| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |\
| |
| |
| |
| |
| |
| | |
psk: Add basic support for RFC 9258 external PSK importer interface
Closes #1355
See merge request gnutls/gnutls!1741
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a minimal, callback-based API to import external PSK,
following RFC 9258. The client and the server importing external PSK
are supposed to set a callback to retrieve PSK, which returns flags
that may indicate the PSK is imported, along with the key:
typedef int gnutls_psk_client_credentials_function3(
gnutls_session_t session,
gnutls_datum_t *username, gnutls_datum_t *key,
gnutls_psk_key_flags *flags);
typedef int gnutls_psk_server_credentials_function3(
gnutls_session_t session,
const gnutls_datum_t *username, gnutls_datum_t *key,
gnutls_psk_key_flags *flags);
Those callbacks are responsible to call
gnutls_psk_format_imported_identity() for external PSKs to build a
serialized PSK identity, and set GNUTLS_PSK_KEY_EXT in flags if the
identity is an imported one.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\
| |
| |
| |
| | |
build: switch to using clang-format instead of GNU indent
See merge request gnutls/gnutls!1727
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GNU indent yields weird output when using the Linux kernel coding
style as in the below examples, which affects code readability.
- Too long lines cause unexpected indentation:
if (!
(priv->flags &
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED)
&& (priv->flags & GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT)
&& data.size > 0) {
- Unary operators (`-` and `+`) after a type cast are not recognized
properly: `(time_t)-1` becomes `(time-t) - 1`
- Long conditionals are wrapped before binary operators, such as `&&`
or `||`. This is not mandatory in the style, but all the occurrences
are replaced with that style
This switches to using clang-format instead, with the configuration
used in the Linux kernel as of commit
596ff4a09b8981790e15572e8e7bc904df5835e7:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/.clang-format
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\
| |
| |
| |
| | |
doc: mention ClientHello extensions shuffling
See merge request gnutls/gnutls!1738
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |/
|
|
|
|
|
|
|
|
| |
This reduces the number of calls to gnutls_rnd(GNUTLS_RND_RANDOM)
based on the assumption that extension indices fit in uint8_t.
This also renames the priority string modifier from %NO_EXTS_SHUFFLE
to %NO_SHUFFLE_EXTENSIONS.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\
| |
| |
| |
| | |
add test for gnutls_certificate_set_x509_trust
See merge request gnutls/gnutls!1740
|
| |/
|
|
| |
Signed-off-by: xuraoqing <xuraoqing@huawei.com>
|
| |\
| |
| |
| |
| | |
Use faketime instead of datefudge
See merge request gnutls/gnutls!1716
|
| | |
| |
| |
| | |
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
|
| | |
| |
| |
| | |
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
|
| | |
| |
| |
| |
| |
| | |
also switch timeout/wrapper order
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
|
| | |
| |
| |
| |
| |
| | |
Also switch setsid/wrapper order
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
|
| | |
| |
| |
| |
| |
| | |
Prefer faketime, fall back to datefudge.
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
|
| |/
|
|
|
|
|
| |
Change all timestamps passed to "datefudge -s" to "YYYY-MM-DD hh:mm:ss"
format for compatibility with faketime -f ("Freeze clock" advanced format)
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
|
| |\
| |
| |
| |
| | |
Fix for issue #1471: Add configurable timeout to gnutls-serv
See merge request gnutls/gnutls!1726
|
| |/
|
|
|
|
|
|
| |
This adds --timeout option to gnutls-serv to control the inactivity
interval, which would be useful for testing.
Fixes: #1471
Signed-off-by: maratheatharva <atharvamarathe8@gmail.com>
|
| |\
| |
| |
| |
| | |
fips: add additional pbkdf limit checks as defined in SP 800-132
See merge request gnutls/gnutls!1736
|
| | |
| |
| |
| |
| |
| |
| |
| | |
- Make sure to always use approved iteration count
- Check that salt < 16 return non-approved
- Check that iteration count < 1000 returns non-approved
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
|
| | |
| |
| |
| | |
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
|
| |\ \
| |/
|/|
| |
| |
| |
| | |
added clientHello extension permutation
Closes #1465
See merge request gnutls/gnutls!1737
|
| |/
|
|
|
|
|
|
|
| |
This adds a mechanism to randomize the order of TLS extensions in the
ClientHello to make fingerprinting harder. The mechanism is enabled by
default and a new priority keyword %NO_EXTS_SHUFFLE has been added to
turn it off.
Signed-off-by: peonix <ajeetsinghchahar2@gmail.com>
|
| |\
| |
| |
| |
| | |
src: print_info: prefer gnutls_psk_server_get_username2
See merge request gnutls/gnutls!1730
|
| | |
| |
| |
| |
| |
| |
| | |
This happens when gnutls_psk_server_get_username is called from a
client. Also simplify the embedded NUL-byte check with memchr.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
gnutls_psk_server_get_username only supports NUL-terminated usernames,
while we added support for non-NULL terminated usernames in
d00638997fa269a975095d852633b48b2b64fbf9.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\ \
| | |
| | |
| | |
| | | |
Modifier GNUTLS_NO_EXTENSIONS renamed to GNUTLS_NO_DEFAULT_EXTENSIONS
See merge request gnutls/gnutls!1734
|
| | | |
| | |
| | |
| | | |
Signed-off-by: peonix <ajeetsinghchahar2@gmail.com>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: peonix <ajeetsinghchahar2@gmail.com>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: peonix <ajeetsinghchahar2@gmail.com>
|
| |/ /
| |
| |
| | |
Signed-off-by: peonix <ajeetsinghchahar2@gmail.com>
|
| |\ \
| | |
| | |
| | |
| | | |
add DER crl list import test
See merge request gnutls/gnutls!1733
|
| | | |
| | |
| | |
| | | |
Signed-off-by: xuraoqing <xuraoqing@huawei.com>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: xuraoqing <xuraoqing@huawei.com>
|
| |\ \ \
| |/ /
| | /
| |/
|/| |
add get dn by oid test
See merge request gnutls/gnutls!1731
|
| |/
|
|
| |
Signed-off-by: xuraoqing <xuraoqing@huawei.com>
|
| |\
| |
| |
| |
| | |
test:tls13/key_limits: rewrite key_limits testcase as single process
See merge request gnutls/gnutls!1728
|
| |/
|
|
| |
Signed-off-by: Yongye Zhu <zyy1102000@gmail.com>
|
| |\
| |
| |
| |
| | |
.gitlab-ci.yml: make use of .pre stage
See merge request gnutls/gnutls!1729
|
| |/
|
|
|
|
|
|
|
|
| |
Jobs in the .pre stage run before any other jobs:
https://docs.gitlab.com/ee/ci/yaml/index.html#stage-pre
As commit-check is lightweight and a prerequisite for merging MRs,
this moves it from the test stage to .pre.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\
| |
| |
| |
| |
| |
| | |
pkcs11: respect Mozilla's time-based distrust upon issuer lookup
Closes #912
See merge request gnutls/gnutls!1725
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
This implements the basic logic needed to support time-based distrust
of CA, according to [1].
1. https://wiki.mozilla.org/CA/Additional_Trust_Changes#Distrust_After
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\ \
| |/
|/|
| |
| | |
add CRL issuer get test
See merge request gnutls/gnutls!1722
|
