Andreas Metzler [Sun, 14 Apr 2019 15:25:31 +0000 (15:25 +0000)]
Fix link error with gcc-9
Use LDADD instead of LDFLAGS to link test cipher-openssl-compat against
libcrypto. This fixes a build error with gcc9 which passes the linker
option --as-needed by default.
tests: fix race condition in tls13/post-handshake-with-cert-pkcs11
The test had a strange setup of server/client processes: the server
runs in a child process and the client runs in a parent process. The
intention behind this was to detect softhsm availability in the parent
process and exit with 77 if missing. However, there was a potential
race when the server exits and proceeds to the next call of start().
This fixes the process setup and moves the softhsm detection at the
program startup.
guile has three settings acquired from system:
* GUILE_SITE
* GUILE_SITE_CCACHE
* GUILE_EXTENSION
The <guile-2.2 m4 macro exposed only GUILE_SITE while build tried to guess the
other variables based on the $libdir of the gnutls which may be different.
The >=guile-2.2 m4 macro provides all settings for build to use as default,
while allowing to override each.
Marius Bakke [Tue, 9 Apr 2019 12:17:09 +0000 (14:17 +0200)]
Makefile.am: Don't assume autoopts-config returns a single dash.
On distributions such as Nix or Guix, `autoopts-config libsrc` may
return something along the lines of
"/gnu/store/...-autogen-5.18.16/share/autogen/libopts-42.1.17.tar.gz".
* Makefile.am (libopts-check): Print only the last field from
autoopts-config output.
This adds libpkcs11mock2.so, which wraps SoftHSM but filters out the
use of the CKM_RSA_PKCS_PSS mechanism. That way we can simulate the
situation where the certificate is RSA while the private key cannot be
used for RSA-PSS.
nettle: include config.h before checking for definitions
This makes sure that we don't include the internal backport
if compiled with a version of nettle that includes that code.
We also exclude nettle/backport from the static analyzer's list
as it contains files outside our control (from nettle project).
cert auth: reject auth if no signature algorithm is usable in TLS 1.3
Previously, when there is no overlap between usable signature
algorithms and the "signature_algorithms" extension in Certificate
Request, the client failed in sending Certificate Verify, followed by
a connection close. In TLS 1.3, it is possible to keep the connection
but reject the authentication by not sending Certificate Verify.
Simo Sorce [Fri, 29 Mar 2019 18:01:14 +0000 (14:01 -0400)]
Fix check_if_signed
Fix the target branch we check against by adding upstream as remote.
Drop the use of set -e as this causes the shell to immediately exit on
errors instead of allowing the code to check the failure and report what
it faled about.
Also print which commits are being checked and what information was found
so that a CI failure can be better diagnosed.
Simo Sorce [Fri, 19 Oct 2018 19:53:27 +0000 (15:53 -0400)]
Vendor in XTS functionality from Nettle
If nettle's XTS is not available, use a vendored in version from master.
This is necessary as long as we need to link against 3.4 for ABI
compatibility reasons.
Ke Zhao [Thu, 21 Mar 2019 15:27:24 +0000 (11:27 -0400)]
gnutls-cli: Fix output with option "--logfile"
The X.509 connection would still print informational message to the
stdout by default. Move that output to logfile and add x509 functionality
test in the test suite.
handshake: increase the default number of tickets we send to 2
This makes it easier for clients which perform multiple connections
to the server to use the tickets sent by a default server. That's
because 2 tickets allow for 2 new connections (if one is using each
ticket once as recommended), which in turn lead to 4 new and so on.
Improved estimation of wait in gnutls_session_get_data2
Previously we would wait an arbitrary value of 50ms for the
server to send session tickets. This change makes the client
wait for the estimated single trip time + 60 ms for the server
to calculate the session tickets. This improves the chance
to obtain tickets from internet servers during the call of
gnutls_session_get_data2().
Ke Zhao [Wed, 6 Mar 2019 18:23:24 +0000 (13:23 -0500)]
gnutls-cli: Add option "--logfile" to redirect information message output
First, add an option "--logfile" so user could choose a specific file to
store all the informational messages. In some cases, informational
messages may cause unexpected result if the output is standard output.
With this option, user could redirect these messages to a specific
file. This will be helpful in testing and tracking.
Second, replace printf() function with log_msg() function
This log_msg() function is used when "--logfile" is enabled.
Third, add a functionality test for "--logfile" option
Add a test script to test if "--logfile" option works as it should be.
We expand informational comments on limitations, but with removing
FIXME (keyword didn't help fixing these), and remove completely unhelpful
comments, obsolete ones, or comments about ideas.
SECURITY.md: updated to reflect the current practice [ci skip]
This change updates the SECURITY guidelines to reflect the current
practice (no special security releases), and thus refer directly
to the upcoming or following release. Furthermore, it removes
any mention of absolute time, as the release cadence is already
fixed to bi-monthly.
This directory had a makefile which was intended to calculate the cyclomatic
complexity, however that was not functional, and not related with gnutls'
documentation.
gnutls_record_send2: try to ensure integrity of operations on false and early start
This adds a double check in the sanity check of gnutls_record_send2()
for the initial_negotiation_completed value, making sure that the
check will be successful even in parallel operation of send/recv.
Make false start and early start multi-thread recv/send safe
An application that is sending and receiving from different threads
after handshake is complete cannot take advantage of false start because
gnutls_record_send2() detects operations during the handshake process
as invalid.
Because in early start and false start the remaining handshake process needs
only to receive data, and the sending side is already set-up, this error
detection is bogus. With this patch we remove it.
projects / thirdparty / gnutls.git / log
