path: root/doc

Commit message | Author | Age | Files | Lines

* global: add API to retrieve library configuration at run time
  Daiki Ueno | 2022-01-16 | 2 files | -0/+3
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* doc: generate man-pages from JSON
  Daiki Ueno | 2022-01-15 | 3 files | -47/+441
  This replaces man-pages generation previously provided by the autogen -Tagman.tpl command with a Python script (gen-cmd-man.py).
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* doc: generate texinfo files from JSON
  Daiki Ueno | 2022-01-15 | 27 files | -174/+1418
  This replaces texinfo generation previously provided by the autogen -Tagtexi.tpl command with a Python script (gen-cmd-texi.py).
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* fips: add functions to inspect thread-local FIPS operation state
  Daiki Ueno | 2022-01-07 | 3 files | -0/+40
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* Fix gtk-doc build, use http URI in sgml master.
  Andreas Metzler | 2022-01-06 | 1 file | -1/+1
  Signed-off-by: Andreas Metzler <ametzler@bebt.de>

* doc: updated copyrights for 2022
  Alon Bar-Lev | 2022-01-02 | 1 file | -2/+2
  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

* KTLS: API
  Frantisek Krenzelok | 2021-12-15 | 2 files | -0/+3
  ktls is enabled by default, we can check if initialization was successful with gnutls_transport_is_ktls_enabled
  Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>

* Update symbols [branch: aja-certificate-transparency]
  Ander Juaristi | 2021-12-04 | 2 files | -0/+18
  Signed-off-by: Ander Juaristi <a@juaristi.eus>

* priority: support allowlisting in configuration file
  Daiki Ueno | 2021-11-29 | 3 files | -2/+95
  This adds a new mode of interpreting the [overrides] section. If "override-mode" is set to "allowlisting" in the [global] section, all the algorithms (hashes, signature algorithms, curves, and versions) are initially marked as insecure/disabled. Then the user can enable them by specifying allowlisting keywords such as "secure-hash" in the [overrides] section.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
  Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>

* gnutls_early_{cipher,prf_hash}_get: new functions
  Daiki Ueno | 2021-05-13 | 2 files | -0/+6
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* global: rename GNUTLS_NO_EXPLICIT_INIT to GNUTLS_NO_IMPLICIT_INIT
  Daiki Ueno | 2021-05-03 | 1 file | -1/+1
  The old envvar still has effect but has been marked as deprecated.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* priority: add option to disable TLS 1.3 middlebox compatibility mode
  Daiki Ueno | 2021-04-17 | 1 file | -0/+4
  This adds a new option %DISABLE_TLS13_COMPAT_MODE to disable TLS 1.3 compatibility mode at run-time.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* build: doc: install missing image file gnutls-crypto-layers.png
  Andreas Metzler | 2021-03-20 | 1 file | -0/+1
  Signed-off-by: Andreas Metzler <ametzler@bebt.de>

* examples: avoid memory leak in ex-verify
  Daiki Ueno | 2021-03-15 | 1 file | -1/+6
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* examples: avoid memory leak in tlsproxy
  Daiki Ueno | 2021-03-15 | 1 file | -0/+8
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* build: don't remove distributed stamp files on "make clean"
  Daiki Ueno | 2021-02-17 | 1 file | -4/+1
  Those files are created by the maintainers and should remain after "make clean" when the distribution tarball is used.
  Reported by christian wagner in: https://gitlab.com/gnutls/gnutls/-/issues/1088
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* doc: Add some missing algorithm keywords to priority string table
  Dosenpfand | 2021-02-07 | 1 file | -85/+87
  Signed-off-by: Markus Gasser <m@sad.bz>

* Update year of copyright notices in doc/gnutls.texi
  Fiona Klute | 2021-01-07 | 1 file | -2/+2
  Static analysis in CI checks if this is up to date, and fails if not. This fixes the failure.
  Signed-off-by: Fiona Klute <fiona.klute@gmx.de>

* alert: add callback to intercept alert messages
  Daiki Ueno | 2020-11-19 | 2 files | -0/+3
  This adds gnutls_alert_set_read_function(), to allow QUIC implementations to be notified when an alert message is sent.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* handshake: add callback to get notified with traffic secret change
  Daiki Ueno | 2020-11-19 | 2 files | -0/+3
  For the use with QUIC, the change of traffic secrets must be notified _after_ a new epoch is set up for reading or writing, and we can't simply reuse the keylog mechanism.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* handshake: add functions to read/write handshake messages directly
  Daiki Ueno | 2020-11-19 | 2 files | -0/+7
  This adds a couple of functions, gnutls_handshake_set_read_function() and gnutls_handshake_write(), to allow QUIC implementations to directly interact with the TLS state machine.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* Adds a new API gnutls_session_set_verify_output_function() that allows TLS applications to have a way to pass the gnutls_verify_output_function() as a callback so that the full path of the certificate chain to the trusted root can be available as output.
  Sahana Prasad | 2020-11-10 | 2 files | -0/+3
  Signed-off-by: Sahana Prasad <sahana@redhat.com>

* doc/examples/ex-ocsp-client.c: check malloc return value
  Daiki Ueno | 2020-10-18 | 1 file | -0/+4
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* src/cli: adds new option '--ca-auto-retrieve' that can be used with gnutls-cli to automatically download missing intermediate CAs in a certificate chain
  Sahana Prasad | 2020-09-02 | 2 files | -0/+6
  lib/cred-cert.c : adds set and get APIs to get user data in the gnutls_x509_trust_list_set_getissuer_function() callback.
  Signed-off-by: Sahana Prasad <sahana@redhat.com>

* doc: assorted typo fixes [branch: tmp-typo-fixes]
  Daiki Ueno | 2020-08-12 | 5 files | -6/+6
  Spotted by codespell.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* dhe: check if DH params in SKE match the FIPS approved algorithms [branch: tmp-sp800-56ar3]
  Daiki Ueno | 2020-06-27 | 24 files | -0/+313
  SP800-56A rev. 3 restricts the FIPS compliant clients to use only approved DH parameters, defined in RFC 7919 and RFC 3526. This adds a check in the handling of ServerKeyExchange if DHE is negotiated.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* devel/libgnutls-latest-x86_64.abi, doc, NEWS, and manpage updates
  Sahana Prasad | 2020-06-03 | 2 files | -0/+3
  Signed-off-by: Sahana Prasad <sahana@redhat.com>

* Merge branch 'tmp-fileio' into 'master'
  Daiki Ueno | 2020-05-30 | 2 files | -6/+6
  lib: improve external file loading
  See merge request gnutls/gnutls!1261

* build: write "FILE *fp" instead of "FILE *fd" [branch: tmp-fileio]
  Daiki Ueno | 2020-05-30 | 1 file | -5/+5
  This makes it clear that "fd" is not a file descriptor but a FILE pointer.
  Suggested by Tim Rühsen.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* gnulib: update git submodule
  Daiki Ueno | 2020-05-29 | 1 file | -1/+1
  This brings in the new fopen-gnu module and the RF_SENSITIVE flag for fread_file and read_file. This also adds the following changes to be consistent with the latest changes in Gnulib:
  - the callers of fread_file and read_file to be adjusted for the FLAGS argument
  - "attribute.h" needs to be used extensively
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* fips: make FIPS140-2 mode enablement logic simpler
  Daiki Ueno | 2020-05-20 | 1 file | -4/+18
  Previously, to enable the FIPS140-2 mode, both /etc/system-fips and the fips=1 kernel command line need to be set. While this was designed to be consistent, the convention is not well followed by the other crypto libraries and the former tends to be ignored. This aligns the behavior to the latter, i.e. if fips=1 is set, the library enables the FIPS140-2 mode regardless of the existence of /etc/system-fips.
  Suggested by Alexander Sosedkin.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* pkcs7: add function to display signature information
  Dmitry Baryshkov | 2020-05-14 | 2 files | -0/+3
  Basically export print_pkcs7_info() in a way usable by external applications.
  Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

* gnutls_ext_get_name2: new function
  Daiki Ueno | 2020-04-21 | 2 files | -0/+3
  This adds a generalized version of gnutls_ext_get_name, which can retrieve the name of the extension, even if it is registered per session.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* Merge branch 'tmp-get-keylog-func' into 'master'
  Daiki Ueno | 2020-03-25 | 2 files | -0/+3
  gnutls_session_get_keylog_function: new function
  See merge request gnutls/gnutls!1220

* gnutls_session_get_keylog_function: new function [branch: tmp-get-keylog-func]
  Daiki Ueno | 2020-03-22 | 2 files | -0/+3
  This adds a way to retrieve the keylog function set by gnutls_session_set_keylog_function() to allow application protocols to implement custom logging facility.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* psk: Allow non-NULL PSK usernames
  Ander Juaristi | 2020-03-23 | 2 files | -0/+12
  This commit closes #586.
  Two new functions are introduced: gnutls_psk_server_get_username2() and gnutls_psk_set_client_username2(), which are identical in behavior to those named similarly (without the final '2'), but allow arbitrary gnutls datums (not strings) to be used as usernames.
  Two new callback functions are also introduced, with their respective setters: gnutls_psk_set_server_credentials_function2() and gnutls_psk_set_client_credentials_function2().
  In addition, the password file format is extended so that non-string usernames can be specified. A leading '#' character tells GnuTLS that the username should be interpreted as a raw byte string (encoded in HEX). Example:
  #deadbeef:9e32cf7786321a828ef7668f09fb35db
  Signed-off-by: Ander Juaristi <a@juaristi.eus>

* state: add function to get the current hash algorithm [branch: tmp-prf-get]
  Daiki Ueno | 2020-03-19 | 2 files | -0/+3
  This is particularly useful when the application applies key derivation function by itself with the same underlying hash algorithm as the session.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* keylogfile: simplify the callback mechanism [branch: tmp-keylog-func]
  Daiki Ueno | 2020-02-22 | 2 files | -4/+3
  This partially reverts commit 97117556 with a simpler interface. The original intention of having the callback mechanism was to reuse it for monitoring QUIC encryption changes. However, it turned out to be insufficient because such changes must be emitted after a new epoch is ready.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* keylogfile: generalize with a callback [branch: tmp-keylog-hook]
  Daiki Ueno | 2020-02-07 | 2 files | -0/+4
  This refactors the keylogfile mechanism by adding a callback to get notified when a new secret is derived and installed. That way, consumers can implement custom logging feature per session, which is particularly useful in QUIC implementation.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* crypto-api: add generic crypto functions for KDF
  Daiki Ueno | 2020-02-04 | 2 files | -0/+9
  This exposes HKDF and PBKDF2 functions from the library. Instead of defining a single KDF interface as in PKCS #11, this patch defines 3 distinct functions for HKDF-Extract, HKDF-Expand, and PBKDF2 derivation, so that we can take advantage of compile time checking of necessary parameters.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* algorithms: implement X448 key exchange and Ed448 signature scheme
  Daiki Ueno | 2020-01-23 | 6 files | -3/+91
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* Merge branch 'override-default-priority' into 'master'
  Nikos Mavrogiannopoulos | 2020-01-13 | 1 file | -0/+16
  libgnutls: Add system-wide default-priority-string override.
  See merge request gnutls/gnutls!1158

* libgnutls: Add system-wide default-priority-string override.
  Dimitri John Ledkov | 2020-01-13 | 1 file | -0/+16
  Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>

* Merge branch 'gost-priorities' into 'master'
  Dmitry Eremin-Solenikov | 2020-01-12 | 2 files | -7/+28
  Extend GOST priority settings and documentation
  See merge request gnutls/gnutls!1160

* priority: add new GOST-ALL shortcut
  Dmitry Eremin-Solenikov | 2020-01-10 | 1 file | -0/+5
  Add GOST-ALL as an alias for CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL and GROUP-GOST-ALL.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* priority: add more GOST shortcuts
  Dmitry Eremin-Solenikov | 2020-01-09 | 1 file | -3/+6
  Add shortcuts for GOST ciphers, MACs and KXes. For now they contain only one item, but this list will be expanded as support for GOST-CTR-ACPKM ciphersuites will be added.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* lib/priority: add SIGN-GOST-ALL keyword
  Dmitry Eremin-Solenikov | 2020-01-09 | 1 file | -0/+1
  Add SIGN-GOST-ALL keyword containing all defined GOST signature algorithms.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* doc: document GOST priority options
  Dmitry Eremin-Solenikov | 2020-01-08 | 1 file | -4/+5
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* doc: document GOST cipher and MAC algorithms
  Dmitry Eremin-Solenikov | 2020-01-08 | 1 file | -0/+11
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* doc: clarify thread safeness in gnutls_global_init()
  Nikos Mavrogiannopoulos | 2020-01-09 | 1 file | -1/+3
  This documents and clarifies the thread safeness of gnutls_global_init() and its constraints.
  Resolves: #900
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>