Commit message (Author, Age, Files, Lines)
* Merge branch 'wip/dueno/gitignore' into 'master' [1214-implement-channel-bindings-for-tls-1-3]  (Daiki Ueno, 2021-04-25, 4 files, -13/+10)
|\
| |   gnutls_x509_crt_get_dn: clarify null-termination of the output
| |   Closes #1191 and #1187
| |   See merge request gnutls/gnutls!1418
| * gnutls_x509_crt_get_dn: clarify null-termination of the output  (Daiki Ueno, 2021-04-25, 1 file, -1/+2)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * build: do not install .hmac files  (Daiki Ueno, 2021-04-25, 1 file, -11/+0)
| |   It turned out that distro package building process might perform post-processing (e.g., strip) of the shared libraries after install, and that may cause inconsistency with the installed .hmac files. Let's not try too hard on this but defer the final hmac calculation to distributions. It is still useful to keep our own fipshmac as it makes it easier to run FIPS tests.
| |
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * tests: fix test script file name in distribution  (Daiki Ueno, 2021-04-25, 1 file, -1/+1)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * .gitignore: ignore ctags, etags, and GNU global files  (Daiki Ueno, 2021-04-25, 1 file, -0/+7)
|/
|     Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'wip/dueno/earlydata' into 'master'  (Daiki Ueno, 2021-04-25, 9 files, -83/+176)
|\
| |   handshake: fix timing of sending early data
| |   Closes #1146
| |   See merge request gnutls/gnutls!1416
| * handshake: fix timing of sending early data  (Daiki Ueno, 2021-04-25, 9 files, -83/+176)
| |   Previously, the client was sending early data after receiving a Server Hello message, which not only negates the benefit of 0-RTT, but also was a logic error as it can only be decrypted by the server when the initial handshake and the resuming handshake agree on the same ciphersuites.
| |
| |   This fixes that behavior in the following ways:
| |   - extend the session data format to include the selected ciphersuites, even in TLS 1.3
| |   - set up the epoch for early data, right before the client sending early data (also right after the server deciding to accept early data).
| |   - extend the test case to use different ciphersuites in the initial and resuming handshakes
| |
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'wip-guile-fixes' into 'master'  (Daiki Ueno, 2021-04-25, 2 files, -9/+11)
|\ \
| |/
|/|
| |   Minor Guile bindings improvements.
| |   See merge request gnutls/gnutls!1413
| * guile: Tests show their PID upon uncaught exceptions.  (Ludovic Courtès, 2021-04-24, 1 file, -2/+3)
| |   * guile/modules/gnutls/build/tests.scm (run-test): Display the PID when throwing an exception.
| |
| |   Signed-off-by: Ludovic Courtès <ludo@gnu.org>
| * guile: Avoid the deprecated 'scm_t_uint8' type.  (Ludovic Courtès, 2021-04-23, 1 file, -4/+4)
| |   * guile/src/core.c: Use 'uint8_t' instead of 'scm_t_uint8', which is deprecated in Guile 3.0.
| |
| |   Signed-off-by: Ludovic Courtès <ludo@gnu.org>
| * guile: Avoid potentially missed reference.  (Ludovic Courtès, 2021-04-23, 1 file, -3/+5)
| |   There's one case where 'register_weak_reference' is called several times on the same object, in 'set-certificate-credentials-x509-keys!', where PRIVKEY could have been GC'd before CRED.
| |
| |   * guile/src/core.c (register_weak_reference): Add TO to the weak references of FROM instead of overriding them.
| |
| |   Signed-off-by: Ludovic Courtès <ludo@gnu.org>
| * guile: Remove leftover comment about allocation routines.  (Ludovic Courtès, 2021-04-23, 1 file, -1/+0)
| |   This is a followup to 872409857351f28b1e3c21526bfa6606c918b176.
| |
| |   * guile/src/core.c (scm_init_gnutls): Remove leftover comment.
| |
| |   Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* | Merge branch 'wip/dueno/hash-copy-selftests' into 'master'  (Daiki Ueno, 2021-04-23, 1 file, -4/+8)
|\ \
| | |   crypto-selftests: tolerate errors of gnutls_{hash,hmac}_copy
| | |   See merge request gnutls/gnutls!1412
| * | crypto-selftests: tolerate errors of gnutls_{hash,hmac}_copy  (Daiki Ueno, 2021-04-23, 1 file, -4/+8)
| |/
| |   Some hardware accelerated implementations, such as afalg, cannot support the copy operation. This patch turns it into a soft-error, as the code below is already checking if the copy is non-NULL, before performing any operation on it.
| |
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'wip/dueno/afalg-fixes' into 'master'  (Daiki Ueno, 2021-04-23, 4 files, -22/+35)
|\ \
| |/
|/|
| |   afalg: minor follow-up fixes
| |   Closes #1209 and #1207
| |   See merge request gnutls/gnutls!1414
| * afalg: use pkg-config to detect libkcapi  (Daiki Ueno, 2021-04-23, 2 files, -1/+5)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * afalg: support AES-XTS algorithms  (Daiki Ueno, 2021-04-23, 1 file, -0/+2)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * afalg: cleanup header inclusion  (Daiki Ueno, 2021-04-23, 1 file, -7/+7)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * afalg: remove unnecessary initialization  (Daiki Ueno, 2021-04-23, 1 file, -13/+12)
| |   That would make it easier to spot any uninitialized memory access with valgrind.
| |
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * afalg: assert IV size returned from the kernel is in the range  (Daiki Ueno, 2021-04-23, 1 file, -2/+6)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * NEWS: mention AF_ALG support  (Daiki Ueno, 2021-04-23, 1 file, -0/+4)
|/
|     Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'wip/dueno/hrr-session-id' into 'master'  (Daiki Ueno, 2021-04-23, 2 files, -9/+31)
|\
| |   handshake: don't regenerate legacy_session_id in second CH after HRR
| |   Closes #1210
| |   See merge request gnutls/gnutls!1411
| * handshake: don't regenerate legacy_session_id in second CH after HRR  (Daiki Ueno, 2021-04-22, 2 files, -9/+31)
|/
|     According to RFC 8446 4.1.2, the client must send the same Client Hello after Hello Retry Request, except for certain extensions, and thus legacy_session_id must be preserved.
|
|     Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'af_alg' into 'master'  (Daiki Ueno, 2021-04-20, 8 files, -4/+887)
|\
| |   Add Linux kernel AF_ALG backend
| |   See merge request gnutls/gnutls!1404
| * _gnutls_cipher_init: fallback if setiv is not implemented for AEAD  (Daiki Ueno, 2021-04-20, 1 file, -1/+8)
| |   The _gnutls_cipher_init function currently assumes that all the cipher implementations have .setiv method. This is not the case for AEAD-only implementations such as afalg.
| |
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * Add AF_ALG acceleration  (Stephan Mueller, 2021-04-20, 7 files, -3/+879)
| |   The patch set adds the backend implementation to use the Linux kernel crypto API via the AF_ALG interface. The GnuTLS AF_ALG extension uses libkcapi [1] as the backend library which implements the actual kernel communication.
| |
| |   [1] http://www.chronox.de/libkcapi.html
| |
| |   The symmetric cipher support, the hashing and the MAC support are validated to work correctly using NIST CAVS test vectors.
| |
| |   The AEAD cipher support was tested by connecting to a remote host using gnutls-cli (the following log strips out unrelated information):
| |
| |   Processed 143 CA certificate(s).
| |   ...
| |   - Certificate type: X.509
| |   - Got a certificate list of 1 certificates.
| |   - Certificate[0] info:
| |   ...
| |   - Description: (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA512)-(AES-256-GCM)
| |   - Session ID: 9E:5E:FC:09:2A:4E:2A:3D:22:44:68:42:C3:F6:2D:AB:F9:67:08:CE:6D:EE:E4:A2:EF:80:43:FE:3B:D9:1E:FE
| |   - Ephemeral EC Diffie-Hellman parameters
| |   - Using curve: SECP384R1
| |   - Curve size: 384 bits
| |   - Version: TLS1.2
| |   - Key Exchange: ECDHE-RSA
| |   - Server Signature: RSA-SHA512
| |   - Cipher: AES-256-GCM
| |   - MAC: AEAD
| |   - Options: extended master secret, safe renegotiation,
| |   - Handshake was completed
| |   - Simple Client Mode:
| |
| |   Signed-off-by: Stephan Mueller <smueller@chronox.de>
| |   Co-authored-by: Daiki Ueno <ueno@gnu.org>
| |   Co-authored-by: Hedgehog5040 <krenzelok.frantisek@gmail.com>
* | Merge branch 'wip/dueno/tls13-compat' into 'master'  (Daiki Ueno, 2021-04-18, 10 files, -11/+179)
|\ \
| |/
|/|
| |   priority: add option to disable TLS 1.3 middlebox compatibility mode
| |   Closes #1208
| |   See merge request gnutls/gnutls!1410
| * priority: add option to disable TLS 1.3 middlebox compatibility mode  (Daiki Ueno, 2021-04-17, 10 files, -11/+179)
|/
|     This adds a new option %DISABLE_TLS13_COMPAT_MODE to disable TLS 1.3 compatibility mode at run-time.
|
|     Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'wip/dueno/reallocarray' into 'master'  (Daiki Ueno, 2021-03-30, 17 files, -102/+219)
|\
| |   build: avoid potential integer overflow in array allocation
| |   Closes #1179
| |   See merge request gnutls/gnutls!1392
| * _gnutls_calloc: remove unused function  (Daiki Ueno, 2021-03-30, 2 files, -12/+0)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * build: avoid integer overflow in additions  (Daiki Ueno, 2021-03-29, 9 files, -5/+99)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * build: avoid potential integer overflow in array allocation  (Daiki Ueno, 2021-03-29, 14 files, -81/+90)
| |   This relies on _gnutls_reallocarray for all occasions of array allocations, so that they can benefit from the built-in overflow checks.
| |
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * pkcs11x: find_ext_cb: fix error propagation  (Daiki Ueno, 2021-03-29, 1 file, -2/+1)
| |   Use explicit error value, as rv is not set in this code path.
| |
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * mem: add _gnutls_reallocarray and _gnutls_reallocarray_fast  (Daiki Ueno, 2021-03-29, 2 files, -2/+29)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * bootstrap: pull in 'xalloc-oversized' module from Gnulib  (Daiki Ueno, 2021-03-29, 1 file, -1/+1)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'wip/dueno/system-keys-w32' into 'master'  (Daiki Ueno, 2021-03-29, 1 file, -1/+2)
|\ \
| | |   keys-win: free certificate context in gnutls_system_key_iter_deinit
| | |   Closes #1197
| | |   See merge request gnutls/gnutls!1406
| * | keys-win: free certificate context in gnutls_system_key_iter_deinit  (Daiki Ueno, 2021-03-29, 1 file, -1/+2)
| |/
| |   Suggested by Bjørn Christensen in:
| |   https://gitlab.com/gnutls/gnutls/-/issues/1197
| |
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'tmp-missing-gnutls-crypto-layers_png' into 'master'  (Andreas Metzler, 2021-03-20, 1 file, -0/+1)
|\ \
| |/
|/|
| |   build: doc: install missing image file gnutls-crypto-layers.png
| |   See merge request gnutls/gnutls!1405
| * build: doc: install missing image file gnutls-crypto-layers.png  (Andreas Metzler, 2021-03-20, 1 file, -0/+1)
|/
|     Signed-off-by: Andreas Metzler <ametzler@bebt.de>
* Merge branch 'wip/dueno/coverity' into 'master'  (Daiki Ueno, 2021-03-16, 5 files, -7/+36)
|\
| |   Fix resource leaks spotted by coverity
| |   See merge request gnutls/gnutls!1403
| * examples: avoid memory leak in ex-verify  (Daiki Ueno, 2021-03-15, 1 file, -1/+6)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * examples: avoid memory leak in tlsproxy  (Daiki Ueno, 2021-03-15, 1 file, -0/+8)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * src: avoid file descriptor leak in socket_open2  (Daiki Ueno, 2021-03-15, 1 file, -1/+8)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * gnutls-cli-debug: avoid resource leak in saving DHE params  (Daiki Ueno, 2021-03-15, 1 file, -3/+12)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * srptool: avoid FILE pointer leak on error  (Daiki Ueno, 2021-03-15, 1 file, -2/+2)
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | Merge branch 'wip/dueno/tzalloc-tests' into 'master'  (Daiki Ueno, 2021-03-15, 2 files, -10/+12)
|\ \
| |/
|/|
| |   gnulib: update git submodule
| |   Closes #1190
| |   See merge request gnutls/gnutls!1402
| * gnulib: update git submodule  (Daiki Ueno, 2021-03-15, 2 files, -10/+12)
|/
|     This brings in the fix for parse-datetime test failures on NetBSD:
|     https://lists.gnu.org/archive/html/bug-gnulib/2021-03/msg00069.html
|     https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=35f8ff2e1162bf3ee60d99b6812f2ae10f3f2898
|
|     Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'oneshot-urandom' into 'master'  (Daiki Ueno, 2021-03-11, 9 files, -81/+24)
|\
| |   sysrng-linux: re-open /dev/urandom every time
| |   Closes #1188
| |   See merge request gnutls/gnutls!1396
| * lib/nettle: get rid of _rnd_system_entropy_check  (Alexander Sosedkin, 2021-03-08, 7 files, -28/+0)
| |   Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
| * lib/global: don't call now-noop _gnutls_rnd_check  (Alexander Sosedkin, 2021-03-08, 2 files, -15/+0)
| |   Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>