| Commit message (Collapse) | Author | Age | Files | Lines |
The previous issuer callback API had a drawback: the callback is
supposed to add CA to the trust list by itself. This was error-prone,
because the callback must check the new CA is trusted by the already
added CA. This instead moves the responsibility to the library.
This also rewrites the chain amendment logic in a side-effect free
manner. The application can assume that the trust information stored
on gnutls_x509_trust_list_t shouldn't change after the verification.
The missingissuer test has been extended to cover all the possible
patterns exhaustively.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
GCC 10 warns about this:
tests.c:702:2: error: 'siginterrupt' is deprecated: Use sigaction with SA_RESTART instead [-Werror=deprecated-declarations]
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
The previous code didn't modify the pointer to the realloc'ed region
nor check overflow before calling realloc.
Spotted by Anderson Sasaki in:
<https://gitlab.com/gnutls/gnutls/-/merge_requests/1345#note_439063374>.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
This also moves the hex encoding of key to write_key for readability
and makes file stream closing more robust.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
Printing UTCTime really needs last 2 digits of the year.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
gnutls-cli to
automatically download missing intermediate CAs in a certificate chain
lib/cred-cert.c : adds set and get APIs to get user data in the
gnutls_x509_trust_list_set_getissuer_function() callback.
Signed-off-by: Sahana Prasad <sahana@redhat.com>
|
add option `--crlf` to gnutls-serv to disable replacing a received CRLF
by LF in echo mode (fixes #1073).
Signed-off-by: Albrecht Dreß <albrecht.dress@arcor.de>
|
doc: assorted typo fixes
See merge request gnutls/gnutls!1305
|
Spotted by codespell.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
cert-session: ensure that invalid flag is always set
See merge request gnutls/gnutls!1304
|
According to the documentation, the GNUTLS_CERT_INVALID flag must
always be set in case of verification failure, together with the flag
indicating the actual error cause.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
Fix two issues about certtool and passwords
Closes #933 and #888
See merge request gnutls/gnutls!1268
|
Do not encrypt certificate bag if the user has specified empty password
(--password ''). Encryption can be turned on by specifying
--empty-password.
Fixes #888
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
Make pin_callback() use cinfo->password if it is set (via command line
or from template).
Fixes #933
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
build: minor fixes
See merge request gnutls/gnutls!1287
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
refine tests for ancient servers which support both SSL 3.0 and TLS 1.0, but both only with %NO_EXTENSIONS
See merge request gnutls/gnutls!1251
|
both only with %NO_EXTENSIONS
This is a follow-up to !1221.

See #958 and https://gitlab.com/openconnect/openconnect/-/issues/145 for a
real-world example of ancient Cisco servers with these deficiencies.

With !1221 only, gnutls-cli-debug reports that these ancient servers only support
SSL 3.0 (but without extensions). Information after this point is
largely erroneous:

    $ gnutls-cli-debug ***vpn.***.com
    GnuTLS debug client 3.6.12
    Checking ***vpn.***.com:443
    whether the server accepts default record size (512 bytes)... no
    whether %ALLOW_SMALL_RECORDS is required... no
    for SSL 3.0 (RFC6101) support... yes
    for SSL 3.0 with extensions... no

With this additional change, gnutls-cli-debug correctly reports that such a
server also supports TLS 1.0 (but again with extensions disabled). Below
I've marked some of the significant fields that have changed:

    $ gnutls-cli-debug ***vpn.***.com
    GnuTLS debug client 3.6.12
    Checking ***vpn.***.com:443
    whether the server accepts default record size (512 bytes)... no
    whether %ALLOW_SMALL_RECORDS is required... no
    for SSL 3.0 (RFC6101) support... yes
    for SSL 3.0 with extensions... no
    whether we need to disable TLS 1.2... yes
    whether we need to disable TLS 1.1... yes
    # This is now correct:
    whether we need to disable TLS 1.0... no
    # This is now correct:
    whether %NO_EXTENSIONS is required... yes
    # This is now correct:
    for TLS 1.0 (RFC2246) support... yes
    for TLS 1.1 (RFC4346) support... no
    fallback from TLS 1.1 to... failed
    for TLS 1.2 (RFC5246) support... no
    # This is now correct:
    for known TLS or SSL protocols support... yes
    TLS1.2 neg fallback from TLS 1.6 to... failed (server requires fallback dance)
    for inappropriate fallback (RFC7507) support... no
    for HTTPS server name... ******
    for certificate chain order... sorted
    for Safe renegotiation support (SCSV)... no
    for version rollback bug in RSA PMS... no
    for version rollback bug in Client Hello... no
    whether the server ignores the RSA PMS version... no
    whether small records (512 bytes) are tolerated on handshake... yes
    whether cipher suites not in SSL 3.0 spec are accepted... yes
    whether a bogus TLS record version in the client hello is accepted... yes
    whether the server understands TLS closure alerts... partially
    whether the server supports session resumption... yes
    for anonymous authentication support... no
    for ephemeral Diffie-Hellman support... no
    for RFC7919 Diffie-Hellman support... no
    for AES-GCM cipher (RFC5288) support... no
    for AES-CCM cipher (RFC6655) support... no
    for AES-CCM-8 cipher (RFC6655) support... no
    for AES-CBC cipher (RFC3268) support... no
    for CAMELLIA-GCM cipher (RFC6367) support... no
    for CAMELLIA-CBC cipher (RFC5932) support... no
    # This is now correct:
    for 3DES-CBC cipher (RFC2246) support... yes
    # This is now correct:
    for ARCFOUR 128 cipher (RFC2246) support... yes
    for CHACHA20-POLY1305 cipher (RFC7905) support... no
    for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... no
    for MD5 MAC support... yes
    for SHA1 MAC support... yes
    for SHA256 MAC support... no
    for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... no
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
|
It turned out that AutoGen treats numbers that exceed INT_MAX in a
platform-dependent way. In this case, 4294967295 (UINT_MAX) is
treated as is on 64-bit platforms, while it is interpreted as "-1" on
32-bit platforms. This causes a problem when the program
documentation is compiled under a multilib environment.
Reported by Ivan Molodetskikh in:
https://bugzilla.redhat.com/show_bug.cgi?id=1841844
and the cause was identified by Anderson Toshiyuki Sasaki.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
This makes it clear that "fd" is not a file descriptor but a FILE
pointer. Suggested by Tim Rühsen.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
This brings in the new fopen-gnu module and the RF_SENSITIVE flag for
fread_file and read_file. This also adds the following changes to be
consistent with the latest changes in Gnulib:
- the callers of fread_file and read_file to be adjusted for the FLAGS
argument
- "attribute.h" needs to be used extensively
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
Use new function to remove code duplication.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
accelerated: use AES-NI for AES-XTS when available
See merge request gnutls/gnutls!1244
|
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
This introduces the --waitresumption command line option which makes the
client wait for the resumption data until a ticket is received under
TLS1.3. The client will block if no ticket is received. The new option
has no effect if the option --resume is not provided.
This is useful to force the client to wait for the resumption data when
the server takes long to send the ticket, allowing the session
resumption to be tested. This is a common scenario in CI systems where
the testing machines have limited resources.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
We don't want to automatically update the copyright year as this
prevents reproducible builds.
Instead, 'make update-copyright-year' has to be executed at the
start of each new year and the changes have to be pushed.
Closes #980
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
improve gnutls-cli-debug testing of old SSL 3.0 servers
See merge request gnutls/gnutls!1221
|
in SSL 3.0)
See #958
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
|
See #958
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
|
servers don't accept them
See #958
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
|
Previously, when gnutls-serv was executed with the --echo option, it
would exit when a message to be echoed was received. Moreover, the
server would output "Memory error" although no error occurred.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
Note that there's a small modification to the behavior of the existing
--ocsp-save option: If there is no stapled OCSP response the output
file is still created and will be empty.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
|
algorithms: implement X448 key exchange and Ed448 signature scheme
See merge request gnutls/gnutls!984
|
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
When gnutls-cli-debug is run on systems where a particular algorithm
is disabled, ensure that we don't stop the testing; in that case
we ignore the test.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
|
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
Fix building gnutls-cli (benchmark part) with GOST keys support being
disabled.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
Support gnutls-cli when building GnuTLS with OCSP and ANON
authentication API disabled.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
Support gnutls-serv when building GnuTLS with OCSP API disabled.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
Use newly added gnutls_hmac_get_key_size() to get key size instead of
assuming that key size = block size (incorrect for GOST 28147 IMIT).
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
certtool: always set extensions from template
See merge request gnutls/gnutls!1130
|