| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
With this option gnutls-cli prints the build-time configuration of the
library, retrieved through gnutls_get_library_config.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
| |
In src, we now have two helper programs: systemkey and dumpcfg.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
| |
As neither the tools nor documentation depends on AutoGen, we don't
need to include the AutoGen definition files.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
| |
As no tools link with libopts anymore, we don't need to include it in
the distribution.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
| |
This replaces configuration file parsing code previously provided by
<autoopts/options.h>, with a minimal compatible implementation.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
| |
This replaces AutoGen based command-line parser with a Python
script (gen-getopt.py), which takes JSON description as the input.
The included JSON files were converted one-off using the parse-autogen
program: https://gitlab.com/dueno/parse-autogen.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
| |
Currently certtool uses PKCS12-3DES-SHA1 for encrypting keys in
PKCS#12, while it is suggested to migrate to more modern algorithms,
namely AES-128-CBC with PBKDF2 and SHA-256:
https://bugzilla.redhat.com/show_bug.cgi?id=1759982
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
|
|
|
|
|
|
|
|
|
|
| |
This introduces transparent loading of TPM2 keys which are in PEM
form by gnutls_privkey_import_x509_raw() and higher level functions
which wrap it.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Co-authored-by: David Woodhouse <dwmw2@infradead.org>
Co-authored-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
| |
This is a simple extension of the certtool command-line interface.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
|
|
|
|
|
|
|
| |
This is related to #1227 -- but in this case, it's enforcing a
requirement of RFC 8410 §5.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
|
|
|
|
|
|
|
| |
These are just trivial extension points where the codepath is the same
for the ECDH scheme as it is for the EdDSA scheme.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
|
|
|
|
|
|
| |
Spotted by LGTM.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DN components are expected to be ordered by scale, with the wire format
representing larger-scale components (like country or organization) before
smaller-scale components (like state or organizationalUnit).
The bulk of the changes here of course are changes to the target
certificates in the test suite.
Note that a change was necessary in tests/cert-tests/crq.sh because it
tests the "interactive" mode of certtool. If any user is scripting
certtool in this way, this change will cause a backwards-incompatible
break. However, I think this is OK -- the supported scripted/batch
mode for certtool should use a template file, and I don't think it's
important to maintain a strict api on the interactive mode.
The main change here is to order the DN from least-specific-to-most,
in particular:
country, state, locality, org, orgunit, cn, uid
But I've also made an additional arbitrary choice, which is that DC
(domain component) comes *after* uid. This was already the case in
certificate generation, but in *request* generation, it was the other
way around. I've changed request generation to match this ordering
from certificate generation.
Closes: #1243
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
|
|
|
|
|
|
|
|
|
| |
AI_ADDRCONFIG is only useful when the NODE argument is given in the
getaddrinfo call, as described in RFC 3493 6.1. Suggested by Andreas
Metzler in:
https://gitlab.com/gnutls/gnutls/-/issues/1007#note_356637206
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
| |
While those options have no effect, the command previously tried to
open a file for reading and leaked file descriptor.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Spotted by gcc analyzer:
srptool.c:113:32: warning: leak of FILE 'fp' [CWE-775] [-Wanalyzer-file-leak]
113 | return -1;
| ^
also:
srptool.c:560:32: warning: leak of FILE 'fp' [CWE-775] [-Wanalyzer-file-leak]
560 | return -1;
| ^
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
| |
Spotted by gcc analyzer:
serv.c:1138:9: warning: call to 'exit' from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler]
1138 | exit(1);
| ^~~~~~~
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
| |
Spotted by gcc analyzer:
certtool-cfg.c:856:24: warning: use of possibly-NULL 'copy' where non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
856 | while (strcmp(pass, copy) != 0
| ^~~~~~~~~~~~~~~~~~
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
| |
Spotted by gcc analyzer:
psk.c:275:21: warning: use of possibly-NULL '_username.data' where non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
275 | if (strncmp(p, (const char *) _username.data,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
| |
"it's" is for contractions like "it is" or "it has". "its" is a
possessive pronoun, like "his" or "hers" or "theirs", none of which
have an apostrophe in them either.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If I try to generate an ed25519 key, it is *not* an ECDSA key. But I
see this warning:
0 dkg@host:~$ certtool --generate-privkey --provable --key-type ed25519
Generating a 256 bit EdDSA (Ed25519) private key ...
The --provable parameter cannot be used with ECDSA keys.
1 dkg@host:~$
Looking at the code and documentation, it's clear that --provable only
works for RSA and DSA. This fix aligns the warning message with the
underlying mechanism.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
|
| |
Suggested by Thomas Karlsson in:
https://gitlab.com/gnutls/gnutls/-/issues/1126
While this changes the default behavior, CDP can always be set through
the template or interactive input.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The patch set adds the backend implementation to use the Linux kernel
crypto API via the AF_ALG interface. The GnuTLS AF_ALG extension uses
libkcapi [1] as the backend library which implements the actual kernel
communication.
[1] http://www.chronox.de/libkcapi.html
The symmetric cipher support, the hashing and the MAC support are
validated to work correctly using NIST CAVS test vectors.
The AEAD cipher support was tested by connecting to a remote host using
gnutls-cli (the following log strips out unrelated information):
Processed 143 CA certificate(s).
...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
...
- Description: (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA512)-(AES-256-GCM)
- Session ID: 9E:5E:FC:09:2A:4E:2A:3D:22:44:68:42:C3:F6:2D:AB:F9:67:08:CE:6D:EE:E4:A2:EF:80:43:FE:3B:D9:1E:FE
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP384R1
- Curve size: 384 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA512
- Cipher: AES-256-GCM
- MAC: AEAD
- Options: extended master secret, safe renegotiation,
- Handshake was completed
- Simple Client Mode:
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Co-authored-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Hedgehog5040 <krenzelok.frantisek@gmail.com>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous issuer callback API had a drawback: the callback is
supposed to add CA to the trust list by itself. This was error-prone,
because the callback must check the new CA is trusted by the already
added CA. This instead moves the responsibility to the library.
This also rewrites the chain amendment logic in a side-effect free
manner. The application can assume that the trust information stored
on gnutls_x509_trust_list_t shouldn't change after the verification.
The missingissuer test has been extended to cover all the possible
patterns exhaustively.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
| |
GCC 10 warns this:
tests.c:702:2: error: 'siginterrupt' is deprecated: Use sigaction with SA_RESTART instead [-Werror=deprecated-declarations]
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
|
| |
The previous code didn't modify the pointer to the realloc'ed region
nor check overflow before calling realloc.
Spotted by Anderson Sasaki in:
<https://gitlab.com/gnutls/gnutls/-/merge_requests/1345#note_439063374>.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
| |
This also moves the hex encoding of key to write_key for readability
and makes file stream closing robuster.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
| |
Printing UTCTime really needs last 2 digits of the year.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
|
|
|
|
|
|
|
|
| |
gnutls-cli to
automatically download missing intermediate CAs in a certificate chain
lib/cred-cert.c : adds set and get APIs to get user data in the
gnutls_x509_trust_list_set_getissuer_function() callback.
Signed-off-by: Sahana Prasad <sahana@redhat.com>
|
|
|
|
|
|
| |
add option `--crlf` to gnutls-serv to disable replacing a received CRLF
by LF in echo mode (fixes #1073).
Signed-off-by: Albrecht Dreß <albrecht.dress@arcor.de>
|
|\
| |
| |
| |
| | |
doc: assorted typo fixes
See merge request gnutls/gnutls!1305
|
| |
| |
| |
| |
| |
| | |
Spotted by codespell.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|\ \
| | |
| | |
| | |
| | | |
cert-session: ensure that invalid flag is always set
See merge request gnutls/gnutls!1304
|
| |/
| |
| |
| |
| |
| |
| |
| | |
According to the documentation, the GNUTLS_CERT_INVALID flag must
always be set in case of verification failure, together with the flag
indicating the actual error cause.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|\ \
| |/
|/|
| |
| |
| |
| | |
Fix two issues about certtool and passwords
Closes #933 and #888
See merge request gnutls/gnutls!1268
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Do not encrypt certificate bag if the user has specified empty password
(--password ''). Encryption can be turned on by specifying
--empty-password.
Fixes #888
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make pin_callback() use cinfo->password if it is set (via command line
or from template).
Fixes #933
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|\ \
| | |
| | |
| | |
| | | |
build: minor fixes
See merge request gnutls/gnutls!1287
|