]> git.ipfire.org Git - thirdparty/gnutls.git/log
thirdparty/gnutls.git
12 years agosimplified client hello generation
Nikos Mavrogiannopoulos [Mon, 20 Jan 2014 08:19:26 +0000 (09:19 +0100)] 
simplified client hello generation

12 years ago%COMPAT implies %DUMBFW
Nikos Mavrogiannopoulos [Sun, 19 Jan 2014 14:10:42 +0000 (15:10 +0100)] 
%COMPAT implies %DUMBFW

12 years agofix in DRBG-AES-CTR initialization
Nikos Mavrogiannopoulos [Sun, 19 Jan 2014 13:44:52 +0000 (14:44 +0100)] 
fix in DRBG-AES-CTR initialization

12 years agouse a single buffer to generate the client hello.
Nikos Mavrogiannopoulos [Sun, 19 Jan 2014 13:27:33 +0000 (14:27 +0100)] 
use a single buffer to generate the client hello.

12 years agodoc update
Nikos Mavrogiannopoulos [Fri, 17 Jan 2014 10:21:58 +0000 (11:21 +0100)] 
doc update

12 years agoThe FIPS140 random number generator is enabled conditionally when required.
Nikos Mavrogiannopoulos [Fri, 17 Jan 2014 10:20:21 +0000 (11:20 +0100)] 
The FIPS140 random number generator is enabled conditionally when required.

12 years agoremoved duplicate function
Nikos Mavrogiannopoulos [Fri, 17 Jan 2014 10:09:37 +0000 (11:09 +0100)] 
removed duplicate function

12 years agoreplaced the ANSI X9.31 RNG with the SP800-90A DRBG-AES-CTR rng.
Nikos Mavrogiannopoulos [Fri, 17 Jan 2014 09:35:00 +0000 (10:35 +0100)] 
replaced the ANSI X9.31 RNG with the SP800-90A DRBG-AES-CTR rng.

12 years agouse newline
Nikos Mavrogiannopoulos [Fri, 17 Jan 2014 09:57:55 +0000 (10:57 +0100)] 
use newline

12 years agowhen freeing priority_cache make sure it is set to NULL
Nikos Mavrogiannopoulos [Thu, 16 Jan 2014 11:18:50 +0000 (12:18 +0100)] 
when freeing priority_cache make sure it is set to NULL

12 years agoClarified version
Nikos Mavrogiannopoulos [Thu, 16 Jan 2014 11:15:11 +0000 (12:15 +0100)] 
Clarified version

12 years agognutls_global_set_mem_functions was deprecated
Nikos Mavrogiannopoulos [Thu, 16 Jan 2014 10:00:29 +0000 (11:00 +0100)] 
gnutls_global_set_mem_functions was deprecated

12 years agoremoved unneeded warning; all systems we support set this function.
Nikos Mavrogiannopoulos [Thu, 16 Jan 2014 09:54:29 +0000 (10:54 +0100)] 
removed unneeded warning; all systems we support set this function.

12 years agogenerate info documentation in a single file
Nikos Mavrogiannopoulos [Wed, 15 Jan 2014 11:59:37 +0000 (12:59 +0100)] 
generate info documentation in a single file

12 years agoThe simple bit size check in certificates is now replaced by the verification profiles.
Nikos Mavrogiannopoulos [Wed, 15 Jan 2014 09:39:25 +0000 (10:39 +0100)] 
The simple bit size check in certificates is now replaced by the verification profiles.

12 years agono need to set profile to LOW as it is already the default
Nikos Mavrogiannopoulos [Wed, 15 Jan 2014 09:36:13 +0000 (10:36 +0100)] 
no need to set profile to LOW as it is already the default

12 years agoIntroduced GNUTLS_DEFAULT_PRIORITY macro
Nikos Mavrogiannopoulos [Wed, 15 Jan 2014 09:24:17 +0000 (10:24 +0100)] 
Introduced GNUTLS_DEFAULT_PRIORITY macro

12 years agodoc update
Nikos Mavrogiannopoulos [Wed, 15 Jan 2014 09:16:55 +0000 (10:16 +0100)] 
doc update

12 years agodecreased certificate verification level to allow SHA1 as hash.
Nikos Mavrogiannopoulos [Wed, 15 Jan 2014 09:16:44 +0000 (10:16 +0100)] 
decreased certificate verification level to allow SHA1 as hash.

12 years agoWhen verifying a certificate's security level ensure that the hash is within the...
Nikos Mavrogiannopoulos [Wed, 15 Jan 2014 09:15:03 +0000 (10:15 +0100)] 
When verifying a certificate's security level ensure that the hash is within the level

12 years agoAdded gnutls_sec_param_to_symmetric_bits()
Nikos Mavrogiannopoulos [Wed, 15 Jan 2014 09:14:31 +0000 (10:14 +0100)] 
Added gnutls_sec_param_to_symmetric_bits()

12 years agoupdated test for level rename
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 15:23:08 +0000 (16:23 +0100)] 
updated test for level rename

12 years agoupdated memxor3 suppression to cope with any usage of memxor3
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 15:09:27 +0000 (16:09 +0100)] 
updated memxor3 suppression to cope with any usage of memxor3

12 years agoThe correct priority will be used if SYSTEM is not specified.
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 14:48:33 +0000 (15:48 +0100)] 
The correct priority will be used if SYSTEM is not specified.

12 years agodo not immediately fail on verification failure due to insecure algorithm.
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 14:45:21 +0000 (15:45 +0100)] 
do not immediately fail on verification failure due to insecure algorithm.

12 years agouse gnutls_priority_set_direct() to set a fixed priority string
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 14:27:55 +0000 (15:27 +0100)] 
use gnutls_priority_set_direct() to set a fixed priority string

12 years agoavoid allocation.
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 14:24:12 +0000 (15:24 +0100)] 
avoid allocation.

12 years agouse default priorities based on version number in examples, and add dependency on...
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 12:59:50 +0000 (13:59 +0100)] 
use default priorities based on version number in examples, and add dependency on 3.1.0

12 years agochanges in SYSTEM semantics to allow appending rules to the default policy.
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 12:41:48 +0000 (13:41 +0100)] 
changes in SYSTEM semantics to allow appending rules to the default policy.

12 years agoAdded the SYSTEM priority string initial keyword.
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 12:11:50 +0000 (13:11 +0100)] 
Added the SYSTEM priority string initial keyword.

That allows a compile-time specified configuration file to be
used to read the priorities. That can be used to impose system
specific policies.

12 years agoWeak sec-param was replaced with Low.
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 10:18:02 +0000 (11:18 +0100)] 
Weak sec-param was replaced with Low.

12 years agoupdated sec-params check
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 10:16:48 +0000 (11:16 +0100)] 
updated sec-params check

12 years agodoc update
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 10:10:10 +0000 (11:10 +0100)] 
doc update

12 years agomore updates for the security param rename
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 10:09:45 +0000 (11:09 +0100)] 
more updates for the security param rename

12 years agoAdded test to check the expected values of security parameters.
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 10:08:47 +0000 (11:08 +0100)] 
Added test to check the expected values of security parameters.

12 years agodoc update
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 10:08:12 +0000 (11:08 +0100)] 
doc update

12 years agosecurity levels aligned to ENISA and other common practice recommendations.
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 10:05:34 +0000 (11:05 +0100)] 
security levels aligned to ENISA and other common practice recommendations.

12 years agoGNUTLS_SEC_PARAM_NORMAL was renamed to GNUTLS_SEC_PARAM_MEDIUM
Nikos Mavrogiannopoulos [Tue, 14 Jan 2014 09:45:21 +0000 (10:45 +0100)] 
GNUTLS_SEC_PARAM_NORMAL was renamed to GNUTLS_SEC_PARAM_MEDIUM

That was done to avoid confusion with the NORMAL priority string.
Also when setting a PROFILE explicitly as priority string the
session security level is adjusted accordingly.

12 years agodoc update
Nikos Mavrogiannopoulos [Mon, 13 Jan 2014 11:56:33 +0000 (12:56 +0100)] 
doc update

12 years agoUse gperf to find priority string options.
Nikos Mavrogiannopoulos [Mon, 13 Jan 2014 11:09:27 +0000 (12:09 +0100)] 
Use gperf to find priority string options.

12 years agoverification profiles can be set individually as well.
Nikos Mavrogiannopoulos [Mon, 13 Jan 2014 10:12:39 +0000 (11:12 +0100)] 
verification profiles can be set individually as well.

12 years agodoc update
Nikos Mavrogiannopoulos [Mon, 13 Jan 2014 09:47:33 +0000 (10:47 +0100)] 
doc update

12 years agoincreased the overall security level unless %COMPAT is specified.
Nikos Mavrogiannopoulos [Mon, 13 Jan 2014 09:40:18 +0000 (10:40 +0100)] 
increased the overall security level unless %COMPAT is specified.

12 years agoenforce certificate verification profiles when setting priority strings
Nikos Mavrogiannopoulos [Mon, 13 Jan 2014 09:39:46 +0000 (10:39 +0100)] 
enforce certificate verification profiles when setting priority strings

12 years agoAdded certificate verification profiles.
Nikos Mavrogiannopoulos [Mon, 13 Jan 2014 09:20:56 +0000 (10:20 +0100)] 
Added certificate verification profiles.

12 years agosimplified _gnutls_verify_certificate2().
Nikos Mavrogiannopoulos [Fri, 10 Jan 2014 13:08:22 +0000 (14:08 +0100)] 
simplified _gnutls_verify_certificate2().

12 years agoconsistency changes.
Nikos Mavrogiannopoulos [Fri, 10 Jan 2014 12:54:17 +0000 (13:54 +0100)] 
consistency changes.

12 years agognutls_session_get_desc() returns a more compact description.
Nikos Mavrogiannopoulos [Sat, 11 Jan 2014 21:28:08 +0000 (22:28 +0100)] 
gnutls_session_get_desc() returns a more compact description.

12 years agodoc update
Nikos Mavrogiannopoulos [Sat, 11 Jan 2014 12:12:05 +0000 (13:12 +0100)] 
doc update

12 years agoThe RDN sequence is now kept in trust list instead of the credentials parameters.
Nikos Mavrogiannopoulos [Sat, 11 Jan 2014 11:24:22 +0000 (12:24 +0100)] 
The RDN sequence is now kept in trust list instead of the credentials parameters.

This is however not enabled by default. When adding CAs to trust list
the flag GNUTLS_TL_USE_IN_TLS must be specified to generate the RDN
sequence. This flag is for now only useful internally in gnutls.

12 years agosimplified x509dn
Nikos Mavrogiannopoulos [Sat, 11 Jan 2014 11:20:45 +0000 (12:20 +0100)] 
simplified x509dn

12 years agodoc update
Nikos Mavrogiannopoulos [Sat, 11 Jan 2014 10:25:35 +0000 (11:25 +0100)] 
doc update

12 years agoenhanced set_pkcs12_cred test.
Nikos Mavrogiannopoulos [Sat, 11 Jan 2014 10:20:17 +0000 (11:20 +0100)] 
enhanced set_pkcs12_cred test.

12 years agodoc update
Nikos Mavrogiannopoulos [Thu, 9 Jan 2014 07:49:29 +0000 (08:49 +0100)] 
doc update

12 years agognutls-cli-debug should accept TLS 1.2-only servers
Daniel Kahn Gillmor [Wed, 8 Jan 2014 20:57:59 +0000 (15:57 -0500)] 
gnutls-cli-debug should accept TLS 1.2-only servers

Without this patch, a TLS 1.2-only server will not be properly
investigated by gnutls-cli-debug.

e.g. a server like:

  gnutls-serv --x509keyfile=server/secret.key --x509certfile=server/x509.pem --priority 'NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2'

gets this failed analysis:

0 dkg@alice:~$ gnutls-cli-debug --port 5556 localhostrt 5556 localhost
Resolving 'localhost'...
Connecting to '::1:5556'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... yes
Checking for TLS 1.0 support... no
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.2 support... yes
Checking whether we need to disable TLS 1.2... N/A
Checking whether we need to disable TLS 1.1... no

Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1
0 dkg@alice:~$

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
12 years agoFix CERTIFICATE STATUS processing when using non-blocking I/O
Nils Maier [Mon, 6 Jan 2014 14:15:58 +0000 (15:15 +0100)] 
Fix CERTIFICATE STATUS processing when using non-blocking I/O

_gnutls_recv_server_certificate_status() must wait for the first full
packet before setting priv->expect_cstatus = 0, or else CERTIFCATE
STATUS packets won't be processed in subsequent calls at all, leaving
them in the buffer and therefore causing later connection aborts.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
12 years agognutls_pkcs11_crt_exists renamed to gnutls_pkcs11_crt_is_known
Nikos Mavrogiannopoulos [Sat, 4 Jan 2014 09:56:33 +0000 (10:56 +0100)] 
gnutls_pkcs11_crt_exists renamed to gnutls_pkcs11_crt_is_known

Moreover it was modified to fully compare the certificate when looking
for a trusted certificate.

12 years agosimplified gnutls_certificate_set_x509_crl_file/mem.
Nikos Mavrogiannopoulos [Sat, 4 Jan 2014 09:39:27 +0000 (10:39 +0100)] 
simplified gnutls_certificate_set_x509_crl_file/mem.

12 years agosimplified gnutls_certificate_set_x509_trust_file/mem.
Nikos Mavrogiannopoulos [Sat, 4 Jan 2014 09:33:08 +0000 (10:33 +0100)] 
simplified gnutls_certificate_set_x509_trust_file/mem.

12 years agouse gnutls_strdup
Nikos Mavrogiannopoulos [Sat, 4 Jan 2014 09:25:59 +0000 (10:25 +0100)] 
use gnutls_strdup

12 years agodoc update
Nikos Mavrogiannopoulos [Fri, 3 Jan 2014 17:24:03 +0000 (18:24 +0100)] 
doc update

12 years agomini-record-2 movedto front.
Nikos Mavrogiannopoulos [Wed, 1 Jan 2014 21:25:07 +0000 (22:25 +0100)] 
mini-record-2 movedto front.

12 years agoremoved debugging
Nikos Mavrogiannopoulos [Fri, 3 Jan 2014 10:13:41 +0000 (11:13 +0100)] 
removed debugging

12 years agoWhen verifying using a PKCS #11 module use gnutls_pkcs11_crt_exists() to check for...
Nikos Mavrogiannopoulos [Fri, 3 Jan 2014 10:11:28 +0000 (11:11 +0100)] 
When verifying using a PKCS #11 module use gnutls_pkcs11_crt_exists() to check for trust and distrust (blacklists).

12 years agoAdded gnutls_pkcs11_crt_exists()
Nikos Mavrogiannopoulos [Thu, 2 Jan 2014 13:31:49 +0000 (14:31 +0100)] 
Added gnutls_pkcs11_crt_exists()

12 years agomore sensible names in find data private structures.
Nikos Mavrogiannopoulos [Thu, 2 Jan 2014 13:09:27 +0000 (14:09 +0100)] 
more sensible names in find data private structures.

12 years agodoc update
Nikos Mavrogiannopoulos [Thu, 2 Jan 2014 12:54:57 +0000 (13:54 +0100)] 
doc update

12 years agognutls_pkcs11_get_raw_issuer() returns only trusted issuers if GNUTLS_PKCS11_ISSUER_A...
Nikos Mavrogiannopoulos [Thu, 2 Jan 2014 12:52:46 +0000 (13:52 +0100)] 
gnutls_pkcs11_get_raw_issuer() returns only trusted issuers if GNUTLS_PKCS11_ISSUER_ANY is not specified.

12 years agodoc update
Nikos Mavrogiannopoulos [Thu, 2 Jan 2014 12:36:35 +0000 (13:36 +0100)] 
doc update

12 years agounified PKCS#11 debug messages
Nikos Mavrogiannopoulos [Thu, 2 Jan 2014 12:33:08 +0000 (13:33 +0100)] 
unified PKCS#11 debug messages

12 years agoUpdated PKCS #11 support for gnutls_x509_trust_list_add_trust_file().
Nikos Mavrogiannopoulos [Thu, 2 Jan 2014 11:50:13 +0000 (12:50 +0100)] 
Updated PKCS #11 support for gnutls_x509_trust_list_add_trust_file().

It will now use the PKCS #11 trust URL while verifying instead of importing
all CAs. That way it allows verification on the spot without requiring the
gnutls to restart in case of a blacklisted CA.

12 years agodoc update
Nikos Mavrogiannopoulos [Thu, 2 Jan 2014 11:14:27 +0000 (12:14 +0100)] 
doc update

12 years agoAdded documentation for force autogen to generate correct texinfo code.
Nikos Mavrogiannopoulos [Wed, 1 Jan 2014 18:16:28 +0000 (19:16 +0100)] 
Added documentation for force autogen to generate correct texinfo code.

12 years agodoc update
Nikos Mavrogiannopoulos [Tue, 31 Dec 2013 08:52:09 +0000 (09:52 +0100)] 
doc update

12 years agodoc update
Nikos Mavrogiannopoulos [Mon, 30 Dec 2013 15:16:14 +0000 (16:16 +0100)] 
doc update

12 years agoresume tests will not block if they fail
Nikos Mavrogiannopoulos [Sun, 29 Dec 2013 15:53:34 +0000 (16:53 +0100)] 
resume tests will not block if they fail

12 years agomoved constructor definitions to macros to allow easier extensions to other systems.
Nikos Mavrogiannopoulos [Sun, 29 Dec 2013 15:39:46 +0000 (16:39 +0100)] 
moved constructor definitions to macros to allow easier extensions to other systems.

12 years agoperform the iteration check on both rngs.
Nikos Mavrogiannopoulos [Sun, 29 Dec 2013 15:35:49 +0000 (16:35 +0100)] 
perform the iteration check on both rngs.

12 years agoAdd suppression for nettle's memxor3
Nikos Mavrogiannopoulos [Sun, 29 Dec 2013 15:27:13 +0000 (16:27 +0100)] 
Add suppression for nettle's memxor3

12 years agodoc update
Nikos Mavrogiannopoulos [Sun, 29 Dec 2013 15:20:41 +0000 (16:20 +0100)] 
doc update

12 years agoupdated
Nikos Mavrogiannopoulos [Sun, 29 Dec 2013 15:13:22 +0000 (16:13 +0100)] 
updated

12 years agoadapt padding size based on the current size of the client hello.
Nikos Mavrogiannopoulos [Sun, 29 Dec 2013 08:30:44 +0000 (09:30 +0100)] 
adapt padding size based on the current size of the client hello.

12 years agodoc update
Nikos Mavrogiannopoulos [Sun, 29 Dec 2013 08:22:02 +0000 (09:22 +0100)] 
doc update

12 years agodo not pad when the client hello size is sufficiently small.
Nikos Mavrogiannopoulos [Sat, 28 Dec 2013 17:21:19 +0000 (18:21 +0100)] 
do not pad when the client hello size is sufficiently small.

12 years agodo not send the dumbfw padding if the hello data are already too long.
Nikos Mavrogiannopoulos [Sat, 28 Dec 2013 17:10:26 +0000 (18:10 +0100)] 
do not send the dumbfw padding if the hello data are already too long.

12 years agoexport only xssl symbols; small patch by Andreas Metzler.
Nikos Mavrogiannopoulos [Sat, 28 Dec 2013 06:57:24 +0000 (07:57 +0100)] 
export only xssl symbols; small patch by Andreas Metzler.

12 years agoAdd LIB_CLOCK_GETTIME to crywrap
Gustavo Zacarias [Thu, 26 Dec 2013 16:13:03 +0000 (13:13 -0300)] 
Add LIB_CLOCK_GETTIME to crywrap

It's used indirectly thus causing build breakage on versions of glibc
where it's defined in librt rather than libc directly.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
12 years agolimit the size of the DH exponent
Nikos Mavrogiannopoulos [Wed, 25 Dec 2013 15:30:11 +0000 (16:30 +0100)] 
limit the size of the DH exponent

12 years agounified constants
Nikos Mavrogiannopoulos [Wed, 25 Dec 2013 15:18:49 +0000 (16:18 +0100)] 
unified constants

12 years agoDo not run the fips-test when not in fips mode
Nikos Mavrogiannopoulos [Wed, 25 Dec 2013 11:16:00 +0000 (12:16 +0100)] 
Do not run the fips-test when not in fips mode

12 years agosimplified gnutls_handshake_alloc
Nikos Mavrogiannopoulos [Wed, 25 Dec 2013 11:11:36 +0000 (12:11 +0100)] 
simplified gnutls_handshake_alloc

12 years agodo not specify a default class when searching for objects to delete
Nikos Mavrogiannopoulos [Mon, 23 Dec 2013 17:59:43 +0000 (18:59 +0100)] 
do not specify a default class when searching for objects to delete

This fixed issue when trying to delete all the keys in a token by
using the token URL.

12 years agoAdded so-login flag to force security office login to the card
Nikos Mavrogiannopoulos [Mon, 23 Dec 2013 16:53:57 +0000 (17:53 +0100)] 
Added so-login flag to force security office login to the card

12 years agoupdated txt
Nikos Mavrogiannopoulos [Mon, 23 Dec 2013 16:34:03 +0000 (17:34 +0100)] 
updated txt

12 years agoprint warning when no token name is provided
Nikos Mavrogiannopoulos [Mon, 23 Dec 2013 16:32:03 +0000 (17:32 +0100)] 
print warning when no token name is provided

12 years agoAdded userPrincipalName
Nikos Mavrogiannopoulos [Mon, 23 Dec 2013 15:20:37 +0000 (16:20 +0100)] 
Added userPrincipalName

12 years agopass the correct flag to dane_verify_crt_raw()
Nikos Mavrogiannopoulos [Mon, 23 Dec 2013 11:14:11 +0000 (12:14 +0100)] 
pass the correct flag to dane_verify_crt_raw()

That doesn't affect anything but logical correctness, as
the parameter is ignored.

12 years agocorrected key ID size check
Nikos Mavrogiannopoulos [Mon, 23 Dec 2013 10:58:12 +0000 (11:58 +0100)] 
corrected key ID size check

12 years agoPorted Alon's patch to correctly check for librt (et al.)
Nikos Mavrogiannopoulos [Mon, 23 Dec 2013 10:31:36 +0000 (11:31 +0100)] 
Ported Alon's patch to correctly check for librt (et al.)

This also makes clock_gettime() check independent of the FIPS140 option.

12 years agoAdded aliases list-privkeys and list-keys
Nikos Mavrogiannopoulos [Sun, 22 Dec 2013 11:41:51 +0000 (12:41 +0100)] 
Added aliases list-privkeys and list-keys