Commit log for path: root/src
(each entry: subject; author, date, files changed, lines removed/added; message body)
* Merge branch 'tmp-ed448' into 'master'
  Daiki Ueno, 2020-01-24, 4 files, -3/+8 lines
  algorithms: implement X448 key exchange and Ed448 signature scheme
  See merge request gnutls/gnutls!984

* algorithms: implement X448 key exchange and Ed448 signature scheme
  Daiki Ueno, 2020-01-23, 4 files, -3/+8 lines
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* gnutls-cli-debug: ignore tests when algorithms are unavailable
  Nikos Mavrogiannopoulos, 2020-01-18, 1 file, -2/+13 lines
  When gnutls-cli-debug is run on systems where a particular algorithm is disabled, ensure that we don't stop the testing; in that case we ignore the test.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* gnutls-cli: Log all stapled OCSP responses when running with --verbose
  Fiona Klute, 2020-01-11, 1 file, -6/+15 lines
  Signed-off-by: Fiona Klute <fiona.klute@gmx.de>

* certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set
  Tim Rühsen, 2020-01-03, 1 file, -1/+2 lines
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

* cli: fix building with GOST disabled
  Dmitry Eremin-Solenikov, 2019-12-29, 1 file, -0/+2 lines
  Fix building gnutls-cli (benchmark part) with GOST keys support being disabled.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* cli: support building with OCSP and ANON disabled
  Dmitry Eremin-Solenikov, 2019-12-29, 3 files, -13/+52 lines
  Support gnutls-cli when building GnuTLS with OCSP and ANON authentication API disabled.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* serv: support building with OCSP disabled
  Dmitry Eremin-Solenikov, 2019-12-29, 2 files, -2/+32 lines
  Support gnutls-serv when building GnuTLS with OCSP API disabled.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* benchmark: enable benchmarking of GOST CNT ciphersuite/KX
  Dmitry Eremin-Solenikov, 2019-12-27, 1 file, -0/+55 lines
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* benchmark: support benchmarking GOST ciphers/MACs
  Dmitry Eremin-Solenikov, 2019-12-27, 1 file, -0/+12 lines
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* benchmark: use mac key size instead of block size
  Dmitry Eremin-Solenikov, 2019-12-27, 1 file, -4/+4 lines
  Use newly added gnutls_hmac_get_key_size() to get key size instead of assuming that key size = block size (incorrect for GOST 28147 IMIT).
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* Merge branch 'tmp-certtool-crq' into 'master'
  Nikos Mavrogiannopoulos, 2019-12-23, 1 file, -1/+2 lines
  certtool: always set extensions from template
  See merge request gnutls/gnutls!1130
* certtool: always set extensions from template
  Nikos Mavrogiannopoulos, 2019-12-23, 1 file, -1/+2 lines
  Previously we would only set these extensions specified with add_extension when generating using --generate-certificate. The change makes sure these options are considered even when generating an extension from a certificate request.
  Issue reported on the mailing list.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-gnutls-cli' into 'master'
  Dmitry Eremin-Solenikov, 2019-12-23, 3 files, -14/+34 lines
  Improvements in gnutls-cli --benchmark-tls-kx
  See merge request gnutls/gnutls!1128

* gnutls-cli: improved output of --benchmark-tls-kx [tmp-gnutls-cli]
  Nikos Mavrogiannopoulos, 2019-12-20, 1 file, -3/+3 lines
  It is now printed in a way that separates the tests. Example:
  ```
  (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
  - 179.19 transactions/sec
  - avg. handshake time: 5.57 ms
  - standard deviation: 0.57
  (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
  - 182.24 transactions/sec
  - avg. handshake time: 5.48 ms
  - standard deviation: 0.64
  ```
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* gnutls-cli: benchmark-tls-kx can work with sub-ms accuracy
  Nikos Mavrogiannopoulos, 2019-12-20, 3 files, -13/+33 lines
  This allows micro and nanoseconds to be reported if necessary, and it changes reporting of sample variance to standard deviation, giving a possibly better overview as it is in the same units as the average.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Merge branch 'tmp-fix-serv-exit' into 'master'
  Nikos Mavrogiannopoulos, 2019-12-23, 2 files, -20/+32 lines
  gnutls-serv: do not exit on command failure
  Closes #868
  See merge request gnutls/gnutls!1129

* gnutls-serv: do not exit on command failure
  Nikos Mavrogiannopoulos, 2019-12-07, 2 files, -20/+32 lines
  If gnutls_reauth() or gnutls_heartbeat_ping() fail, gnutls-serv would simply quit. This prevents using this tool in a test environment like tlsfuzzer. Ensure that we don't quit on error.
  Resolves: #868
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Merge branch 'tmp-check-same-certs' into 'master'
  Nikos Mavrogiannopoulos, 2019-12-20, 3 files, -0/+28 lines
  _gnutls_verify_crt_status: apply algorithm checks to trusted CAs and other cert improvements
  Closes #877
  See merge request gnutls/gnutls!1140

* certtool: added option to apply a certificate verification profile
  Nikos Mavrogiannopoulos, 2019-12-19, 3 files, -0/+28 lines
  This applies to the --verify and --verify-chain commands.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
  Dmitry Eremin-Solenikov, 2019-12-20, 3 files, -5/+97 lines
  Add test for VKO-GOST-12, GOST28147-TC26Z-CNT and GOST28147-TC26Z-IMIT support by the server.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* libopts: include new files into dist [tmp-libopts-fix]
  Nikos Mavrogiannopoulos, 2019-12-02, 1 file, -1/+1 lines
  This also includes --enable-local-libopts flag to make dist to catch future regressions.
  Resolves: #867
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Write OCSP status request debug information to logfile, if set
  Fiona Klute, 2019-12-01, 1 file, -1/+1 lines
  The status information is not part of the payload data and should be separate when using --logfile.
  Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
* Send log messages about loading client credentials to logfile, if set
  Fiona Klute, 2019-12-01, 1 file, -2/+2 lines
  Signed-off-by: Fiona Klute <fiona.klute@gmx.de>

* certtool: always include the CRL distribution points on CAs
  Nikos Mavrogiannopoulos, 2019-11-25, 1 file, -9/+10 lines
  Previously we would omit the CRL distribution points from a non-self-signed CA certificate, even if contained in the template.
  Resolves: #765
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* Merge branch 'tmp-update-ci-to-f31' into 'master'
  Nikos Mavrogiannopoulos, 2019-11-02, 55 files, -1529/+2322 lines
  Update CI to F31
  See merge request gnutls/gnutls!1113

* updated to libopts 5.18.16
  Nikos Mavrogiannopoulos, 2019-10-30, 55 files, -1529/+2322 lines
  This fixes compilation in Fedora 30 which ships with this version of autogen.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Merge branch 'logfile-doc-improvement' into 'master'
  Nikos Mavrogiannopoulos, 2019-10-31, 1 file, -1/+1 lines
  doc: describe how to make gnutls-cli quiet for pipe usage
  Closes #845
  See merge request gnutls/gnutls!1108

* doc: describe how to make gnutls-cli quiet for pipe usage
  Björn Jacke, 2019-10-25, 1 file, -1/+1 lines
  Signed-off-by: Bjoern Jacke <bjacke@samba.org>

* serv: move closing TABLE tag after actual table end
  Dmitry Eremin-Solenikov, 2019-10-27, 1 file, -1/+3 lines
  Move closing TABLE tag after printing information on cipher and MAC.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* src: fix noreturn-related warning
  Dmitry Eremin-Solenikov, 2019-10-18, 2 files, -2/+2 lines
  Recent autogen started adding '#include <stdnoreturn.h>' into -args.h files. However, in GnuTLS tools code this results in the following warnings, because stdnoreturn.h unconditionally redefines 'noreturn' to _Noreturn:
    warning: '_Noreturn' attribute directive ignored
  Use __noreturn__ attribute instead as does Gnulib.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* p11tool: print mechanism info in list-mechanisms
  Dmitry Eremin-Solenikov, 2019-10-09, 2 files, -1/+61 lines
  Print key size range and flags in mechanisms list.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* Implemented raw public key support for gnutls-serv application.
  Tom Vrancken, 2019-10-04, 2 files, -6/+101 lines
  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>

* Implemented raw public key support for gnutls-cli application.
  Tom Vrancken, 2019-10-04, 3 files, -53/+223 lines
  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>

* certtool: ensure that PKCS#8 file does not contain key description
  Nikos Mavrogiannopoulos, 2019-09-28, 1 file, -3/+6 lines
  Resolves: #840
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls-cli-debug: fix early break for no version supported check
  Dmitry Eremin-Solenikov, 2019-09-02, 3 files, -60/+56 lines
  Currently gnutls-cli-debug code hardcodes the index of tests, after which it will check if any known protocols (SSL 3.0/TLS1.[0123]) are supported by the server. However, this number is hardcoded and thus easy to break. This is exactly what happened after adding the %ALLOW_SMALL_RECORDS check. Two tests were added in front of the tests list without updating this index.
  So let's make this check robust by adding another test which will return a fatal error if no known protocols are supported.
  While we are at it, also simplify the tests loop by removing the internal loop completely and controlling opening/closing a socket with a flag.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* src/Makefile.am: fix detection of .bak files
  Nikos Mavrogiannopoulos, 2019-08-05, 1 file, -6/+5 lines
  This fixes detection in a way to work in builds outside the source directory.
  Resolves: #810
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* certtool: default to yes on signing certificates for CAs [tmp-sign-cas]
  Nikos Mavrogiannopoulos, 2019-07-26, 1 file, -2/+2 lines
  When asking the questions for CA certificate generation, default to yes to signing certificates. This is because that's the most common type of CAs generated and defaulting to yes eliminates the need for restart on error.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* gnutls-cli-debug: test whether RSA key exchange is supported
  Nikos Mavrogiannopoulos, 2019-06-29, 3 files, -0/+27 lines
  Resolves: #449
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* gnutls-serv: add --httpdata option to respond with fixed sized data
  Daiki Ueno, 2019-06-19, 2 files, -1/+55 lines
  By default, the gnutls-server --http responds with the connection information. While this is useful for manual testing, fixed content would be more desirable for automated testing.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* gnutls-cli-debug: check if %ALLOW_SMALL_RECORDS is required
  Daiki Ueno, 2019-06-19, 3 files, -2/+69 lines
  This adds a new test against the server to check if %ALLOW_SMALL_RECORDS is required to continue communicating with the server. The test is in two parts: one to check if the server accepts records with the default size (512 bytes) and the other is to check if %ALLOW_SMALL_RECORDS helps if the previous test fails.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* gnutls-serv: add --recordsize option
  Daiki Ueno, 2019-06-19, 2 files, -0/+22 lines
  This adds a means to set maximum record size to receive. If the size is less than our default (< 512), --priority with %ALLOW_SMALL_RECORDS also needs to be specified.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Do not regenerate autogen files if --enable-local-libopts is given [tmp-fix-libopts]
  Nikos Mavrogiannopoulos, 2019-05-29, 1 file, -0/+18 lines
  This addresses an issue on installed systems which have autogen but use --enable-local-libopts. In these systems, if the installed autogen does not match the local libopts library version, compilation would fail because the auto-generated files depend on the libopts internals corresponding to the autogen version.
  Resolves: #772
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* certtool: corrected typo in manual [ci skip]
  Nikos Mavrogiannopoulos, 2019-05-23, 1 file, -2/+2 lines
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* certtool: CA certificates will contain the digital signature key usage flag
  Nikos Mavrogiannopoulos, 2019-05-20, 1 file, -1/+5 lines
  This change ensures that all certificates will contain the digital signature key usage flag if that's specified in the template.
  Resolves: #767
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* gnutls-serv: GERR macro will output in stderr
  Nikos Mavrogiannopoulos, 2019-05-20, 1 file, -1/+1 lines
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Check all memory allocation in examples and certtool [tmp-check-allocations]
  Nikos Mavrogiannopoulos, 2019-05-14, 1 file, -0/+9 lines
  Resolves: #739
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* tools: suppress ctime() error from static analysers
  Nikos Mavrogiannopoulos, 2019-05-09, 6 files, -13/+40 lines
  This function is not thread safe and can be easily misused even in single threaded scenarios (one such minor bug fixed).
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* Add or clean header guards in src/
  Tim Rühsen, 2019-05-07, 10 files, -17/+41 lines
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

* certtool: refuse to accept an incompatible key type
  Nikos Mavrogiannopoulos, 2019-04-25, 1 file, -2/+13 lines
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>