| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
It can happen that an application due to a misconfiguration, enables TLS1.3
in combination with TLS1.0 or TLS1.1 only. In that case a server which is
unaware of the TLS1.3 protocol will reply by selecting the TLS1.2 protocol
instead and that answer will be rejected by the client. With this change
we ensure that TLS1.3 is not enabled in these problematic scenarios.
Resolves: #621
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |\
| |
| |
| |
| |
| |
| | |
certtool: don't output textual information if --no-text was given
Closes #487
See merge request gnutls/gnutls!810
|
| | |
| |
| |
| | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Disable text output if --no-text option was given for --p7-info and
--p12-info.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| |
| |
| | |
Print all pkcs12-info output to outfile, rather than stderr.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |/
|
|
|
|
|
|
|
| |
Change privkey/certificate/CRL/CSR handling to disable text output if
--no-text option was given.
Closes #487
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |\
| |
| |
| |
| | |
Minor fixes towards 3.6.5
See merge request gnutls/gnutls!818
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| | |
| |
| |
| |
| |
| |
| | |
Unlike the ".c.c.bak:" and ".h.h.bak:" rules, ".def.stamp:" needs this
adjustment because the source files (*.bak) are not provided as $<.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |/
|
|
|
|
|
| |
This test only checks the behavior of _gnutls_anti_replay_check, thus
session is not needed at all.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This also corrects the GOST R 34.10-2012-512-TC26-512-A self
test.
Relates: #597
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |\
| |
| |
| |
| |
| |
| | |
Added support for Ed25519 keys under PKCS#11
Closes #417
See merge request gnutls/gnutls!812
|
| | |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Tested with softHSM 2.5.0
Resolves #417
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| |
| |
| | |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |\ \
| |/
|/|
| |
| | |
gnutls_certificate_type_get*: ensure that the default type is returned
See merge request gnutls/gnutls!806
|
| | |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| |
| |
| |
| |
| | |
Also set a link to the kernel coding style in CONTRIBUTIONS.md
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
That is, ensure that unless we negotiate something else than
X509, the default certificate type is returned to applications.
Previously we wouldn't do that for TLS1.3 resumed sessions, and
we would return zero (invalid type) instead.
That addresses issues with applications checking explicitly
for X509 certificate type being present.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |\ \
| |/
|/|
| |
| | |
Fix max_early_data_size handling
See merge request gnutls/gnutls!811
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| |
| |
| |
| |
| | |
Also exercise this in testcompat-tls13-openssl.sh.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |/
|
|
|
|
| |
session->security_parameters.max_early_data_size is initially set to 0.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
[ci skip]
That clarifiesthe intention, and adds warning of using this flag when
multiple threads are involved. Based on suggestion by Michael Catanzaro.
Relates: #615
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
|
|
|
|
| |
This will include the TPM subsystem in the coverage report.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |\
| |
| |
| |
| | |
tests: tpm: Add a test case for tpmtool
See merge request gnutls/gnutls!807
|
| | |
| |
| |
| |
| |
| |
| | |
Extend the tpmtool test case to also test without the --register
parameter.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This test case exercises tpmtool and uses certtool to create a
self-signed certificate with the TPM. It uses swtpm as TPM emulator and
configures tcsd to talk to swtpm.
Extend the Readme.md with the packages needed for TPM support and TPM test
support.
This test case needs to be run as root since tcsd needs to be started
as root.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
| | |
| |
| |
| | |
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
| | |
| |
| |
| | |
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
| | |
| |
| |
| | |
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
| |\ \
| | |
| | |
| | |
| | | |
Improve support of GOST private keys parsing
See merge request gnutls/gnutls!802
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add a test for parsing and decoding GOST private keys in different
formats, incuding encrypted keys.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
If password is specified on command line currently certtool will always
output encrypted pkcs8 file. Add `--pkcs-cipher none' allowing one to
force certtool to output unencrypted private keys.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Use size_t for size variables instead of mp_limb_t (data type rather
than size type).
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add support for yet another representation of GOST private keys:
LE-formatted number encoded into pkcs-8-PrivateKeyInfo.privateKey
without any additional encapsulation.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
New Russian reccomendation defines 'key masking' in the form of
several concatenated numbers, which must be multiplied modulo Q to get
private key.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |\ \ \
| |/ /
|/| |
| | |
| | |
| | |
| | | |
updates in anti-replay subsystem
Closes #610
See merge request gnutls/gnutls!805
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The new function was not sharing anything with the existing
gnutls_db_* backend, and moving it to anti_replay structure
is more clean and allows for deviations from the old API
conventions (e.g., now we can pass pointers for efficiency
and pass the expiration time as part of the call).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Resolves #610
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
