path: root/doc
Commit message (branch)  [Author, Age, Files, Lines]
* src/cli: adds new option '--ca-auto-retrieve' that can be used with ↵  [Sahana Prasad, 2020-09-02, 2 files, -0/+6]
|   gnutls-cli to automatically download missing intermediate CAs in a certificate chain
|   lib/cred-cert.c : adds set and get APIs to get user data in the gnutls_x509_trust_list_set_getissuer_function() callback.
|   Signed-off-by: Sahana Prasad <sahana@redhat.com>
* doc: assorted typo fixes (tmp-typo-fixes)  [Daiki Ueno, 2020-08-12, 5 files, -6/+6]
|   Spotted by codespell.
|   Signed-off-by: Daiki Ueno <ueno@gnu.org>
* dhe: check if DH params in SKE match the FIPS approved algorithms (tmp-sp800-56ar3)  [Daiki Ueno, 2020-06-27, 24 files, -0/+313]
|   SP800-56A rev. 3 restricts the FIPS compliant clients to use only approved DH parameters, defined in RFC 7919 and RFC 3526. This adds a check in the handling of ServerKeyExchange if DHE is negotiated.
|   Signed-off-by: Daiki Ueno <ueno@gnu.org>
* devel/libgnutls-latest-x86_64.abi, doc, NEWS, and manpage updates  [Sahana Prasad, 2020-06-03, 2 files, -0/+3]
|   Signed-off-by: Sahana Prasad <sahana@redhat.com>
* Merge branch 'tmp-fileio' into 'master'  [Daiki Ueno, 2020-05-30, 2 files, -6/+6]
|\
| |   lib: improve external file loading
| |   See merge request gnutls/gnutls!1261
| * build: write "FILE *fp" instead of "FILE *fd" (tmp-fileio)  [Daiki Ueno, 2020-05-30, 1 file, -5/+5]
| |   This makes it clear that "fd" is not a file descriptor but a FILE pointer.
| |   Suggested by Tim Rühsen.
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * gnulib: update git submodule  [Daiki Ueno, 2020-05-29, 1 file, -1/+1]
| |   This brings in the new fopen-gnu module and the RF_SENSITIVE flag for fread_file and read_file. This also adds the following changes to be consistent with the latest changes in Gnulib:
| |   - the callers of fread_file and read_file to be adjusted for the FLAGS argument
| |   - "attribute.h" needs to be used extensively
| |   Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | fips: make FIPS140-2 mode enablement logic simpler  [Daiki Ueno, 2020-05-20, 1 file, -4/+18]
|/
|   Previously, to enable the FIPS140-2 mode, both /etc/system-fips and the fips=1 kernel command line need to be set. While this was designed to be consistent, the convention is not well followed by the other crypto libraries and the former tends to be ignored.
|   This aligns the behavior to the latter, i.e. if fips=1 is set, the library enables the FIPS140-2 mode regardless of the existence of /etc/system-fips.
|   Suggested by Alexander Sosedkin.
|   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* pkcs7: add function to display signature information  [Dmitry Baryshkov, 2020-05-14, 2 files, -0/+3]
|   Basically export print_pkcs7_info() in a way usable by external applications.
|   Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* gnutls_ext_get_name2: new function  [Daiki Ueno, 2020-04-21, 2 files, -0/+3]
|   This adds a generalized version of gnutls_ext_get_name, which can retrieve the name of the extension, even if it is registered per session.
|   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Merge branch 'tmp-get-keylog-func' into 'master'  [Daiki Ueno, 2020-03-25, 2 files, -0/+3]
|\
| |   gnutls_session_get_keylog_function: new function
| |   See merge request gnutls/gnutls!1220
| * gnutls_session_get_keylog_function: new function (tmp-get-keylog-func)  [Daiki Ueno, 2020-03-22, 2 files, -0/+3]
| |   This adds a way to retrieve the keylog function set by gnutls_session_set_keylog_function() to allow application protocols to implement custom logging facility.
| |   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | psk: Allow non-NULL PSK usernames  [Ander Juaristi, 2020-03-23, 2 files, -0/+12]
|/
|   This commit closes #586.
|   Two new functions are introduced: gnutls_psk_server_get_username2() and gnutls_psk_set_client_username2(), which are identical in behavior to those named similarly (without the final '2'), but allow arbitrary gnutls datums (not strings) to be used as usernames.
|   Two new callback functions are also introduced, with their respective setters: gnutls_psk_set_server_credentials_function2() and gnutls_psk_set_client_credentials_function2().
|   In addition, the password file format is extended so that non-string usernames can be specified. A leading '#' character tells GnuTLS that the username should be interpreted as a raw byte string (encoded in HEX).
|   Example:
|       #deadbeef:9e32cf7786321a828ef7668f09fb35db
|   Signed-off-by: Ander Juaristi <a@juaristi.eus>
* state: add function to get the current hash algorithm (tmp-prf-get)  [Daiki Ueno, 2020-03-19, 2 files, -0/+3]
|   This is particularly useful when the application applies key derivation function by itself with the same underlying hash algorithm as the session.
|   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* keylogfile: simplify the callback mechanism (tmp-keylog-func)  [Daiki Ueno, 2020-02-22, 2 files, -4/+3]
|   This partially reverts commit 97117556 with a simpler interface. The original intention of having the callback mechanism was to reuse it for monitoring QUIC encryption changes. However, it turned out to be insufficient because such changes must be emitted after a new epoch is ready.
|   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* keylogfile: generalize with a callback (tmp-keylog-hook)  [Daiki Ueno, 2020-02-07, 2 files, -0/+4]
|   This refactors the keylogfile mechanism by adding a callback to get notified when a new secret is derived and installed. That way, consumers can implement custom logging feature per session, which is particularly useful in QUIC implementation.
|   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* crypto-api: add generic crypto functions for KDF  [Daiki Ueno, 2020-02-04, 2 files, -0/+9]
|   This exposes HKDF and PBKDF2 functions from the library. Instead of defining a single KDF interface as in PKCS #11, this patch defines 3 distinct functions for HKDF-Extract, HKDF-Expand, and PBKDF2 derivation, so that we can take advantage of compile time checking of necessary parameters.
|   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* algorithms: implement X448 key exchange and Ed448 signature scheme  [Daiki Ueno, 2020-01-23, 6 files, -3/+91]
|   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Merge branch 'override-default-priority' into 'master'  [Nikos Mavrogiannopoulos, 2020-01-13, 1 file, -0/+16]
|\
| |   libgnutls: Add system-wide default-priority-string override.
| |   See merge request gnutls/gnutls!1158
| * libgnutls: Add system-wide default-priority-string override.  [Dimitri John Ledkov, 2020-01-13, 1 file, -0/+16]
| |   Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
* | Merge branch 'gost-priorities' into 'master'  [Dmitry Eremin-Solenikov, 2020-01-12, 2 files, -7/+28]
|\ \
| |/
|/|
| |   Extend GOST priority settings and documentation
| |   See merge request gnutls/gnutls!1160
| * priority: add new GOST-ALL shortcut  [Dmitry Eremin-Solenikov, 2020-01-10, 1 file, -0/+5]
| |   Add GOST-ALL as an alias for CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL and GROUP-GOST-ALL.
| |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * priority: add more GOST shortcuts  [Dmitry Eremin-Solenikov, 2020-01-09, 1 file, -3/+6]
| |   Add shortcuts for GOST ciphers, MACs and KXes. For now they contain only one item, but this list will be expanded as support for GOST-CTR-ACPKM ciphersuites will be added.
| |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * lib/priority: add SIGN-GOST-ALL keyword  [Dmitry Eremin-Solenikov, 2020-01-09, 1 file, -0/+1]
| |   Add SIGN-GOST-ALL keyword containing all defined GOST signature algorithms.
| |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * doc: document GOST priority options  [Dmitry Eremin-Solenikov, 2020-01-08, 1 file, -4/+5]
| |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * doc: document GOST cipher and MAC algorithms  [Dmitry Eremin-Solenikov, 2020-01-08, 1 file, -0/+11]
| |   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | doc: clarify thread safeness in gnutls_global_init()  [Nikos Mavrogiannopoulos, 2020-01-09, 1 file, -1/+3]
|/
|   This documents and clarifies the thread safeness of gnutls_global_init() and its constraints.
|   Resolves: #900
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: updated epub.texi from gnutls.texi  [Nikos Mavrogiannopoulos, 2020-01-03, 1 file, -3/+7]
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc: updated copyrights for 2020 (tmp-update-copyright)  [Nikos Mavrogiannopoulos, 2020-01-01, 1 file, -2/+2]
|   This updates the copyright year for documentation and excludes gnulib files from the copyright check.
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* crypto-api: add gnutls_hmac_get_key_size() function  [Dmitry Eremin-Solenikov, 2019-12-27, 2 files, -0/+3]
|   Add gnutls_hmac_get_key_size() to retrieve MAC key size.
|   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* updated auto-generated files  [Nikos Mavrogiannopoulos, 2019-12-19, 2 files, -0/+6]
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc: document GROUP-GOST-ALL keyword  [Dmitry Eremin-Solenikov, 2019-12-18, 1 file, -3/+3]
|   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* gnutls_session_get_data2: fix operation without a timeout callback  [Nikos Mavrogiannopoulos, 2019-09-26, 1 file, -1/+3]
|   When TLS1.3 was introduced, gnutls_session_get_data2 was modified to assume that the callbacks set included the timeout one which was not previously necessary except for some special cases. This corrects that issue and makes sure that gnutls_session_get_data2() does not fail (but not necessarily succeed), if that timeout callback is not set.
|   Resolves: #823
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* guile: Add support for Guile 3.0.  [Ludovic Courtès, 2019-09-16, 1 file, -3/+3]
|   * configure.ac: Add 3.0 to 'GUILE_PKG', as well as the previously-supported versions.
|   * doc/gnutls-guile.texi (Guile Preparations): Update list of supported versions.
|   Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* doc: Run guile with '-q'.  [Ludovic Courtès, 2019-09-16, 1 file, -2/+2]
|   This makes sure we don't load the user's ~/.guile.
|   * doc/Makefile.am (GUILE_FOR_BUILD): Pass '-q'.
|   Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* crypto-api: add gnutls_aead_cipher_{en,de}cryptv2 (tmp-encryptv2)  [Daiki Ueno, 2019-08-09, 2 files, -0/+6]
|   This adds an in-place equivalent of gnutls_aead_cipher_encrypt() and gnutls_aead_cipher_decrypt(), that works on data buffers.
|   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* gnutls.h: mark AEAD ciphers as such in gnutls_cipher_algorithm_t description  [Nikos Mavrogiannopoulos, 2019-07-22, 1 file, -6/+8]
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Align _gnutls_x86_cpuid_s as OPENSSL_ia32cap_P would be  [Nikos Mavrogiannopoulos, 2019-06-27, 1 file, -0/+1]
|   We were not setting the third array member correctly, though this didn't have any impact to previous implementations as they did not rely on it. This also moves away from the custom implementation of cpuid (which was limited), and we now rely on the compiler's version.
|   This effectively enables support for SHA_NI.
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* lib: add support for gnutls_hash_copy()  [Dmitry Eremin-Solenikov, 2019-06-26, 2 files, -0/+3]
|   Add gnutls_hash_copy() function for copying message digest context.
|   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* api: add gnutls_hmac_copy() function  [Dmitry Eremin-Solenikov, 2019-06-26, 2 files, -0/+3]
|   Add gnutls_hmac_copy() API to duplicate MAC handler state, which is necessary for SMB3 support.
|   Resolves: #787
|   Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* updated auto-generated files  [Nikos Mavrogiannopoulos, 2019-06-20, 2 files, -0/+3]
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* config: added ability to override and mark algorithms as disabled  [Nikos Mavrogiannopoulos, 2019-06-20, 4 files, -2/+163]
|   This allows the system administrator or the distributor to use the gnutls configuration file to mark hashes, signature algorithms, TLS versions, curves, groups, ciphers, KX, and MAC algorithms as insecure (the last four only in the context of a TLS session). It also allows to set a minimum profile which the applications cannot fall below.
|   The options intentionally do not allow marking algorithms as secure so that the configuration file cannot be used as an attack vector. This change also makes sure that unsupported and disabled protocols during compile time (e.g., SSL3.0), do not get listed by gnutls-cli.
|   The configuration file feature can be disabled at compile time with an empty --with-system-priority-file.
|   This patch introduces the function gnutls_get_system_config_file() allowing applications to check whether a configuration file was used.
|   Resolves: #587
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: updated p11-kit links [ci skip]  [Nikos Mavrogiannopoulos, 2019-06-16, 3 files, -4/+4]
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc: do not distribute pdf files  [Nikos Mavrogiannopoulos, 2019-05-28, 1 file, -2/+2]
|   It complicates the 'make dist' phase and does not add much value as the files are available from the web site.
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* minor updates in the latex version of the manual [ci skip]  [Nikos Mavrogiannopoulos, 2019-05-27, 6 files, -6/+15]
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Add plumbing to handle Q parameter in DH exchanges  [Simo Sorce, 2019-05-23, 3 files, -0/+8]
|   Signed-off-by: Simo Sorce <simo@redhat.com>
* Added profile to correspond to the future security parameter  [Nikos Mavrogiannopoulos, 2019-05-20, 1 file, -1/+1]
|   It seems that the FUTURE security level parameter was added without a corresponding verification profile. This patch addresses the issue by introducing it.
|   Resolves: #770
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Check all memory allocation in examples and certtool (tmp-check-allocations)  [Nikos Mavrogiannopoulos, 2019-05-14, 3 files, -0/+5]
|   Resolves: #739
|   Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* ext/record_size_limit: distinguish sending and receiving limits (tmp-record-sizes)  [Daiki Ueno, 2019-05-14, 2 files, -0/+3]
|   The previous behavior was that both sending and receiving limits are negotiated to be the same value. It was problematic when:
|   - client sends a record_size_limit with a large value in CH
|   - server sends a record_size_limit with a smaller value in EE
|   - client updates the limit for both sending and receiving, upon receiving EE
|   - server sends a Certificate message larger than the limit
|   With this patch, each peer maintains the sending / receiving limits separately so not to confuse with the contradicting settings.
|   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* prf: add function to retrieve early keying material  [Daiki Ueno, 2019-04-19, 2 files, -0/+3]
|   This adds a new function gnutls_prf_early, which shall be called in a handshake hook waiting for GNUTLS_HANDSHAKE_CLIENT_HELLO.
|   The test needs to be run in a datefudge wrapper as the early secrets depend on the current time (through PSK).
|   Signed-off-by: Daiki Ueno <dueno@redhat.com>