| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
| |
This replaces man-pages generation previously provided by the autogen
-Tagman.tpl command with a Python script (gen-cmd-man.py).
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
| |
This replaces texinfo generation previously provided by the autogen
-Tagtexi.tpl command with a Python script (gen-cmd-texi.py).
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
|
|
|
|
| |
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
|
|
|
|
|
|
|
| |
ktls is enabled by default, we can check if inicialization was
succesfull with gnutls_transport_is_ktls_enabled
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
|
|
| |
Signed-off-by: Ander Juaristi <a@juaristi.eus>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a new mode of interpreting the [overrides] section. If
"override-mode" is set to "allowlisting" in the [global] section, all
the algorithms (hashes, signature algorithms, curves, and versions)
are initially marked as insecure/disabled. Then the user can enable
them by specifying allowlisting keywords such as "secure-hash" in the
[overrides] section.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
| |
The old envvar still has effect but has been marked as deprecated.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
| |
This adds a new option %DISABLE_TLS13_COMPAT_MODE to disable TLS 1.3
compatibility mode at run-time.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
|
| |
Those files are created by the maintainers and should remain after
"make clean" when the distribution tarball is used.
Reported by christian wagner in:
https://gitlab.com/gnutls/gnutls/-/issues/1088
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Markus Gasser <m@sad.bz>
|
|
|
|
|
|
|
| |
Static analysis in CI checks if this is up to date, and fails if
not. This fixes the failure.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
|
|
|
|
|
|
|
| |
This adds gnutls_alert_set_read_function(), to allow QUIC
implementations to be notified when an alert message is sent.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
| |
For the use with QUIC, the change of traffic secrets must be notified
_after_ a new epoch is set up for reading or writing, and we can't
simply reuse the keylog mechanism.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
| |
This adds a couple of functions, gnutls_handshake_set_read_function()
and gnutls_handshake_write(), to allow QUIC implementations to
directly interact with the TLS state machine.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
| |
applications
to have a way to pass the gnutls_verify_output_function() as a callback so that the full
path of the certificate chain to the trusted root can be avaiable as output.
Signed-off-by: Sahana Prasad <sahana@redhat.com>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
|
| |
gnutls-cli to
automatically download missing intermediate CAs in a certificate chain
lib/cred-cert.c : adds set and get APIs to get user data in the
gnutls_x509_trust_list_set_getissuer_function() callback.
Signed-off-by: Sahana Prasad <sahana@redhat.com>
|
|
|
|
|
|
| |
Spotted by codespell.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
| |
SP800-56A rev. 3 restricts the FIPS compliant clients to use only
approved DH parameters, defined in RFC 7919 and RFC 3526. This adds a
check in the handling of ServerKeyExchange if DHE is negotiated.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Sahana Prasad <sahana@redhat.com>
|
|\
| |
| |
| |
| | |
lib: improve external file loading
See merge request gnutls/gnutls!1261
|
| |
| |
| |
| |
| |
| |
| | |
This makes it clear that "fd" is not a file descriptor but a FILE
pointer. Suggested by Tim Rühsen.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This brings in the new fopen-gnu module and the RF_SENSITIVE flag for
fread_file and read_file. This also adds the following changes to be
consistent with the latest changes in Gnulib:
- the callers of fread_file and read_file to be adjusted for the FLAGS
argument
- "attribute.h" needs to be used extensively
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, to enable the FIPS140-2 mode, both /etc/system-fips and
the fips=1 kernel command line need to be set. While this was
designed to be consistent, the convention is not well followed by the
other crypto libraries and the former tends to be ignored. This
aligns the behavior to the latter, i.e. if fips=1 is set, the library
enables the FIPS140-2 mode regardless of the existence of
/etc/system-fips.
Suggested by Alexander Sosedkin.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
| |
Basically export print_pkcs7_info() in a way usable by external
applications.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|
|
|
|
|
|
|
| |
This adds a generalized version of gnutls_ext_get_name, which can
retrieve the name of the extension, even if it is registered per
session.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\
| |
| |
| |
| | |
gnutls_session_get_keylog_function: new function
See merge request gnutls/gnutls!1220
|
| |
| |
| |
| |
| |
| |
| |
| | |
This adds a way to retrieve the keylog function set by
gnutls_session_set_keylog_function() to allow application protocols to
implement custom logging facility.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit closes #586.
Two new functions are introduced: gnutls_psk_server_get_username2()
and gnutls_psk_set_client_username2(), which are identical in behavior
to those named similarly (without the final '2'), but allow arbitrary
gnutls datums (not strings) to be used as usernames.
Two new callback functions are also introduced, with their respective
setters: gnutls_psk_set_server_credentials_function2() and
gnutls_psk_set_client_credentials_function2().
In addition, the password file format is extended so that non-string
usernames can be specified. A leading '#' character tells GnuTLS that the
username should be interpreted as a raw byte string (encoded in HEX).
Example:
#deadbeef:9e32cf7786321a828ef7668f09fb35db
Signed-off-by: Ander Juaristi's avatarAnder Juaristi <a@juaristi.eus>
|
|
|
|
|
|
|
|
| |
This is particularly useful when the application applies key
derivation function by itself with the same underlying hash algorithm
as the session.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This partially reverts commit 97117556 with a simpler interface. The
original intention of having the callback mechanism was to reuse it
for monitoring QUIC encryption changes. However, it turned out to be
insufficient because such changes must be emitted after a new epoch is
ready.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This refactors the keylogfile mechanism by adding a callback to get
notified when a new secret is derived and installed. That way,
consumers can implement custom logging feature per session, which is
particularly useful in QUIC implementation.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This exposes HKDF and PBKDF2 functions from the library. Instead of
defining a single KDF interface as in PKCS #11, this patch defines 3
distinct functions for HKDF-Extract, HKDF-Expand, and PBKDF2
derivation, so that we can take advantage of compile time checking of
necesssary parameters.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\
| |
| |
| |
| | |
libgnutls: Add system-wide default-priority-string override.
See merge request gnutls/gnutls!1158
|
| |
| |
| |
| | |
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
|
|\ \
| |/
|/|
| |
| | |
Extend GOST priority settings and documentation
See merge request gnutls/gnutls!1160
|
| |
| |
| |
| |
| |
| |
| | |
Add GOST-ALL as an alias for CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL,
SIGN-GOST-ALL and GROUP-GOST-ALL.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Add shortcuts for GOST ciphers, MACs and KXes. For now they contain only
one item, but this list will be expanded as support for GOST-CTR-ACPKM
ciphersuites will be added.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |
| |
| |
| |
| |
| |
| | |
Add SIGN-GOST-ALL keyword containing all defined GOST signature
algorithms.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|/
|
|
|
|
|
|
|
| |
This documents and clarifies the thread safeness of gnutls_global_init()
and its constraints.
Resolves: #900
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|