| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
| |
Those functions has been deprecated in 3.6.9 as they do not have
active use cases.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Co-authored-by: Daiki Ueno <ueno@gnu.org>
|
|\
| |
| |
| |
| |
| |
| | |
Adds a new API gnutls_session_set_verify_output_function() that allows TLS applications
Closes #1012
See merge request gnutls/gnutls!1339
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
applications
to have a way to pass the gnutls_verify_output_function() as a callback so that the full
path of the certificate chain to the trusted root can be avaiable as output.
Signed-off-by: Sahana Prasad <sahana@redhat.com>
|
|/
|
|
|
|
|
| |
This allows us to remove several backports, including XTS, CFB8,
raw-ChaCha, CMAC64, Curve448, and the GOST curves and hashes.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
|
| |
gnutls-cli to
automatically download missing intermediate CAs in a certificate chain
lib/cred-cert.c : adds set and get APIs to get user data in the
gnutls_x509_trust_list_set_getissuer_function() callback.
Signed-off-by: Sahana Prasad <sahana@redhat.com>
|
|
|
|
|
|
|
| |
Reported by Andreas Metzler in:
https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004650.html
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Sahana Prasad <sahana@redhat.com>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
| |
Add support for AES-192 in GCM mode.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|
|
|
|
|
|
| |
Basically export print_pkcs7_info() in a way usable by external
applications.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|
|
|
|
|
|
|
|
| |
This adds a couple of new cipher algorithms GNUTLS_CIPHER_AES_128_SIV
and GNUTLS_CIPHER_AES_256_SIV, exposing nettle_siv_cmac_aes{128,256}*
functions. Note that they can only used with the AEAD interface and
authentication tags are prepended (not appended) to the ciphertext.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| | |
improve gnutls-cli-debug testing of old SSL 3.0 servers
See merge request gnutls/gnutls!1221
|
| |
| |
| |
| | |
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
|
|\ \
| | |
| | |
| | |
| | | |
gnutls_session_get_keylog_function: new function
See merge request gnutls/gnutls!1220
|
| |/
| |
| |
| |
| |
| |
| |
| | |
This adds a way to retrieve the keylog function set by
gnutls_session_set_keylog_function() to allow application protocols to
implement custom logging facility.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|/
|
|
| |
Signed-off-by: Ander Juaristi <a@juaristi.eus>
|
|
|
|
|
|
|
|
| |
This is particularly useful when the application applies key
derivation function by itself with the same underlying hash algorithm
as the session.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This partially reverts commit 97117556 with a simpler interface. The
original intention of having the callback mechanism was to reuse it
for monitoring QUIC encryption changes. However, it turned out to be
insufficient because such changes must be emitted after a new epoch is
ready.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This refactors the keylogfile mechanism by adding a callback to get
notified when a new secret is derived and installed. That way,
consumers can implement custom logging feature per session, which is
particularly useful in QUIC implementation.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This exposes HKDF and PBKDF2 functions from the library. Instead of
defining a single KDF interface as in PKCS #11, this patch defines 3
distinct functions for HKDF-Extract, HKDF-Expand, and PBKDF2
derivation, so that we can take advantage of compile time checking of
necesssary parameters.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\
| |
| |
| |
| | |
algorithms: implement X448 key exchange and Ed448 signature scheme
See merge request gnutls/gnutls!984
|
| |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \
| |/
|/|
| |
| |
| |
| | |
tls13: fix issues with client OCSP responses
Closes #876
See merge request gnutls/gnutls!1169
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The TLS1.3 protocol requires the server to advertise an empty
OCSP status request extension on its certificate verify message
for an OCSP response to be sent by the client. We now always
send this extension to allow clients attaching those responses.
Resolves: #876
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In client side ensure we see a request for OCSP from servers before
sending one.
Relates: #876
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| | |
libgnutls: Add system-wide default-priority-string override.
See merge request gnutls/gnutls!1158
|
| |
| |
| |
| | |
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
|
|\ \
| |/
|/|
| |
| | |
Extend GOST priority settings and documentation
See merge request gnutls/gnutls!1160
|
| |
| |
| |
| |
| |
| |
| | |
Use +GOST-ALL shortcut to enable GOST ciphersuites. Also document newly
added GOST shortcuts.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | | |
Provide flag to identify sessions that an OCSP response was requested
Closes #829
See merge request gnutls/gnutls!1131
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
That adds the flag GNUTLS_SFLAGS_CLI_REQUESTED_OCSP which can be
checked by a server application to determine whether the
client has requested stapled OCSP responses.
This includes minor cleanups in the status request handling code.
Resolves: #829
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
According to RFC5280 a certificate must not include more than
one instance of a particular extension. We were previously printing
warnings when such extensions were found, but that is insufficient
to flag such certificates. Instead, refuse to import them.
Resolves: #887
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This effectively reverts !400 and ensures that we no longer tolerate
invalid DER time. This complements the previous commit by Lili Quan
and ensures we provide the --disable-strict-der-time backwards compatibility
option.
Resolves: #207
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously we would only set these extensions specific with add_extension
when generating using --generate-certificate. The change makes sure these
options are considered even when generating an extension from a certificate
request. Issue reported on the mailing list.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
When running the test suite we do not apply the global
gnutls configration as it may change options that are
tested.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If a CA is found in the trusted list, check in addition to
time validity, whether the algorithms comply to the expected
level. This addresses the problem of accepting CAs which would
have been marked as insecure otherwise.
Resolves: #877
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| |
| |
| | |
This applies to the --verify and --verify-chain commands.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
According to RFC5280 we should reject such certificates.
Resolves: #870
Signed-off-by: Lili Quan <13132239506@163.com>
|
|/
|
|
| |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|