path: root/tests
Commit log (each entry: commit message, author, date, files changed, lines removed/added):
* Avoid &> redirection bashism in testsuite (Andreas Metzler, 2022-01-21, 2 files, -8/+8)
  Signed-off-by: Andreas Metzler <ametzler@bebt.de>
* tests: privkey-keygen: fix memory leak (Daiki Ueno, 2022-01-18, 1 file, -0/+1)
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* tests: suppress GCC -fanalyzer warnings (Daiki Ueno, 2022-01-16, 2 files, -1/+4)
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* tests: use more aliases in tests for better alias testing coverage (Alexander Sosedkin, 2022-01-15, 2 files, -7/+7)
  Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
* src: replace autoopts/libopts with minimal config parser (Daiki Ueno, 2022-01-15, 28 files, -1/+522)
  This replaces configuration file parsing code previously provided by <autoopts/options.h>, with a minimal compatible implementation.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'wip/dueno/build-fixes2' into 'master' (Daiki Ueno, 2022-01-12, 1 file, -1/+6)
  Minor build fixes before the 3.7.3 release
  See merge request gnutls/gnutls!1511
  * tests: simple: check if the digest algorithm is compiled in (Daiki Ueno, 2022-01-12, 1 file, -1/+6)
    When the library is built with --disable-gost, gnutls_digest_get_id returns GNUTLS_DIG_UNKNOWN for GOST algorithms.
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'curve-keygen-allowlist-test' into 'master' (Daiki Ueno, 2022-01-12, 3 files, -27/+291)
  Extend system-override-curves-allowlist test with key generation
  See merge request gnutls/gnutls!1500
  * tests: extend system-override-curves-allowlist with key generation (Alexander Sosedkin, 2021-12-20, 3 files, -5/+243)
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
  * tests: tweak system-override-curves-allowlist insignificantly (Alexander Sosedkin, 2021-12-20, 1 file, -26/+52)
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
* Merge branch 'wip/dueno/pkcs12' into 'master' (Daiki Ueno, 2022-01-12, 2 files, -3/+46)
  certtool: --to-p12: use modern algorithms by default
  See merge request gnutls/gnutls!1499
  * tests: check algorithms for generating PKCS#12 file (Daiki Ueno, 2022-01-11, 2 files, -3/+46)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* cipher-api-test: mention why it is written using fork (Daiki Ueno, 2022-01-08, 1 file, -0/+5)
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* fips: plumb service indicator to symmetric key crypto operations (Daiki Ueno, 2022-01-08, 2 files, -0/+75)
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
  Co-authored-by: Pedro Monreal <pmonrealgonzalez@suse.de>
* fips: plumb service indicator to public key crypto operations (Daiki Ueno, 2022-01-08, 3 files, -7/+323)
  This installs service indicator state transitions in certain public key operations in gnutls_crypto_pk_st, namely:
  * fallible operations
    - encrypt
    - sign
    - generate_keys
    - derive
  * infallible operations
    - decrypt, decrypt2
    - verify
  Other operations, such as generate_params, are not considered crypto operations. Note that the fallible operations above are those whose return value could indicate an error, while the infallible operations do not have a distinction between errors and failures: decrypt/verify failures are treated as a successful completion of the operation.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
  Co-authored-by: Pedro Monreal <pmonrealgonzalez@suse.de>
* p11tool: add --mark-always-authenticate option (Alon Bar-Lev, 2022-01-03, 1 file, -0/+36)
  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
* ktls: flags (Frantisek Krenzelok, 2021-12-16, 1 file, -3/+3)
  ktls enum flags API
  Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
* KTLS: API (Frantisek Krenzelok, 2021-12-15, 1 file, -37/+60)
  ktls is enabled by default; we can check if initialization was successful with gnutls_transport_is_ktls_enabled
  Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
* tests: fix out of tree builds with ASAN (Alexander Sosedkin, 2021-12-10, 2 files, -2/+2)
  Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
* tests: add protocol-set-allowlist (Alexander Sosedkin, 2021-12-10, 3 files, -1/+584)
  Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
* tests: add tcp_connect to utils (Alexander Sosedkin, 2021-12-09, 3 files, -2/+25)
  Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
* x509 CT: Add tests (Ander Juaristi, 2021-12-04, 2 files, -1/+312)
  Signed-off-by: Ander Juaristi <a@juaristi.eus>
* Merge branch 'wip/dueno/config-allowlisting' into 'master' (Daiki Ueno, 2021-11-29, 6 files, -0/+489)
  priority: support allowlisting in configuration file
  Closes #1172
  See merge request gnutls/gnutls!1427
  * priority: support allowlisting in configuration file (Daiki Ueno, 2021-11-29, 6 files, -0/+489)
    This adds a new mode of interpreting the [overrides] section. If "override-mode" is set to "allowlisting" in the [global] section, all the algorithms (hashes, signature algorithms, curves, and versions) are initially marked as insecure/disabled. Then the user can enable them by specifying allowlisting keywords such as "secure-hash" in the [overrides] section.
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
    Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>
* build: update to use the latest valgrind-tests module from Gnulib (Daiki Ueno, 2021-11-27, 3 files, -4/+11)
  This adjusts the existing valgrind invocations in the test suite in line with https://www.gnu.org/software/gnulib/manual/html_node/Valgrind-options.html:
  - make the --suppressions option per directory, using AM_VALGRINDFLAGS
  - use LOG_VALGRIND for LOG_COMPILER
  - quote '$(LOG_VALGRIND)' in TESTS_ENVIRONMENT
  - move the gl_VALGRIND_TESTS_DEFAULT_NO call before gl_INIT
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* locks: use once execution for on-demand initialization of globals (Daiki Ueno, 2021-11-17, 1 file, -0/+3)
  This makes sure that the global variables are initialized only once. Most of those variables are initialized in an ELF constructor, though on a couple of occasions they are initialized on demand: the global keylog file pointer and the TPM2 TCTI context. To properly protect the initialization this patch uses gl_once provided by Gnulib.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'wip/dueno/tpm2' into 'master' (Daiki Ueno, 2021-11-14, 2 files, -0/+225)
  Port openconnect TPM2 code
  Closes #594
  See merge request gnutls/gnutls!1460
  * Port openconnect TPM2 code (Nikos Mavrogiannopoulos, 2021-11-13, 2 files, -0/+225)
    This introduces transparent loading of TPM2 keys which are in PEM form by gnutls_privkey_import_x509_raw() and higher level functions which wrap it.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
    Co-authored-by: David Woodhouse <dwmw2@infradead.org>
    Co-authored-by: Daiki Ueno <ueno@gnu.org>
* tests: set $abs_top_builddir in more places (Alexander Sosedkin, 2021-11-10, 4 files, -0/+4)
  `$abs_top_builddir` has been used all across tests' subdirectories (through tests/scripts/common.sh) but has only been defined for tests/suite/ ones. Defining it in other Makefiles where `top_builddir` is being passed.
  Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
* tests: add system-override-hash-influences-prf (Alexander Sosedkin, 2021-10-21, 2 files, -1/+90)
  Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
* ktls: basic implementation of SW mode (Hedgehog5040, 2021-10-19, 2 files, -0/+286)
  ktls enables us to offload encryption/decryption to the kernel.
  Prerequisites:
  - configured with `--enable-ktls`
  - tls module loaded (`modprobe tls`); check with 'lsmod | grep tls'
  - per connection: gnutls_transport_set_int{2} must be set
  When the prerequisites are met, ktls is used by default. If GnuTLS encounters an error during KTLS initialization, it will not use ktls and will fall back to userspace.
  Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
* Merge branch 'x25519-and-x448' into 'master' (Daiki Ueno, 2021-09-23, 3 files, -1/+112)
  certtool: generate, parse, and manipulate X25519 and X448 pubkeys, privkeys, and certificates
  See merge request gnutls/gnutls!1428
  * tests: add test for generating x25519 and x448 certificates (Daniel Kahn Gillmor, 2021-09-17, 2 files, -1/+102)
    These certs should work just fine for the purposes of cryptographic e-mail (S/MIME). These usage flags are also used in the end-entity certificates found in https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/
    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  * tests: update details about sample X25519 certificate (Daniel Kahn Gillmor, 2021-09-17, 1 file, -0/+10)
    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* wrap_nettle_hash_exists: add missing hash algorithms (Daiki Ueno, 2021-09-20, 1 file, -2/+14)
  This adds SHAKE-128, SHAKE-256, and RIPEMD-160 to the algorithms supported by nettle. While SHAKEs are not a hash algorithm but an XOF, it would be consistent to report they are implemented. The simple test is expanded to exercise the code path (gnutls_digest_get_id → wrap_nettle_hash_exists).
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* tests: use PYTHONPATH instead of creating symlinks in srcdir (Daiki Ueno, 2021-09-07, 1 file, -4/+4)
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* tls-fuzzer: update submodules to the latest (Daiki Ueno, 2021-09-07, 3 files, -0/+0)
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* testcompat-openssl-tls13-cli.sh: disable early data testing (Daiki Ueno, 2021-09-07, 1 file, -33/+33)
  This test is causing intermittent failure quite often in the CI. Let's temporarily disable it until the cause is properly investigated.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* testcompat-openssl-tls13-cli.sh: use different tmpdirs for sub-tests (Daiki Ueno, 2021-09-07, 1 file, -2/+2)
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* tests: rework port locking (Daiki Ueno, 2021-09-07, 2 files, -29/+27)
  This makes the locking logic per port, not per entire make process. It also makes use of absolute paths for the locking directory, so that tlsfuzzer tests can use it.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'fix-tls13-post-hanshake-with-cert' into 'master' (Daiki Ueno, 2021-09-01, 1 file, -4/+5)
  tests/tls13/post-handshake-with-cert: avoid a race condition
  See merge request gnutls/gnutls!1464
  * tests/tls13/post-handshake-with-cert: avoid a race condition (Alexander Sosedkin, 2021-08-30, 1 file, -4/+5)
    A server tries to close the connection and kill the client after reauth. The client, in turn, attempts to send data in some cases. This patch makes the server wait for the client to terminate first.
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
* tests: remove unused `terminate` from 2 tests (Alexander Sosedkin, 2021-08-30, 2 files, -18/+0)
  Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
* tests: add a safeguard to terminate() (Alexander Sosedkin, 2021-08-30, 53 files, -35/+74)
  Add a safeguard to `terminate()` so that we don't kill whole pgroups.
  Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
* tests: don't kill whole pgroups (Alexander Sosedkin, 2021-08-27, 16 files, -60/+60)
  `terminate()` executed from the child process results in a `kill(0, SIGTERM)`, bringing the whole pgroup down. `exit(1)` should be called instead.
  Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
* x509: pin/password callback support for openssl encrypted private keys (Craig Gallek, 2021-08-15, 1 file, -0/+71)
  This attempts to use the registered pin callback when the password for an encrypted openssl private key is not supplied. This matches the functionality for PKCS8 sealed keys above and is similar to what openssl does in this situation.
  Signed-off-by: Craig Gallek <cgallek@gmail.com>
* Merge branch 'wip/dueno/asan-poisoning' into 'master' (Daiki Ueno, 2021-08-10, 1 file, -13/+15)
  mem: instrument with ASan memory poisoning as well as valgrind
  Closes #1260
  See merge request gnutls/gnutls!1458
  * mem: instrument with ASan memory poisoning as well as valgrind (Daiki Ueno, 2021-08-09, 1 file, -13/+15)
    This makes it possible to catch undefined memory access in the more lightweight CI runs.
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* pk: add flags to force RSA-PSS salt length to match digest length (Daiki Ueno, 2021-08-07, 1 file, -41/+98)
  This adds a couple of flags to RSA-PSS signing and verification, to enforce that the salt length matches the digest length. That is not only recommended in RFC 4055, but also mandated in RFC 8446 in the TLS 1.3 context.
  Signed-off-by: Daiki Ueno <ueno@gnu.org>
* tests: tls13/key_share: rewrite as single process (Daiki Ueno, 2021-08-04, 1 file, -159/+57)
  Signed-off-by: Daiki Ueno <ueno@gnu.org>