path: root/src
Commit message (Author, Age, Files, Lines)
* build: write "FILE *fp" instead of "FILE *fd" [tmp-fileio] (Daiki Ueno, 2020-05-30, 4 files, -89/+89)
  This makes it clear that "fd" is not a file descriptor but a FILE pointer.
  Suggested by Tim Rühsen.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* gnulib: update git submodule (Daiki Ueno, 2020-05-29, 4 files, -32/+29)
  This brings in the new fopen-gnu module and the RF_SENSITIVE flag for fread_file and read_file. This also adds the following changes to be consistent with the latest changes in Gnulib:
  - the callers of fread_file and read_file to be adjusted for the FLAGS argument
  - "attribute.h" needs to be used extensively
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* certtool: use gnutls_pkcs7_print_signature_info (Dmitry Baryshkov, 2020-05-14, 1 file, -81/+7)
  Use new function to remove code duplication.
  Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* Merge branch 'aesni-xts' into 'master' (Daiki Ueno, 2020-05-08, 1 file, -0/+8)
  accelerated: use AES-NI for AES-XTS when available
  See merge request gnutls/gnutls!1244
| * benchmark: enable AES-XTS cipher (Anderson Toshiyuki Sasaki, 2020-05-06, 1 file, -0/+8)
    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* | gnutls-cli: Add option to wait for resumption data (Anderson Toshiyuki Sasaki, 2020-05-07, 2 files, -6/+21)
    This introduces the --waitresumption command line option which makes the client wait for the resumption data until a ticket is received under TLS1.3. The client will block if no ticket is received. The new option has no effect if the option --resume is not provided.
    This is useful to force the client to wait for the resumption data when the server takes long to send the ticket, allowing the session resumption to be tested. This is a common scenario in CI systems where the testing machines have limited resources.
    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* New make target 'update-copyright-year' [tmp-reproducible-build] (Tim Rühsen, 2020-05-01, 1 file, -1/+1)
  We don't want to automatically update the copyright year as this prevents reproducible builds. Instead, 'make update-copyright-year' has to be executed at the start of each new year and the changes have to be pushed.
  Closes #980
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Merge branch 'better_SSL3.0_tests' into 'master' (Nikos Mavrogiannopoulos, 2020-03-27, 3 files, -2/+46)
  improve gnutls-cli-debug testing of old SSL 3.0 servers
  See merge request gnutls/gnutls!1221
| * add additional tests of SSL 3.0 (with extensions, and with cipher suites not in SSL 3.0) (Daniel Lenski, 2020-03-22, 3 files, -1/+42)
    See #958
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
| * test_ssl3: minimize cipher suites to those actually included in SSL 3.0 (Daniel Lenski, 2020-03-22, 1 file, -2/+5)
    See #958
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
| * SSL 3.0 (RFC6101) doesn't actually appear to require extensions, and some servers don't accept them (Daniel Lenski, 2020-03-22, 1 file, -1/+1)
    See #958
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
* | gnutls-serv: Do not exit when a message to be echoed is received (Anderson Toshiyuki Sasaki, 2020-03-24, 1 file, -2/+2)
    Previously, when gnutls-serv was executed with the --echo option, it would exit when a message to be echoed was received. Moreover, the server would output "Memory error" although no error occurred.
    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* gnutls-cli: Add option to store all stapled OCSP responses (Fiona Klute, 2020-02-08, 2 files, -16/+91)
  Note that there's a small modification to the behavior of the existing --ocsp-save option: If there is no stapled OCSP response the output file is still created and will be empty.
  Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
* Merge branch 'tmp-ed448' into 'master' (Daiki Ueno, 2020-01-24, 4 files, -3/+8)
  algorithms: implement X448 key exchange and Ed448 signature scheme
  See merge request gnutls/gnutls!984
| * algorithms: implement X448 key exchange and Ed448 signature scheme (Daiki Ueno, 2020-01-23, 4 files, -3/+8)
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | gnutls-cli-debug: ignore tests when algorithms are unavailable (Nikos Mavrogiannopoulos, 2020-01-18, 1 file, -2/+13)
    When gnutls-cli-debug is run on systems where a particular algorithm is disabled, ensure that we don't stop the testing; in that case we ignore the test.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls-cli: Log all stapled OCSP responses when running with --verbose (Fiona Klute, 2020-01-11, 1 file, -6/+15)
  Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
* certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set (Tim Rühsen, 2020-01-03, 1 file, -1/+2)
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* cli: fix building with GOST disabled (Dmitry Eremin-Solenikov, 2019-12-29, 1 file, -0/+2)
  Fix building gnutls-cli (benchmark part) with GOST keys support being disabled.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* cli: support building with OCSP and ANON disabled (Dmitry Eremin-Solenikov, 2019-12-29, 3 files, -13/+52)
  Support gnutls-cli when building GnuTLS with OCSP and ANON authentication API disabled.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* serv: support building with OCSP disabled (Dmitry Eremin-Solenikov, 2019-12-29, 2 files, -2/+32)
  Support gnutls-serv when building GnuTLS with OCSP API disabled.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* benchmark: enable benchmarking of GOST CNT ciphersuite/KX (Dmitry Eremin-Solenikov, 2019-12-27, 1 file, -0/+55)
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* benchmark: support benchmarking GOST ciphers/MACs (Dmitry Eremin-Solenikov, 2019-12-27, 1 file, -0/+12)
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* benchmark: use mac key size instead of block size (Dmitry Eremin-Solenikov, 2019-12-27, 1 file, -4/+4)
  Use newly added gnutls_hmac_get_key_size() to get key size instead of assuming that key size = block size (incorrect for GOST 28147 IMIT).
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Merge branch 'tmp-certtool-crq' into 'master' (Nikos Mavrogiannopoulos, 2019-12-23, 1 file, -1/+2)
  certtool: always set extensions from template
  See merge request gnutls/gnutls!1130
| * certtool: always set extensions from template (Nikos Mavrogiannopoulos, 2019-12-23, 1 file, -1/+2)
    Previously we would only set these extensions specific with add_extension when generating using --generate-certificate. The change makes sure these options are considered even when generating an extension from a certificate request. Issue reported on the mailing list.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | Merge branch 'tmp-gnutls-cli' into 'master' (Dmitry Eremin-Solenikov, 2019-12-23, 3 files, -14/+34)
    Improvements in gnutls-cli --benchmark-tls-kx
    See merge request gnutls/gnutls!1128
| * | gnutls-cli: improved output of --benchmark-tls-kx [tmp-gnutls-cli] (Nikos Mavrogiannopoulos, 2019-12-20, 1 file, -3/+3)
      It is now printed in a way that separates the tests. Example:
      ```
      (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
       - 179.19 transactions/sec
       - avg. handshake time: 5.57 ms
       - standard deviation: 0.57
      (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
       - 182.24 transactions/sec
       - avg. handshake time: 5.48 ms
       - standard deviation: 0.64
      ```
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | gnutls-cli: benchmark-tls-kx can work with sub-ms accuracy (Nikos Mavrogiannopoulos, 2019-12-20, 3 files, -13/+33)
      This allows micro and nanoseconds to be reported if necessary, and it changes reporting of sample variance to standard deviation giving a possibly better overview as it is in the same units as the average.
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | Merge branch 'tmp-fix-serv-exit' into 'master' (Nikos Mavrogiannopoulos, 2019-12-23, 2 files, -20/+32)
      gnutls-serv: do not exit on command failure
      Closes #868
      See merge request gnutls/gnutls!1129
| * | gnutls-serv: do not exit on command failure (Nikos Mavrogiannopoulos, 2019-12-07, 2 files, -20/+32)
      If gnutls_reauth() or gnutls_heartbeat_ping() fail, gnutls-serv would simply quit. This prevents using this tool in a test environment like tlsfuzzer. Ensure that we don't quit on error.
      Resolves: #868
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | Merge branch 'tmp-check-same-certs' into 'master' (Nikos Mavrogiannopoulos, 2019-12-20, 3 files, -0/+28)
      _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements
      Closes #877
      See merge request gnutls/gnutls!1140
| * | certtool: added option to apply a certificate verification profile (Nikos Mavrogiannopoulos, 2019-12-19, 3 files, -0/+28)
      This applies to the --verify and --verify-chain commands.
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests (Dmitry Eremin-Solenikov, 2019-12-20, 3 files, -5/+97)
    Add test for VKO-GOST-12, GOST28147-TC26Z-CNT and GOST28147-TC26Z-IMIT support by the server.
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* libopts: include new files into dist [tmp-libopts-fix] (Nikos Mavrogiannopoulos, 2019-12-02, 1 file, -1/+1)
  This also includes --enable-local-libopts flag to make dist to catch future regressions.
  Resolves: #867
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Write OCSP status request debug information to logfile, if set (Fiona Klute, 2019-12-01, 1 file, -1/+1)
  The status information is not part of the payload data and should be separate when using --logfile.
  Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
* Send log messages about loading client credentials to logfile, if set (Fiona Klute, 2019-12-01, 1 file, -2/+2)
  Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
* certtool: always include the CRL distribution points on CAs (Nikos Mavrogiannopoulos, 2019-11-25, 1 file, -9/+10)
  Previously we would omit the CRL distribution points from a non-self signed CA certificate, even if contained in the template.
  Resolves: #765
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-update-ci-to-f31' into 'master' (Nikos Mavrogiannopoulos, 2019-11-02, 55 files, -1529/+2322)
  Update CI to F31
  See merge request gnutls/gnutls!1113
| * updated to libopts 5.18.16 (Nikos Mavrogiannopoulos, 2019-10-30, 55 files, -1529/+2322)
    This fixes compilation in Fedora 30 which ships with this version of autogen.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'logfile-doc-improvement' into 'master' (Nikos Mavrogiannopoulos, 2019-10-31, 1 file, -1/+1)
    doc: describe how to make gnutls-cli quiet for pipe usage
    Closes #845
    See merge request gnutls/gnutls!1108
| * doc: describe how to make gnutls-cli quiet for pipe usage (Björn Jacke, 2019-10-25, 1 file, -1/+1)
    Signed-off-by: Bjoern Jacke <bjacke@samba.org>
* | serv: move closing TABLE tag after actual table end (Dmitry Eremin-Solenikov, 2019-10-27, 1 file, -1/+3)
    Move closing TABLE tag after printing information on cipher and MAC.
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* src: fix noreturn-related warning (Dmitry Eremin-Solenikov, 2019-10-18, 2 files, -2/+2)
  Recent autogen started adding '#include <stdnoreturn.h>' into -args.h files. However in GnuTLS tools code this results in the following warnings, because stdnoreturn.h unconditionally redefines 'noreturn' to _Noreturn:
    warning: '_Noreturn' attribute directive ignored
  Use __noreturn__ attribute instead as does Gnulib.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* p11tool: print mechanism info in list-mechanisms (Dmitry Eremin-Solenikov, 2019-10-09, 2 files, -1/+61)
  Print key size range and flags in mechanisms list.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Implemented raw public key support for gnutls-serv application. (Tom Vrancken, 2019-10-04, 2 files, -6/+101)
  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* Implemented raw public key support for gnutls-cli application. (Tom Vrancken, 2019-10-04, 3 files, -53/+223)
  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* certtool: ensure that PKCS#8 file does not contain key description (Nikos Mavrogiannopoulos, 2019-09-28, 1 file, -3/+6)
  Resolves: #840
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls-cli-debug: fix early break for no version supported check (Dmitry Eremin-Solenikov, 2019-09-02, 3 files, -60/+56)
  Currently gnutls-cli-debug code hardcodes index of tests, after which it will check if any known protocols (SSL 3.0/TLS1.[0123]) are supported by the server. However this number is hardcoded and thus easy to break. This is exactly what happened after adding %ALLOW_SMALL_RECORDS check. Two tests were added in front of tests lists without updating this index. So let's make this check robust by adding another test which will return fatal error if no known protocols are supported.
  While we are at it, also simplify tests loop by removing internal loop completely and controlling opening/closing a socket with a flag.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* src/Makefile.am: fix detection of .bak files (Nikos Mavrogiannopoulos, 2019-08-05, 1 file, -6/+5)
  This fixes detection in a way to work in builds outside the source directory.
  Resolves: #810
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>