| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
Previously we were returning an internal error which seems to be incorrect
in that case.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
This introduces tests for zero-data transfers with padding as well
as padding and de-padding with safe padding flag set.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces the gnutls_init() flag GNUTLS_SAFE_PADDING_CHECK
which makes the TLS1.3 safe padding check optional. That way applications
which do not utilize the TLS1.3 padding do not get penalized by the performance
drop in TLS1.3 packet processing. This addresses a regression in TLS1.3
packet processing performance.
Resolves: #466
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This documents the fact that a TLS session ID cannot be relied
to be unique or to even have a meaningful value.
Resolves #484
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| | |
Fix make files-update for out-of-tree builds
See merge request gnutls/gnutls!674
|
| |
| |
| |
| |
| |
| |
| | |
Move autogen'ed files update to src/Makefile.am to simplify code and
support out-of-tree builds.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|/
|
|
| |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
| |
Relates #475
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\
| |
| |
| |
| | |
Makefile.am: abi-check: fetch fresh tags
See merge request gnutls/gnutls!668
|
|/
|
|
|
|
|
| |
This addresses the issue of failed abi-check CI runs on
forked repositories.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
| |
These are no longer necessary for FIPS140-2 compliance.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| | |
Fix usage of 'autoreconf'
See merge request gnutls/gnutls!667
|
|/
|
|
|
|
|
|
|
|
|
| |
'autoreconf' created a different configure script than ./bootstrap.
The result was a broken wchar.h that failed to compile.
The work-around was 'autoreconf -I gl/m4' which is not what a developer
expects. This patch moves gl/m4/* to m4/ which is the default include dir
for autoreconf.
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't use AC_CHECK_FUNCS for these functions, but actually test by
including the real header that defines the functions. This allows
the macOS version selection work as intended, making the references
to these functions weak if targeting a version of macOS where these
functions aren't available. Thanks to -no_weak_imports, these weak
references end up in failed linker tests, marking the functions as
unavailable.
This fixes issue #142.
Signed-off-by: Martin Storsjo <martin@martin.st>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function is available since macOS 10.12, but it's in
sys/random.h on macOS, contrary to the other platforms supporting
it where it is present in unistd.h.
If we don't include the right header that declares the function
and its availability, the configure check would succeed even if
targeting older versions of macOS that lacks the function.
Also include the same header in the source file that actually
uses getentropy.
Signed-off-by: Martin Storsjo <martin@martin.st>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This avoids linking to functions that aren't available in the
lowest targeted macOS version.
If the proper header declaring a function is included, and
gnutls is built with -mmacosx-version-min or the
MACOSX_DEPLOYMENT_TARGET environment variable is set, each
reference to a function that doesn't exist in the minimum
targeted version will be made a weak reference, so that loading
the binary still works, but the function pointer will resolve
to NULL if running on a version of the platform that lacks it.
Since this project doesn't do such runtime checks for functions
it expects to have available, we should instead add this linker
option to fail on the weak references. This allows autoconf to
work as intended, detecting that these functions aren't usable.
This flag appeared in Xcode 8, so check for its availability
before using it. (Xcode 8 and the 10.12 SDK is coincidentally
the release where most relevant new functions appeared, so with
older Xcode versions, the modern platform functions we might want
to avoid don't exist.)
See issue #142.
Signed-off-by: Martin Storsjo <martin@martin.st>
|
|
|
|
|
|
|
| |
The duplicate was added in 5bb8a18b without any specific reasoning
as to why.
Signed-off-by: Martin Storsjo <martin@martin.st>
|
|\
| |
| |
| |
| |
| |
| | |
update tlsfuzzer with TLS 1.3 HRR test
Closes #469
See merge request gnutls/gnutls!664
|
| |
| |
| |
| |
| |
| | |
Also enable test-tls13-hrr.py.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| |
| |
| |
| | |
In the TLS 1.3 middlebox compatibility mode, CCS follows the first
handshake message sent from the server, that is either SH or HRR.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| |
| |
| | |
callback is set
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
|
|
|
|
| |
Under TLS 1.3, when the server sent HRR, CCS may be followed by
receiving ClientHello. In that case, the messsage shouldn't be
cached.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\
| |
| |
| |
| |
| |
| | |
Introduce an iovec API for encryption
Closes #458
See merge request gnutls/gnutls!653
|
| |
| |
| |
| |
| |
| |
| | |
This prevents an abi-compliance checker error when run under
gcc8 (though this error is not there under any other gcc).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This eliminates the need of a memory allocation during each
packet encryption when no padding is done.
Relates #458
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This API allows encryption using a scatter input, by also
taking advantage of ciphers which are optimized for such input.
That is particularly useful under TLS1.3 since its encryption is
based on encryption of scattered data (data+pad).
Resolves #458
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|/
|
|
|
|
|
|
| |
This was not necessary since that value was only used by block
(in TLS sense) ciphers, but that definition could also be used
for the CHACHA20.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| | |
Gnulib bootstrap, fix 'make distcheck' and more...
See merge request gnutls/gnutls!641
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We can't simply remove the checks for HAVE_SYS_SOCKET_H.
If we do, we have to make checks on real WIN32, which
is currently not an option.
So we skip sc_prohibit_always_true_header_tests.
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|