| Commit message | Author | Age | Files | Lines |

ktls is enabled by default; we can check if initialization was
successful with gnutls_transport_is_ktls_enabled
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
priority: support allowlisting in configuration file
Closes #1172
See merge request gnutls/gnutls!1427
This adds a new mode of interpreting the [overrides] section. If
"override-mode" is set to "allowlisting" in the [global] section, all
the algorithms (hashes, signature algorithms, curves, and versions)
are initially marked as insecure/disabled. Then the user can enable
them by specifying allowlisting keywords such as "secure-hash" in the
[overrides] section.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>
This adds the following refactoring:
- avoid side effects while parsing the config file, by separating
  the application phase; the parsed configuration can be applied globally
  with cfg_apply, after validation
- make _gnutls_*_mark_{disabled,insecure} take an ID instead of the
  name
Signed-off-by: Daiki Ueno <ueno@gnu.org>
build: update to use the latest valgrind-tests module from Gnulib
Closes #1253
See merge request gnutls/gnutls!1488
This adjusts the existing valgrind invocations in the test suite in line with:
https://www.gnu.org/software/gnulib/manual/html_node/Valgrind-options.html
- make the --suppressions option per-directory, using AM_VALGRINDFLAGS
- use LOG_VALGRIND for LOG_COMPILER
- quote '$(LOG_VALGRIND)' in TESTS_ENVIRONMENT
- move the gl_VALGRIND_TESTS_DEFAULT_NO call before gl_INIT
Signed-off-by: Daiki Ueno <ueno@gnu.org>
sockets: fixed building for Windows with compilers without VLA support (alternative version)
See merge request gnutls/gnutls!1490
Signed-off-by: Evgeny Grin <k2k@narod.ru>
Signed-off-by: Evgeny Grin <k2k@narod.ru>
locks: couple of improvements using Gnulib glthread
See merge request gnutls/gnutls!1485
As the library now uses static mutexes, rwlocks, and onces, it doesn't
make much sense to only replace dynamic mutex usage.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This makes sure that the global variables are initialized only once.
Most of those variables are initialized in an ELF constructor, though on a
couple of occasions they are initialized on demand: the global keylog
file pointer and the TPM2 TCTI context. To properly protect the
initialization this patch uses gl_once provided by Gnulib.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Remove GNUTLS_STATIC_RWLOCK_*LOCK macros and respect return values of
rwlock primitives.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
As Gnulib provides portability wrappers of mutex implementations, we
don't need to provide similar wrappers by ourselves.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Port openconnect TPM2 code
Closes #594
See merge request gnutls/gnutls!1460
This introduces transparent loading of TPM2 keys which are in PEM
form by gnutls_privkey_import_x509_raw() and higher level functions
which wrap it.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Co-authored-by: David Woodhouse <dwmw2@infradead.org>
Co-authored-by: Daiki Ueno <ueno@gnu.org>
tests: pass $abs_top_builddir more consistently
See merge request gnutls/gnutls!1484
`$abs_top_builddir` has been used all across tests' subdirectories
(through tests/scripts/common.sh) but has only been defined for
tests/suite/ ones. Defining it in other Makefiles where `top_builddir`
is being passed.
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
priority: rework config reloading logic and locking
See merge request gnutls/gnutls!1483
The previous reloading logic relied on the existence of [priority]
section (in the initial loading) as an indicator whether the file is
loaded. This didn't work well in the following cases:
- when the section didn't exist initially and then is added later
- when the section existed initially and then is removed later
To handle these cases, this change adds a new flag
system_priority_file_loaded which can be used together with the mtime
check.
This also adds an rwlock to protect global configuration.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
This reverts commit 890c6937a3cfb4a0704bc815324221ec4cb89840.
Considering the entire logic around reloading the config file, the fix
was suboptimal.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
devel: update release procedure taking into account of abi-dump
See merge request gnutls/gnutls!1481
As the *.abi files have been moved into a separate repository, we need
an extra step to update the repository for a new release.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
priority: fix potential race in reloading system-wide config
See merge request gnutls/gnutls!1482
_gnutls_update_system_priorities is called from gnutls_priority_set*
functions every time the SYSTEM keyword is used and updates a
global variable system_wide_priority_strings if the configuration
changes. Although the critical path is protected with an mtime check, it
should also hold a lock to avoid an occasional race condition in
multi-threaded programs. This also clears
system_wide_priority_strings_init upon unloading and before reloading
the config file (thanks to Alexander Sosedkin).
Signed-off-by: Daiki Ueno <ueno@gnu.org>
.gitlab-ci.yml: add caching to cppcheck
See merge request gnutls/gnutls!1480
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
make insecure-hash filter out ciphersuites on ->prf as well
See merge request gnutls/gnutls!1479
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
ktls: basic implementation of SW mode
See merge request gnutls/gnutls!1451
ktls enables us to offload encryption/decryption to the kernel.
Prerequisites:
- configured with `--enable-ktls`
- tls module: `modprobe tls`; check with `lsmod | grep tls`
- per connection: gnutls_transport_set_int{2} must be set
When the prerequisites are met, ktls is used by default.
If GnuTLS encounters an error during KTLS initialization, it will
not use ktls and falls back to userspace.
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
devel: move .abi files into a separate repository
See merge request gnutls/gnutls!1478
This will produce more compact abixml output.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Changes to the .abi files are a bit too noisy to track in the main
repository. This moves the files out of this repository and embeds them
as a git submodule.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
fix mingw64 detection
See merge request gnutls/gnutls!1476
__MINGW64__ is only defined for 64-bit builds of mingw64 [1].
The intended test was to only use the CertEnumCRLsInStoreFunc via LoadLibrary
for some ancient mingw32 build and never for mingw64.
__MINGW64_VERSION_MAJOR is the proper define to identify mingw64 against mingw32.
[1] https://sourceforge.net/p/predef/wiki/Compilers/
Co-authored-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
certtool: generate, parse, and manipulate X25519 and X448 pubkeys, privkeys, and certificates
See merge request gnutls/gnutls!1428
This fixes an ASAN warning in fuzz/gnutls_private_key_parser_fuzzer
when run against the malformed private key
fuzz/gnutls_private_key_parser_fuzzer.in/10a5c92fa30ddb6cbb4286d7699b2b7a7e032b17
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
These certs should work just fine for the purposes of cryptographic
e-mail (S/MIME).
These usage flags are also used in the end-entity certificates found
in https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
This is a simple extension of the certtool command-line interface.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
This is related to #1227 -- but in this case, it's enforcing a
requirement of RFC 8410 §5.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
_gnutls_x509_read_ecdh_pubkey is basically a clone of
_gnutls_x509_read_eddsa_pubkey. Another form of implementation
would be to collapse these two static functions into a common
function for all "CFRG" curves.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>