| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
This patch tries to make the code have the same time and memory access
aptterns across all branches of the decryption function so that timining
or cache side channels are minimized or neutralized.
To do so it uses a new nettle rsa decryption function that is
side-channel silent.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
|
|
|
|
|
|
| |
It looks like Mac OS X's grep has issues with applying basic regexps
with alternation operator inside. Use several grep calls in pipeline to
achieve the same result.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |
|
|
|
|
|
| |
Use --outfile instead of output redirection to stop CR from sneaking
into temp file. Extra CR symbols make grep choke on that file.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |
|
|
|
|
|
|
| |
This fixes a truncation issue in session description information printing
for certain ciphersuites, and adds a limited testing of expected description
strings for certain ciphersuites.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |\
| |
| |
| |
| | |
Fix some minor issue in the TPM test cases
See merge request gnutls/gnutls!814
|
| | |
| |
| |
| |
| |
| |
| | |
Use kill_proc to terminate a process by first sending it SIGTERM,
waiting max. 1 second and then use SIGKILL.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
| | |
| |
| |
| |
| |
| |
| | |
The dash shell doesn't seem to understand &>/dev/null, so use
>/dev/null to quiet down the help screen check.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It can happen that an application due to a misconfiguration, enables TLS1.3
in combination with TLS1.0 or TLS1.1 only. In that case a server which is
unaware of the TLS1.3 protocol will reply by selecting the TLS1.2 protocol
instead and that answer will be rejected by the client. With this change
we ensure that TLS1.3 is not enabled in these problematic scenarios.
Resolves: #621
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Disable text output if --no-text option was given for --p7-info and
--p12-info.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| |
| |
| | |
Print all pkcs12-info output to outfile, rather than stderr.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| | |
This test only checks the behavior of _gnutls_anti_replay_check, thus
session is not needed at all.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |\ \
| |/
|/|
| |
| |
| |
| | |
Added support for Ed25519 keys under PKCS#11
Closes #417
See merge request gnutls/gnutls!812
|
| | |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Tested with softHSM 2.5.0
Resolves #417
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| |
| |
| | |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |\ \
| |/
|/|
| |
| | |
gnutls_certificate_type_get*: ensure that the default type is returned
See merge request gnutls/gnutls!806
|
| | |
| |
| |
| |
| |
| | |
Also set a link to the kernel coding style in CONTRIBUTIONS.md
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
That is, ensure that unless we negotiate something else than
X509, the default certificate type is returned to applications.
Previously we wouldn't do that for TLS1.3 resumed sessions, and
we would return zero (invalid type) instead.
That addresses issues with applications checking explicitly
for X509 certificate type being present.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |/
|
|
|
|
| |
Also exercise this in testcompat-tls13-openssl.sh.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |\
| |
| |
| |
| | |
tests: tpm: Add a test case for tpmtool
See merge request gnutls/gnutls!807
|
| | |
| |
| |
| |
| |
| |
| | |
Extend the tpmtool test case to also test without the --register
parameter.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This test case exercises tpmtool and uses certtool to create a
self-signed certificate with the TPM. It uses swtpm as TPM emulator and
configures tcsd to talk to swtpm.
Extend the Readme.md with the packages needed for TPM support and TPM test
support.
This test case needs to be run as root since tcsd needs to be started
as root.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
| |\ \
| | |
| | |
| | |
| | | |
Improve support of GOST private keys parsing
See merge request gnutls/gnutls!802
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add a test for parsing and decoding GOST private keys in different
formats, incuding encrypted keys.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |\ \ \
| |/ /
|/| |
| | |
| | |
| | |
| | | |
updates in anti-replay subsystem
Closes #610
See merge request gnutls/gnutls!805
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The new function was not sharing anything with the existing
gnutls_db_* backend, and moving it to anti_replay structure
is more clean and allows for deviations from the old API
conventions (e.g., now we can pass pointers for efficiency
and pass the expiration time as part of the call).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Resolves #610
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| | |
This verifies whether the behavior of GNUTLS_CERT_IGNORE, GNUTLS_CERT_REQUEST
and GNUTLS_CERT_REQUIRE is consistent accross protocols.
Relates #615
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |/
|
|
|
|
|
| |
Add test example demonstrating indefinite-length BER encoding of PKCS#7
data.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| |\
| |
| |
| |
| |
| |
| | |
add support for 0-RTT
Closes #127
See merge request gnutls/gnutls!775
|
| | |
| |
| |
| |
| |
| |
| | |
This implements ClientHello recording outlined in section 8.2 of RFC
8446.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This would be particularly useful when the same database is used to
store long-lived TLS 1.2 session data and short-lived TLS 1.3
anti-replay entries. Note that the existing gnutls_db_check_entry
doesn't fit in this use-case, as it takes gnutls_session_t as the
argument.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |/
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
|
|
|
|
|
| |
DSA uses 1024-bit parameters, and these together with curves of
less than 256 bits are not accepted by debian's openssl.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |\
| |
| |
| |
| |
| |
| | |
gnutls_priority_init: ignore CTYPE-OPENPGP options
Closes #593
See merge request gnutls/gnutls!789
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In GnuTLS 3.6.0 we dropped support for openpgp keys, however
the CTYPE-OPENPGP is often seen in applications, sometimes
as -CTYPE-OPENPGP to ensure it is not enabled. We simply
ignore this priority string when seen, to avoid preventing
these applications from running.
Resolves #593
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |/
|
|
|
|
|
| |
Previously it had assumed that TLS 1.2 servers don't send the
extension, while actually it can be present in ServerHello.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
When an application would re-set priorities prior to a rehandshake
we would override the negotiated version with the highest supported,
something which may lead to issues. This disables that unnecessary
version override. See:
https://bugzilla.redhat.com/show_bug.cgi?id=1634736
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
While gettime() is extensively used in the code, the library
previously hadn't provided a way to replace it for testing. This adds
a new internal function _gnutls_global_set_gettime_function and makes
use of it through virt-time.h.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |\
| |
| |
| |
| | |
fips140: aligned code with documentation
See merge request gnutls/gnutls!781
|
| | |
| |
| |
| |
| |
| |
| | |
That is, we introduce the documented but unimplemented macros
GNUTLS_FIPS140_SET_LAX_MODE() and GNUTLS_FIPS140_SET_STRICT_MODE().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
