path: root/m4
Commit message | Author | Age | Files | Lines
* Release 3.7.3 | Daiki Ueno | 2022-01-18 | 1 | -2/+2
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* ktls: basic implementation of SW mode | Hedgehog5040 | 2021-10-19 | 1 | -0/+18
    ktls enables us to offload encryption/decryption to the kernel
    prerequisites:
    - configured with `--enable-ktls`
    - tls module `modprobe tls` check with 'lsmod | grep tls'
    - per connection: gnutls_transport_set_int{2} must be set

    When prerequisites are met then ktls is used by default.
    If GnuTLS encounters an error during KTLS initialization, it will
    not use ktls and fall back to userspace.

    Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
* Release 3.7.2 | Daiki Ueno | 2021-05-29 | 1 | -3/+3
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* build: require libkcapi 1.3.0 or later if --enable-afalg | Daiki Ueno | 2021-05-28 | 1 | -1/+1
    The libkcapi 1.3.0 brings a couple of changes needed for GnuTLS:
    * fix: remove prctl PR_SET_DUMPABLE to allow library to be debugged
    * fix: ensure that sendmsg is always used as fallback when vmsplice cannot be used

    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* afalg: use pkg-config to detect libkcapi | Daiki Ueno | 2021-04-23 | 1 | -0/+3
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Add AF_ALG acceleration | Stephan Mueller | 2021-04-20 | 1 | -0/+12
    The patch set adds the backend implementation to use the Linux kernel
    crypto API via the AF_ALG interface.

    The GnuTLS AF_ALG extension uses libkcapi [1] as the backend library
    which implements the actual kernel communication.

    [1] http://www.chronox.de/libkcapi.html

    The symmetric cipher support, the hashing and the MAC support are
    validated to work correctly using NIST CAVS test vectors.

    The AEAD cipher support was tested by connecting to a remote host using
    gnutls-cli (the following log strips out unrelated information):

    Processed 143 CA certificate(s).
    ...
    - Certificate type: X.509
    - Got a certificate list of 1 certificates.
    - Certificate[0] info:
    ...
    - Description: (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA512)-(AES-256-GCM)
    - Session ID: 9E:5E:FC:09:2A:4E:2A:3D:22:44:68:42:C3:F6:2D:AB:F9:67:08:CE:6D:EE:E4:A2:EF:80:43:FE:3B:D9:1E:FE
    - Ephemeral EC Diffie-Hellman parameters
     - Using curve: SECP384R1
     - Curve size: 384 bits
    - Version: TLS1.2
    - Key Exchange: ECDHE-RSA
    - Server Signature: RSA-SHA512
    - Cipher: AES-256-GCM
    - MAC: AEAD
    - Options: extended master secret, safe renegotiation,
    - Handshake was completed

    - Simple Client Mode:

    Signed-off-by: Stephan Mueller <smueller@chronox.de>
    Co-authored-by: Daiki Ueno <ueno@gnu.org>
    Co-authored-by: Hedgehog5040 <krenzelok.frantisek@gmail.com>
* Release 3.7.1 [3.7.1] | Daiki Ueno | 2021-03-10 | 1 | -1/+1
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Release 3.7.0 [3.7.0] | Daiki Ueno | 2020-12-02 | 1 | -2/+2
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* build: hard require nettle 3.6 | Daiki Ueno | 2020-11-04 | 1 | -1/+1
    This allows us to remove several backports, including XTS, CFB8,
    raw-ChaCha, CMAC64, Curve448, and the GOST curves and hashes.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Release 3.6.14 [ci skip] | Daiki Ueno | 2020-06-03 | 1 | -2/+2
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* bumped version | Nikos Mavrogiannopoulos | 2020-03-30 | 1 | -3/+3
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* hooks.m4: bumped so-version | Nikos Mavrogiannopoulos | 2020-02-01 | 1 | -1/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* x509: do not tolerate invalid DER time | Nikos Mavrogiannopoulos | 2019-12-26 | 1 | -0/+14
    This effectively reverts !400 and ensures that we no longer tolerate
    invalid DER time. This complements the previous commit by Lili Quan and
    ensures we provide the --disable-strict-der-time backwards compatibility
    option.

    Resolves: #207

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* bumped version | Nikos Mavrogiannopoulos | 2019-11-29 | 1 | -1/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* bumped versions [gnutls_3_6_10] | Nikos Mavrogiannopoulos | 2019-09-29 | 1 | -2/+2
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* maint: Include Guile's M4 macros. | Ludovic Courtès | 2019-09-05 | 1 | -0/+394
    This ensures 'GUILE_PKG' & co. behaves as we want. Previously we had
    a problem in CI when using 'guile.m4' coming from potentially old distro
    packages, as discussed in issue !1020:

    https://gitlab.com/gnutls/gnutls/merge_requests/1020#note_194443890

    * m4/guile.m4: New file, from Guile's 'stable-2.2' branch, commit
      9846178c69445142ef0b9432417453d2d4de6635.
    * .x-sc_prohibit_test_minus_ao: New file.

    Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* bumped version for 3.6.9 [gnutls_3_6_9] | Nikos Mavrogiannopoulos | 2019-07-25 | 1 | -2/+2
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* bumped version [tmp-version-override] | Nikos Mavrogiannopoulos | 2019-05-24 | 1 | -3/+3
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Revert "bumped version" | Nikos Mavrogiannopoulos | 2019-05-23 | 1 | -3/+3
    In order to make the CI functional again. The version number update
    seems to conflict with tests/tls13/prf-early.sh

    This reverts commit d34d93b8713cf10235ce7016fd69b6932b0752c0.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* bumped version | Nikos Mavrogiannopoulos | 2019-05-23 | 1 | -3/+3
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* bumped version | Nikos Mavrogiannopoulos | 2019-03-26 | 1 | -1/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Use https:// in lib/, src/, and m4/ | Tim Rühsen | 2019-03-13 | 1 | -1/+1
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Use https:// for www.gnu.org and www.example.com | Tim Rühsen | 2019-03-13 | 1 | -1/+1
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Update ax_code_coverage.m4 to latest release of autoconf-archive [tmp-update-ax-code-coverage] | Tim Rühsen | 2019-02-22 | 7 | -151/+414
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* bumped versions | Nikos Mavrogiannopoulos | 2019-01-25 | 1 | -1/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Implemented support for raw public-key functionality (RFC7250). | Tom Vrancken | 2018-12-15 | 1 | -6/+6
    Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* Fix error message on old or missing nettle. | Andreas Metzler | 2018-12-01 | 1 | -4/+5
    Signed-off-by: Andreas Metzler <ametzler@bebt.de>
* released 3.4.1 [gnutls_3_6_5] | Nikos Mavrogiannopoulos | 2018-12-01 | 1 | -2/+2
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* bumped version | Nikos Mavrogiannopoulos | 2018-11-30 | 1 | -2/+2
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* bumped versions and updated NEWS file | Nikos Mavrogiannopoulos | 2018-09-24 | 1 | -2/+2
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Enable the TLS1.3 protocol by default | Nikos Mavrogiannopoulos | 2018-09-24 | 1 | -15/+0
    As the protocol has been finalized, and the implementation is stable
    and interoperable, there is no need to enable it conditionally.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* bumped versions | Nikos Mavrogiannopoulos | 2018-07-14 | 1 | -3/+3
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* The SSL 3.0 protocol is disabled on compile time by default | Nikos Mavrogiannopoulos | 2018-07-13 | 1 | -4/+5
    It can be re-enabled by specifying --enable-ssl3-support on configure
    script. This is the first step before removing support for the protocol
    completely.

    Relates #103

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* configure: Fix progress message for --enable-tls13-support | Andreas Metzler | 2018-07-07 | 1 | -2/+2
    Signed-off-by: Andreas Metzler <ametzler@bebt.de>
* configure: added option --enable-tls13-support | Nikos Mavrogiannopoulos | 2018-07-07 | 1 | -0/+15
    The new option enables TLS1.3 draft-28 support unconditionally. Updated
    the test suite to run when TLS1.3 is enabled by default, and added a CI
    run with TLS1.3 enabled.

    Resolves #424

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Add configure argument to disable GOST support | Dmitry Eremin-Solenikov | 2018-06-23 | 1 | -0/+14
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Add bootstrap + bootstrap.conf | Tim Rühsen | 2018-06-14 | 5 | -561/+0
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* nettle: require Nettle library >= 3.4 | Dmitry Eremin-Solenikov | 2018-06-13 | 1 | -3/+3
    Nettle version 3.4 was released more than a half year ago, require it to
    compile GnuTLS library. It allows us to remove bundled code that was
    merged into that release.

    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* TLS 1.3: Introduced TLS 1.3 session resumption | Ander Juaristi | 2018-05-26 | 1 | -16/+0
    This introduces session resumption under TLS 1.3. For that, it enables
    the psk_ke_modes extension when we enable session tickets. It enables
    sending session tickets in addition to PSK usernames. The detection of
    resumption vs pure PSK is done by comparing the indexes sent with the
    index received by the server.

    TLS 1.3 session tickets are always sent to the peer unless the
    GNUTLS_NO_TICKETS is specified.

    Resolves #290

    Signed-off-by: Ander Juaristi <a@juaristi.eus>
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
* require nettle 3.3 or later | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -7/+5
    This will simplify handling of the x25519 key exchange.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* bumped version [gnutls_3_6_2] | Nikos Mavrogiannopoulos | 2018-02-16 | 1 | -1/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* build: remove m4 files pulled in by autopoint | Daiki Ueno | 2017-11-30 | 3 | -905/+0
    Having these files in the git repository causes unnecessary changes
    after "make bootstrap".

    Signed-off-by: Daiki Ueno <dueno@redhat.com>
* bumped version | Nikos Mavrogiannopoulos | 2017-10-18 | 1 | -1/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Modernize gtk-doc support [tmp-modernize-gtk-doc] | Andreas Metzler | 2017-09-28 | 1 | -10/+37
    Update gtk-doc.make, m4/gtk-doc.m4 and doc/reference/Makefile.am from
    gtk-doc git head (that is 1.26 + c08cc78562c59082fc83b55b58747177510b7a70).

    Disable gtkdoc-check.

    Signed-off-by: Andreas Metzler <ametzler@bebt.de>
* m4: updated ax_code_coverage.m4 [ci skip] | Nikos Mavrogiannopoulos | 2017-08-24 | 1 | -6/+6
    This version fixes a bug which prevented including the branch coverage
    into output.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* hooks.m4: reduce the gap between minor soversion of 3.5.x and 3.6.0 | Nikos Mavrogiannopoulos | 2017-08-20 | 1 | -2/+2
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* CONTRIBUTING.md: added section on symbol versioning | Nikos Mavrogiannopoulos | 2017-08-09 | 1 | -0/+3
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_digest_is_secure_for_certs: introduced | Nikos Mavrogiannopoulos | 2017-07-21 | 1 | -2/+2
    This is a macro to allow checking the security of a hash algorithm with
    respect to signing certificates.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Removed support for openpgp certificates and keys | Nikos Mavrogiannopoulos | 2017-06-16 | 1 | -15/+0
    Resolves #178

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Fix autoconf progress message concerning heartbeat [ci skip] | Andreas Metzler | 2017-05-14 | 1 | -1/+1