| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
This adds a couple of configure options, --with-fips140-module-name
and --with-fips140-module-version, which packagers can use to embed
FIPS module information in the library.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\
| |
| |
| |
| |
| |
| | |
pkcs12: use the correct MAC algorithm for GOST key generation
Closes #1225
See merge request gnutls/gnutls!1514
|
| | |
| |
| |
| |
| |
| |
| | |
According to the latest TC-26 requirements, the MAC algorithm used for
PBKDF2 should always be HMAC_GOSTR3411_2012_512.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\ \
| |/
|/|
| |
| | |
Minor build fixes before the 3.7.3 release
See merge request gnutls/gnutls!1511
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Spotted by GCC analyzer:
common.c:552:17: warning: use of NULL 'out.data' where non-null expected [CWE-476] [-Wanalyzer-null-argument]
552 | memcpy(output_data, out.data, (size_t) out.size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When compiled with gcc -fanalyzer, it reports:
cert.c: In function '_gnutls_pcert_to_auth_info':
cert.c:85:17: error: dereference of NULL 'info' [CWE-476] [-Werror=analyzer-null-dereference]
85 | if (info->raw_certificate_list != NULL) {
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\ \
| |/
|/|
| |
| | |
accelerated: fix CPU feature detection for Intel CPUs
See merge request gnutls/gnutls!1487
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes read_cpuid_vals to correctly read the CPUID quadruple, as
well as to set the bit the ustream CRYPTOGAMS uses to identify Intel
CPUs.
Suggested by Rafael Gieschke in:
https://gitlab.com/gnutls/gnutls/-/issues/1282
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| |
| |
| |
| | |
Otherwise it clears _gnutls_x86_cpuid_s which may already hold valid
CPUID detected for Intel and AMD CPUs.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\ \
| | |
| | |
| | |
| | | |
certtool: --to-p12: use modern algorithms by default
See merge request gnutls/gnutls!1499
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | | |
| | |
| | |
| | |
| | | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Pedro Monreal <pmonrealgonzalez@suse.de>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This installs service indicator state transitions in certain public
key operations in gnutls_crypto_pk_st, namely:
* fallible operations
- encrypt
- sign
- generate_keys
- derive
* infallible operations
- decrypt, decrypt2
- verify
other operations, such as generate_params, are not considered as
crypto operation. Note that fallible operations above mean that those
return value could indicate error, while infallible operations do not
have distinction between errors and failures: decrypt/verify failures
are treated as a successful completion of the operation.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Pedro Monreal <pmonrealgonzalez@suse.de>
|
| |/ /
| |
| |
| | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |/
|
|
| |
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
|
| |\
| |
| |
| |
| | |
wrap_nettle_hash_fast: avoid calling _update with zero-length input
See merge request gnutls/gnutls!1503
|
| | |
| |
| |
| |
| |
| |
| | |
As Nettle's hash update functions internally call memcpy, providing
zero-length input may cause undefined behavior.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\ \
| |/
|/|
| |
| | |
gnutls_{hash,hmac}_copy: mention the functions do not always work
See merge request gnutls/gnutls!1502
|
| | |
| |
| |
| |
| |
| |
| |
| | |
It is known that some built-in accelerated implementation, such as
AF_ALG, does not support copying hash/hmac contexts. This expands the
documentation to suggest checking the return value of those functions.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\ \
| | |
| | |
| | |
| | | |
ktls: API
See merge request gnutls/gnutls!1477
|
| | | |
| | |
| | |
| | |
| | |
| | | |
ktls enum flags API
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
ktls is enabled by default, we can check if inicialization was
succesfull with gnutls_transport_is_ktls_enabled
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |/ /
| |
| |
| |
| |
| | |
Mirrors https://gitlab.com/gnutls/gnutls/-/merge_requests/1466
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| | |
This eliminates the need of precalculating the payload size, to make
it easier to adapt to new format.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |/
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |
|
|
| |
Signed-off-by: Ander Juaristi <a@juaristi.eus>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit implements import and export functions for the X.509
Certificate Transparency Signed Certificate Timestamp (SCT) extension
(RFC 6962).
A new constant GNUTLS_X509EXT_OID_CT_SCT is introduced
with the value "1.3.6.1.4.1.11129.2.4.2".
The following new public API functions are introduced:
- gnutls_x509_ext_ct_scts_init
- gnutls_x509_ext_ct_scts_deinit
- gnutls_x509_ext_ct_import_scts
- gnutls_x509_ext_ct_export_scts
- gnutls_x509_ct_sct_get_version
- gnutls_x509_ct_sct_get
Signed-off-by: Ander Juaristi <a@juaristi.eus>
|
| |\
| |
| |
| |
| |
| |
| | |
priority: support allowlisting in configuration file
Closes #1172
See merge request gnutls/gnutls!1427
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds a new mode of interpreting the [overrides] section. If
"override-mode" is set to "allowlisting" in the [global] section, all
the algorithms (hashes, signature algorithms, curves, and versions)
are initially marked as insecure/disabled. Then the user can enable
them by specifying allowlisting keywords such as "secure-hash" in the
[overrides] section.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds the following refactoring:
- avoid side-effects during parsing the config file, by separating
application phase; the parsed configuration can be applied globally
with cfg_apply, after validation
- make _gnutls_*_mark_{disabled,insecure} take an ID instead of the
name
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| | |
Signed-off-by: Evgeny Grin <k2k@narod.ru>
|
| |/
|
|
| |
Signed-off-by: Evgeny Grin <k2k@narod.ru>
|
| |
|
|
|
|
|
| |
As the library now uses static mutexes, rwlocks, and onces, it doesn't
make much sense to only replace dynamic mutex usage.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |
|
|
|
|
|
|
|
|
| |
This makes sure that the global variables are initialized only once.
Most of those variables are initialized at ELF constructor, though a
couple of occasions they are initialized on-demand: the global keylog
file pointer and TPM2 TCTI context. To properly protect the
initialization this patch uses gl_once provided by Gnulib.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |
|
|
|
|
|
| |
Remove GNUTLS_STATIC_RWLOCK_*LOCK macros and respect return values of
rwlock primitives.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |
|
|
|
|
|
| |
As Gnulib provides portability wrappers of mutex implementations, we
don't need to provide similar wrappers by ourselves.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |
|
|
|
|
|
|
|
|
| |
This introduces transparent loading of TPM2 keys which are in PEM
form by gnutls_privkey_import_x509_raw() and higher level functions
which wrap it.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Co-authored-by: David Woodhouse <dwmw2@infradead.org>
Co-authored-by: Daiki Ueno <ueno@gnu.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous reloading logic relied on the existence of [priority]
section (in the initial loading) as an indicator whether the file is
loaded. This didn't work well in the following cases:
- when the section didn't exist initially and then is added later
- when the section existed initially and then is removed later
To handle these cases, this change adds a new flag
system_priority_file_loaded which can be used together with the mtime
check.
This also adds an rwlock to protect global configuration.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |
|
|
|
|
|
|
| |
This reverts commit 890c6937a3cfb4a0704bc815324221ec4cb89840.
Considering the entire logic around reloading the config file, the fix
was suboptimal.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
_gnutls_update_system_priorities is called from gnutls_priority_set*
functions every time when the SYSTEM keyword is used and updates a
global variable system_wide_priority_strings if the configuration
changes. Although the critical path is protected with mtime check, it
should also hold a lock to avoid occasional race condition in
multi-thread programs. This also clears
system_wide_priority_strings_init upon unloading and before reloading
the config file (thanks to Alexander Sosedkin).
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |
|
|
| |
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
|
| |
|
|
| |
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ktls enables us to offload encryption/decryption to the kernel
prerequisites:
- configured with `--enable-ktls`
- tls module `modprobe tls` check with 'lsmod | grep tls'
- per connection:
gnutls_transport_set_int{2} must be set
When prerequisities are met then ktls is used by default.
If GnuTLS encounters a error during KTLS initialization, it will
not use ktls and fallback to userspace.
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
