| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
The macro was intended to avoid non-recoverable errors during library
initialization, but the code path has been removed in commit
3963518d067a64412bbe0aa9ce5fc33ae729c15f.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, to enable the FIPS140-2 mode, both /etc/system-fips and
the fips=1 kernel command line need to be set. While this was
designed to be consistent, the convention is not well followed by the
other crypto libraries and the former tends to be ignored. This
aligns the behavior to the latter, i.e. if fips=1 is set, the library
enables the FIPS140-2 mode regardless of the existence of
/etc/system-fips.
Suggested by Alexander Sosedkin.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |\
| |
| |
| |
| | |
Decode certificate policies OIDs
See merge request gnutls/gnutls!1245
|
| | |
| |
| |
| |
| |
| |
| | |
Add Russian Security Class certificate policies (per
draft-deremin-rfc4491-bis).
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Add ability to print names for several pre-defined Certificate policies.
Currently the list is populated with anyPolicy from X.509 and CA/B
policies.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| |\ \
| |/
| |
| |
| | |
PKCS7 attribute printing update
See merge request gnutls/gnutls!1246
|
| | |
| |
| |
| |
| |
| | |
Use new function to remove code duplication.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Basically export print_pkcs7_info() in a way usable by external
applications.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Try printing symbolic names for well-known OIDs when printing PKCS7
signature info.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Make oid to name conversion functions generic enough by allowing caller
to specify a pointer to OID table.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| |\ \
| |/
|/|
| |
| | |
fips: leftover fixes
See merge request gnutls/gnutls!1243
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Nettle's RSA signing, encryption and decryption functions still
require randomness for blinding, so fallback to use a fixed buffer in
selftests where entropy might not be available.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |\ \
| | |
| | |
| | |
| | | |
accelerated: use AES-NI for AES-XTS when available
See merge request gnutls/gnutls!1244
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
This introduces a wrapper for the CRYPTOGAMS AES-XTS implementation
already present in the generated assembly code.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
| | |/
| |
| |
| | |
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
| |\ \
| |/
|/|
| |
| | |
gnutls-cli: Add option to wait longer for resumption data
See merge request gnutls/gnutls!1232
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces the --waitresumption command line option which makes the
client to wait for the resumption data until a ticket is received under
TLS1.3. The client will block if no ticket is received. The new option
has no effect if the option --resume is not provided.
This is useful to force the client to wait for the resumption data when
the server takes long to send the ticket, allowing the session
resumption to be tested. This is a common scenario in CI systems where
the testing machines have limited resources.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
| |\
| |
| |
| |
| |
| |
| | |
nettle: expose SIV-CMAC through the AEAD interface
Closes #974 and #463
See merge request gnutls/gnutls!1238
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds a couple of new cipher algorithms GNUTLS_CIPHER_AES_128_SIV
and GNUTLS_CIPHER_AES_256_SIV, exposing nettle_siv_cmac_aes{128,256}*
functions. Note that they can only used with the AEAD interface and
authentication tags are prepended (not appended) to the ciphertext.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| |
| |
| | |
This script will handle other backports except ECC as well.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Given the fixed version of the function will be part of Nettle 3.6,
use pkg-config --atleast-version instead of a manually comparison of
the Nettle version.
Fixes #974.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\ \
| |/
|/|
| |
| |
| |
| | |
New make target 'update-copyright-year'
Closes #980
See merge request gnutls/gnutls!1241
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We don't want to automatically update the copyright year as this
prevents reproducible builds.
Instead, 'make update-copyright-year' has to be executed at the
start of each new year and the changes have to be pushed.
Closes #980
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |\ \
| | |
| | |
| | |
| | |
| | |
| | | |
doc: expand GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE description on RSA-PSS [ci skip]
Closes #953
See merge request gnutls/gnutls!1242
|
| | |/
| |
| |
| |
| |
| |
| |
| | |
For RSA-PSS, this flag alone doens't fully enable reproducible
signatures and the user needs to indicate the fact that a zero-length
salt is used through SPKI upon verification.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
| |\ \
| |/
|/|
| |
| | |
gost: use gostdsa-vko from nettle 3.6rc2
See merge request gnutls/gnutls!1239
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Do not include gmp.h header, <nettle/bignum.h> conflicts with it in
mini-gmp configuration and includes this header on it's own in
non-mini-gmp config.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| | |
SRP test times out if running on the GitLab CI with mini-gmp version of
Nettle. Increase timeouts to let the test pass.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Wget/Wget2 OSS-Fuzz builders use mini-gmp version of nettle. Check that
we do not break them occasionally.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Now as we have upgraded Nettle to 3.6rc3 (which includes gostdsa_vko),
use this function from imported nettle sources.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| |/
|
|
|
|
|
|
| |
Update imported nettle version to 3.6rc3. This will bring in updated
gmp-glue code and a possiblity to use gostdsa-vko imported from nettle
sources.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| |\
| |
| |
| |
| | |
gnutls_session_ext_register: keep track of extension name
See merge request gnutls/gnutls!1224
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously it discarded the name argument, and that was making the
debug output awkward, e.g., running tests/tls-session-ext-register -v:
client|<4>| EXT[0x9cdc20]: Preparing extension ((null)/242) for 'client hello'
client|<4>| EXT[0x9cdc20]: Preparing extension ((null)/241) for 'client hello'
client|<4>| EXT[0x9cdc20]: Sending extension (null)/241 (2 bytes)
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This adds a generalized version of gnutls_ext_get_name, which can
retrieve the name of the extension, even if it is registered per
session.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |\ \
| | |
| | |
| | |
| | | |
fips: check library soname during configure
See merge request gnutls/gnutls!1231
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously, we hard-coded the sonames of linked libraries for FIPS
integrity checking. That required downstream packagers to manually
adjust the relevant code in lib/fips.c, when a new interface version
of the dependent libraries (nettle, gmp) becomes available and linked
to libgnutls.
This patch automates that process with the configure script.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |\ \
| |/
|/|
| |
| | |
gost: update gostdsa_vko to follow Nettle
See merge request gnutls/gnutls!1237
|
| |/
|
|
|
|
| |
Update gostdsa_vko() following changes going to be accepted into Nettle.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| |\
| |
| |
| |
| | |
handshake-tls13: add session flag to disable sending session tickets
See merge request gnutls/gnutls!1234
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
While GnuTLS by default implicitly sends NewSessionTicket during
handshake, application protocols like QUIC set a clear boundary
between "in handshake" and "post handshake", and NST must be sent in
the post handshake state.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |\ \
| | |
| | |
| | |
| | | |
build: attempt to fix build issues on FreeBSD
See merge request gnutls/gnutls!1236
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
BSD sed does not like \n and \0 in string substitution. Workaround this
by using sed magic.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| |\ \ \
| |/ /
|/| |
| | |
| | | |
xts: check key block according to FIPS-140-2 IG A.9
See merge request gnutls/gnutls!1233
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The implementation guidance suggests that a check of key1 != key2
should be done at any place before the keys are used:
https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Module-Validation-Program/documents/fips140-2/FIPS1402IG.pdf
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |\ \ \
| |/ /
|/| |
| | |
| | | |
Stop using Nettle and Hogweed internal symbols
See merge request gnutls/gnutls!1235
|
| | | |
| | |
| | |
| | |
| | |
| | | |
lib/nettle/curve448
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Check that GnuTLS does not depend on Nettle/Hogweed internal symbols.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Nettle's poly1305 code ended up with internal symbol _poly1305_block in
public header. This causes issues on Nettle version changes. Since those
symbols are going to become nettle-internal, vendor in relevant source
file.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
