summaryrefslogtreecommitdiff
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* serv: stop setting AI_ADDRCONFIG on getaddrinfoDaiki Ueno2021-05-211-5/+1
| | | | | | | | | AI_ADDRCONFIG is only useful when the NODE argument is given in the getaddrinfo call, as described in RFC 3493 6.1. Suggested by Andreas Metzler in: https://gitlab.com/gnutls/gnutls/-/issues/1007#note_356637206 Signed-off-by: Daiki Ueno <ueno@gnu.org>
* gnulib: parse-datetime: port build fixes from upstream gnulibDaiki Ueno2021-04-031-0/+128
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* doc: assorted typo fixesDaiki Ueno2020-09-034-5/+5
| | | | | | Spotted by codespell. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* serv, cli: ensure that invalid flag is always setDaiki Ueno2020-09-031-1/+4
| | | | | | | | According to the documentation, the GNUTLS_CERT_INVALID flag must always be set in case of verification failure, together with the flag indicating the actual error cause. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* build: avoid -Wenum-conversion warnings with GCC 10Daiki Ueno2020-08-311-3/+3
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* refine tests for ancient servers which support both SSL 3.0 and TLS 1.0, but ↵Daniel Lenski2020-08-312-5/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | both only with %NO_EXTENSIONS This is a follow-up to !1221. See #958 and https://gitlab.com/openconnect/openconnect/-/issues/145 for a real-world example of ancient Cisco servers with these deficiencies. With !1221 only, gnutls-cli-debug reports that these ancient servers only support SSL 3.0 (but without extensions). Information after this point is largely erroneous: $ gnutls-cli-debug ***vpn.***.com GnuTLS debug client 3.6.12 Checking ***vpn.***.com:443 whether the server accepts default record size (512 bytes)... no whether %ALLOW_SMALL_RECORDS is required... no for SSL 3.0 (RFC6101) support... yes for SSL 3.0 with extensions... no With this additional change, gnutls-cli-debug correctly reports that such a server also supports TLS 1.0 (but again with extensions disabled). Below I've marked some of the significant fields that have changed: $ gnutls-cli-debug ***vpn.***.com GnuTLS debug client 3.6.12 Checking ***vpn.***.com:443 whether the server accepts default record size (512 bytes)... no whether %ALLOW_SMALL_RECORDS is required... no for SSL 3.0 (RFC6101) support... yes for SSL 3.0 with extensions... no whether we need to disable TLS 1.2... yes whether we need to disable TLS 1.1... yes # This is now correct: whether we need to disable TLS 1.0... no # This is now correct: whether %NO_EXTENSIONS is required... yes # This is now correct: for TLS 1.0 (RFC2246) support... yes for TLS 1.1 (RFC4346) support... no fallback from TLS 1.1 to... failed for TLS 1.2 (RFC5246) support... no # This is now correct: for known TLS or SSL protocols support... yes TLS1.2 neg fallback from TLS 1.6 to... failed (server requires fallback dance) for inappropriate fallback (RFC7507) support... no for HTTPS server name... ****** for certificate chain order... sorted for Safe renegotiation support (SCSV)... no for version rollback bug in RSA PMS... no for version rollback bug in Client Hello... no whether the server ignores the RSA PMS version... no whether small records (512 bytes) are tolerated on handshake... yes whether cipher suites not in SSL 3.0 spec are accepted... yes whether a bogus TLS record version in the client hello is accepted... yes whether the server understands TLS closure alerts... partially whether the server supports session resumption... yes for anonymous authentication support... no for ephemeral Diffie-Hellman support... no for RFC7919 Diffie-Hellman support... no for AES-GCM cipher (RFC5288) support... no for AES-CCM cipher (RFC6655) support... no for AES-CCM-8 cipher (RFC6655) support... no for AES-CBC cipher (RFC3268) support... no for CAMELLIA-GCM cipher (RFC6367) support... no for CAMELLIA-CBC cipher (RFC5932) support... no # This is now correct: for 3DES-CBC cipher (RFC2246) support... yes # This is now correct: for ARCFOUR 128 cipher (RFC2246) support... yes for CHACHA20-POLY1305 cipher (RFC7905) support... no for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... no for MD5 MAC support... yes for SHA1 MAC support... yes for SHA256 MAC support... no for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... no Signed-off-by: Daniel Lenski <dlenski@gmail.com>
* serv: omit upper bound of --maxearlydata option definitionDaiki Ueno2020-08-311-1/+1
| | | | | | | | | | | | | | It turned out that AutoGen treats numbers that exceed INT_MAX in a platform dependent way. In this case, 4294967295 (UINT_MAX) is treated as is on 64-bit platforms, while it is interpreted as "-1" on 32-bit platforms. This causes a problem when the program documentation is compiled under multilib environment. Reported by Ivan Molodetskikh in: https://bugzilla.redhat.com/show_bug.cgi?id=1841844 and the cause was identified by Anderson Toshiyuki Sasaki. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* build: write "FILE *fp" instead of "FILE *fd"tmp-fileioDaiki Ueno2020-05-304-89/+89
| | | | | | | This makes it clear that "fd" is not a file descriptor but a FILE pointer. Suggested by Tim Rühsen. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* gnulib: update git submoduleDaiki Ueno2020-05-294-32/+29
| | | | | | | | | | | This brings in the new fopen-gnu module and the RF_SENSITIVE flag for fread_file and read_file. This also adds the following changes to be consistent with the latest changes in Gnulib: - the callers of fread_file and read_file to be adjusted for the FLAGS argument - "attribute.h" needs to be used extensively Signed-off-by: Daiki Ueno <ueno@gnu.org>
* certtool: use gnutls_pkcs7_print_signature_infoDmitry Baryshkov2020-05-141-81/+7
| | | | | | Use new function to remove code duplication. Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* Merge branch 'aesni-xts' into 'master'Daiki Ueno2020-05-081-0/+8
|\ | | | | | | | | accelerated: use AES-NI for AES-XTS when available See merge request gnutls/gnutls!1244
| * benchmark: enable AES-XTS cipherAnderson Toshiyuki Sasaki2020-05-061-0/+8
| | | | | | | | Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* | gnutls-cli: Add option to wait for resumption dataAnderson Toshiyuki Sasaki2020-05-072-6/+21
|/ | | | | | | | | | | | | | This introduces the --waitresumption command line option which makes the client to wait for the resumption data until a ticket is received under TLS1.3. The client will block if no ticket is received. The new option has no effect if the option --resume is not provided. This is useful to force the client to wait for the resumption data when the server takes long to send the ticket, allowing the session resumption to be tested. This is a common scenario in CI systems where the testing machines have limited resources. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* New make target 'update-copyright-year'tmp-reproducible-buildTim Rühsen2020-05-011-1/+1
| | | | | | | | | | | | We don't want to automatically update the copyright year as this prevents reproducible builds. Instead, 'make update-copyright-year' has to be executed at the start of each new year and the changes have to be pushed. Closes #980 Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Merge branch 'better_SSL3.0_tests' into 'master'Nikos Mavrogiannopoulos2020-03-273-2/+46
|\ | | | | | | | | improve gnutls-cli-debug testing of old SSL 3.0 servers See merge request gnutls/gnutls!1221
| * add additional tests of SSL 3.0 (with extensions, and with cipher suites not ↵Daniel Lenski2020-03-223-1/+42
| | | | | | | | | | | | | | | | in SSL 3.0) See #958 Signed-off-by: Daniel Lenski <dlenski@gmail.com>
| * test_ssl3: minimize cipher suites to those actually included in SSL 3.0Daniel Lenski2020-03-221-2/+5
| | | | | | | | | | | | See #958 Signed-off-by: Daniel Lenski <dlenski@gmail.com>
| * SSL 3.0 (RFC6101) doesn't actually appear to require extensions, and some ↵Daniel Lenski2020-03-221-1/+1
| | | | | | | | | | | | | | | | servers don't accept them See #958 Signed-off-by: Daniel Lenski <dlenski@gmail.com>
* | gnutls-serv: Do not exit when a message to be echoed is receivedAnderson Toshiyuki Sasaki2020-03-241-2/+2
|/ | | | | | | | Previously, when gnutls-serv was executed with the --echo option, it would exit when a message to be echoed was received. Moreover, the server would output "Memory error" although no error occurred. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* gnutls-cli: Add option to store all stapled OCSP responsesFiona Klute2020-02-082-16/+91
| | | | | | | | Note that there's a small modification to the behavior of the existing --ocsp-save option: If there is no stapled OCSP response the output file is still created and will be empty. Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
* Merge branch 'tmp-ed448' into 'master'Daiki Ueno2020-01-244-3/+8
|\ | | | | | | | | algorithms: implement X448 key exchange and Ed448 signature scheme See merge request gnutls/gnutls!984
| * algorithms: implement X448 key exchange and Ed448 signature schemeDaiki Ueno2020-01-234-3/+8
| | | | | | | | Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | gnutls-cli-debug: ignore tests when algorithms are unavailableNikos Mavrogiannopoulos2020-01-181-2/+13
|/ | | | | | | | When gnutls-cli-debug is run on systems where a particular algorithm is disabled, ensure that we don't stop the testing; in that case we ignore the test. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls-cli: Log all stapled OCSP responses when running with --verboseFiona Klute2020-01-111-6/+15
| | | | Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
* certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not setTim Rühsen2020-01-031-1/+2
| | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* cli: fix building with GOST disabledDmitry Eremin-Solenikov2019-12-291-0/+2
| | | | | | | Fix building gnutls-cli (benchmark part) with GOST keys support being disabled. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* cli: support building with OCSP and ANON disabledDmitry Eremin-Solenikov2019-12-293-13/+52
| | | | | | | Support gnutls-cli when building GnuTLS with OCSP and ANON authentication API disabled. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* serv: support building with OCSP disabledDmitry Eremin-Solenikov2019-12-292-2/+32
| | | | | | Support gnutls-serv when building GnuTLS with OCSP API disabled. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* benchmark: enable benchmarking of GOST CNT ciphersuite/KXDmitry Eremin-Solenikov2019-12-271-0/+55
| | | | Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* benchmark: support benchmarking GOST ciphers/MACsDmitry Eremin-Solenikov2019-12-271-0/+12
| | | | Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* benchmark: use mac key size instead of block sizeDmitry Eremin-Solenikov2019-12-271-4/+4
| | | | | | | Use newly added gnutls_hmac_get_key_size() to get key size instead of assuming that key size = block size (incorrect for GOST 28147 IMIT). Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Merge branch 'tmp-certtool-crq' into 'master'Nikos Mavrogiannopoulos2019-12-231-1/+2
|\ | | | | | | | | certtool: always set extensions from template See merge request gnutls/gnutls!1130
| * certtool: always set extensions from templateNikos Mavrogiannopoulos2019-12-231-1/+2
| | | | | | | | | | | | | | | | | | Previously we would only set these extensions specific with add_extension when generating using --generate-certificate. The change makes sure these options are considered even when generating an extension from a certificate request. Issue reported on the mailing list. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | Merge branch 'tmp-gnutls-cli' into 'master'Dmitry Eremin-Solenikov2019-12-233-14/+34
|\ \ | | | | | | | | | | | | Improvements in gnutls-cli --benchmark-tls-kx See merge request gnutls/gnutls!1128
| * | gnutls-cli: improved output of --benchmark-tls-kxtmp-gnutls-cliNikos Mavrogiannopoulos2019-12-201-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It is now printed in a way that separates the tests. Example: ``` (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) - 179.19 transactions/sec - avg. handshake time: 5.57 ms - standard deviation: 0.57 (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM) - 182.24 transactions/sec - avg. handshake time: 5.48 ms - standard deviation: 0.64 ``` Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | gnutls-cli: benchmark-tls-kx can work with sub-ms accuracyNikos Mavrogiannopoulos2019-12-203-13/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | This allows micro and nanoseconds to be reported if necessary, and it changes reporting of sample variance to standard deviation giving a possibly better overview as it is in the same units as the average. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | Merge branch 'tmp-fix-serv-exit' into 'master'Nikos Mavrogiannopoulos2019-12-232-20/+32
|\ \ \ | |_|/ |/| | | | | | | | | | | | | | gnutls-serv: do not exit on command failure Closes #868 See merge request gnutls/gnutls!1129
| * | gnutls-serv: do not exit on command failureNikos Mavrogiannopoulos2019-12-072-20/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If gnutls_reauth() or gnutls_heartbeat_ping() fail, gnutls-serv would simply quit. This prevents using this tool in a test environment like tlsfuzzer. Ensure that we don't quit on error. Resolves: #868 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | Merge branch 'tmp-check-same-certs' into 'master'Nikos Mavrogiannopoulos2019-12-203-0/+28
|\ \ \ | |_|/ |/| | | | | | | | | | | | | | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements Closes #877 See merge request gnutls/gnutls!1140
| * | certtool: added option to apply a certificate verification profileNikos Mavrogiannopoulos2019-12-193-0/+28
| |/ | | | | | | | | | | This applies to the --verify and --verify-chain commands. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC testsDmitry Eremin-Solenikov2019-12-203-5/+97
|/ | | | | | | Add test for VKO-GOST-12, GOST28147-TC26Z-CNT and GOST28147-TC26Z-IMIT support by the server. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* libopts: include new files into disttmp-libopts-fixNikos Mavrogiannopoulos2019-12-021-1/+1
| | | | | | | | | This also includes --enable-local-libopts flag to make dist to catch future regressions. Resolves: #867 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Write OCSP status request debug information to logfile, if setFiona Klute2019-12-011-1/+1
| | | | | | | The status information not part of the payload data and should be separate when using --logfile. Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
* Send log messages about loading client credentials to logfile, if setFiona Klute2019-12-011-2/+2
| | | | Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
* certtool: always include the CRL distribution points on CAsNikos Mavrogiannopoulos2019-11-251-9/+10
| | | | | | | | | Previously we would omit the CRL distribution points from a non-self signed CA certificate, even if contained in the template. Resolves: #765 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-update-ci-to-f31' into 'master'Nikos Mavrogiannopoulos2019-11-0255-1529/+2322
|\ | | | | | | | | Update CI to F31 See merge request gnutls/gnutls!1113
| * updated to libopts 5.18.16Nikos Mavrogiannopoulos2019-10-3055-1529/+2322
| | | | | | | | | | | | | | This fixes compilation in Fedora 30 which ships with this version of autogen. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Merge branch 'logfile-doc-improvement' into 'master'Nikos Mavrogiannopoulos2019-10-311-1/+1
|\ \ | |/ |/| | | | | | | | | doc: describe how to make gnutls-cli quiet for pipe usage Closes #845 See merge request gnutls/gnutls!1108
| * doc: describe how to make gnutls-cli quiet for pipe usageBjörn Jacke2019-10-251-1/+1
| | | | | | | | Signed-off-by: Bjoern Jacke <bjacke@samba.org>
* | serv: move closing TABLE tag after actual table endDmitry Eremin-Solenikov2019-10-271-1/+3
|/ | | | | | Move closing TABLE tag after printing information on cipher and MAC. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
View Lorry Controller Status