of signalling an error when no algorithm is usable in TLS 1.3, it downgrades the session to TLS 1.2 with a warning. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* ext/record_size_limit: distinguish sending and receiving limitstmp-record-sizesDaiki Ueno2019-05-141-0/+1
| | | | | | | | | | | | | | | | The previous behavior was that both sending and receiving limits are negotiated to be the same value. It was problematic when: - client sends a record_size_limit with a large value in CH - server sends a record_size_limit with a smaller value in EE - client updates the limit for both sending and receiving, upon receiving EE - server sends a Certificate message larger than the limit With this patch, each peer maintains the sending / receiving limits separately so not to confuse with the contradicting settings. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tests: make datefudge check robusterDaiki Ueno2019-04-191-0/+1
| | | | | | | | | When checking datefudge availability under cross-compiling environment with a binfmt wrapper, it is not sufficient to check against the host executable. This instead uses a test executable compiled for the target architecture. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* prf: add function to retrieve early keying materialDaiki Ueno2019-04-191-0/+1
| | | | | | | | | This adds a new function gnutls_prf_early, which shall be called in a handshake hook waiting for GNUTLS_HANDSHAKE_CLIENT_HELLO. The test needs to be run in a datefudge wrapper as the early secrets depend on the current time (through PSK). Signed-off-by: Daiki Ueno <dueno@redhat.com>
* .gitignore: ignore tests/libpkcs11mock2.laNikos Mavrogiannopoulos2019-04-161-0/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: add post-handshake auth test using PKCS#11 tokenDaiki Ueno2019-04-071-0/+1
| | | | | | | This adds a test that exercise the client's auth rejection logic, using the RSA-PSS disabled PKCS #11 token. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Update ax_code_coverage.m4 to latest release of autoconf-archivetmp-update-ax-code-coverageTim Rühsen2019-02-221-0/+2
| | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* .gitignore: add test filesAlon Bar-Lev2019-01-271-2/+5
| | | | Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
* tests: check record_size_limit is reset after resumptionDaiki Ueno2019-01-231-0/+1
| | | | Signed-off-by: Daiki Ueno <dueno@redhat.com>