Makefile.am: Don't assume autoopts-config returns a single dash.

See merge request !976

p11tool: copy vendor query attributes when listing privkeys

See merge request !982

prf: add function to retrieve early keying material

Closes #736 and #329

See merge request !894

Signed-off-by: Daiki Ueno <dueno@redhat.com>

On 32-bit platform, struct timespec.tv_sec can be signed 32-bit and
thus right shifting 32 could be an undefined behavior.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

When checking datefudge availability under cross-compiling environment
with a binfmt wrapper, it is not sufficient to check against the host
executable.  This instead uses a test executable compiled for the
target architecture.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

This adds --keymatexport and --keymatexportsize options to both
gnutls-serv and gnutls-cli.  Those would be useful for testing
interoperability with other implementations.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

This adds a new function gnutls_prf_early, which shall be called in a
handshake hook waiting for GNUTLS_HANDSHAKE_CLIENT_HELLO.  The test
needs to be run in a datefudge wrapper as the early secrets depend on
the current time (through PSK).
Signed-off-by: Daiki Ueno <dueno@redhat.com>

Signed-off-by: Daiki Ueno <dueno@redhat.com>

TLS 1.3 Early Secret and the derived keys are calculated upon a PSK
being selected, thus the code fits better in ext/pre_shared_key.c.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

Signed-off-by: Daiki Ueno <dueno@redhat.com>

Signed-off-by: Daiki Ueno <dueno@redhat.com>

Use libabigail for tracking ABI changes

See merge request !972

doc: Add documentation for GNUTLS_CERT_IGNORE

See merge request !983

Extend test cert to 2049-05-27

See merge request !979

Signed-off-by: Andreas Metzler <ametzler@bebt.de>

When listing private keys on a specified token, "pin-value" is
ignored and the tool looks for GNUTLS_PIN, because it internally
strips out vendor query attributes from the original URL.

This also replaces the global uses of GNUTLS_PIN envvar in
testpkcs11.sh to check the case where the envvar is not in effect.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

These have output ABI format compatibility and that means we can
take snapshots to test ABI against. We also hard-code explicitly
the SONAME version to ensure no accidental SONAME bumps happen.

This patch also moves symbols.last in the devel/ subdirectory
and no internal files are shipped.

Relates: #292Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

This was available before 3.6.4, and was incorrectly removed.
It was found using libabigail tools.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Fix WIN32 custom push/pull functions

Closes #751

See merge request !978

instead of expiring in 2024-02-29
This update did not trigger y2038 bugs on 32-bit systems.

Without this patch, one test fails after 2024:
 doit:124: rsa pss key: gnutls_x509_crt_verify_data2                    |
 FAIL x509sign-verify (exit status: 1)
Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>

Fix link errors with gcc-9

See merge request !966

Use LDADD instead of LDFLAGS to link test cipher-openssl-compat against
libcrypto. This fixes a build error with gcc9 which passes the linker
option --as-needed by default.
Signed-off-by: Andreas Metzler <ametzler@bebt.de>

gnutls_cipher_suite_get_name and gnutls_session_get_master_secret
are marked as TLS1.2 or earlier-only as they cannot be used with
TLS 1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

They served no purpose.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

That is because the same variable name is used by local
variables as well.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
Reported-by: J. Ali Harlow (@j_ali on Gitlab.com)

tests: fix race condition in tls13/post-handshake-with-cert-pkcs11

See merge request !977

The test had a strange setup of server/client processes: the server
runs in a child process and the client runs in a parent process.  The
intention behind this was to detect softhsm availability in the parent
process and exit with 77 if missing.  However, there was a potential
race when the server exits and proceeds to the next call of start().

This fixes the process setup and moves the softhsm detection at the
program startup.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

build: allow override guile system location

Closes #748

See merge request !968

Pass CI commit check if branches are 'even'

See merge request !975

Reduce confusion between the upstream terms and the gnutls terms.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

guile has three settings acquired from system:
* GUILE_SITE
* GUILE_SITE_CCACHE
* GUILE_EXTENSION

The <guile-2.2 m4 macro exposed only GUILE_SITE while build tried to guess the
other variables based on the $libdir of the gnutls which may be different.

The >=guile-2.2 m4 macro provides all settings for build to use as default,
while allowing to override each.

Resolves: #748Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

On distributions such as Nix or Guix, `autoopts-config libsrc` may
return something along the lines of
"/gnu/store/...-autogen-5.18.16/share/autogen/libopts-42.1.17.tar.gz".

* Makefile.am (libopts-check): Print only the last field from
autoopts-config output.
Signed-off-by: Marius Bakke <mbakke@fastmail.com>

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

tests: cert-tests: crl: cleanup files

See merge request !973

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

ci: refresh the cache due to failures in debian

See merge request !974

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>