]>
git.ipfire.org Git - thirdparty/gnutls.git/log
Nikos Mavrogiannopoulos [Wed, 22 Oct 2014 19:44:23 +0000 (21:44 +0200)]
exported gnutls_fd_in_use
Nikos Mavrogiannopoulos [Wed, 22 Oct 2014 14:35:42 +0000 (16:35 +0200)]
document gnutls_fd_in_use()
Nikos Mavrogiannopoulos [Wed, 22 Oct 2014 14:31:49 +0000 (16:31 +0200)]
gnutls_fd_in_use: mention version
Nikos Mavrogiannopoulos [Wed, 22 Oct 2014 14:31:20 +0000 (16:31 +0200)]
corrected FIND_OBJECT loop when the token func is used
Nikos Mavrogiannopoulos [Wed, 22 Oct 2014 10:19:25 +0000 (12:19 +0200)]
added gnutls_fd_in_use() to check whether a file descriptor is in use
Nikos Mavrogiannopoulos [Tue, 21 Oct 2014 18:02:23 +0000 (20:02 +0200)]
added prototype to avoid compiler warning
Nikos Mavrogiannopoulos [Tue, 21 Oct 2014 18:00:54 +0000 (20:00 +0200)]
fips140-2: limit the FIPS code in fips mode
Nikos Mavrogiannopoulos [Tue, 21 Oct 2014 06:50:29 +0000 (08:50 +0200)]
fips140-2: use the FIPS algorithms only when in FIPS140-2 mode
Nikos Mavrogiannopoulos [Mon, 20 Oct 2014 13:02:03 +0000 (15:02 +0200)]
dtls-stress: reindented code
Nikos Mavrogiannopoulos [Mon, 20 Oct 2014 12:55:52 +0000 (14:55 +0200)]
tests: dtls-stress: only replay when send succeeds
Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 12:11:26 +0000 (14:11 +0200)]
testsrn: do not assume that SSL 3.0 is enabled by default
Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 11:46:10 +0000 (13:46 +0200)]
gnutls-cli-debug: added test that checks the fallback from TLS 1.6
Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 11:45:40 +0000 (13:45 +0200)]
added _gnutls_hello_set_default_version() which allows to override the clienthello version
Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 11:20:30 +0000 (13:20 +0200)]
gnutls-cli: prevent the combination of the -p and --list options
As -p may be mistaken for --priority that would prevent wrong outputs.
Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 10:11:02 +0000 (12:11 +0200)]
avoid d from getting out of scope
Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 10:05:56 +0000 (12:05 +0200)]
gnutls-serv: avoid possible buffer overrun
Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 07:45:07 +0000 (09:45 +0200)]
avoid memory leak on gnutls_x509_privkey_generate() failure
Nikos Mavrogiannopoulos [Thu, 16 Oct 2014 11:55:12 +0000 (13:55 +0200)]
doc update
Nikos Mavrogiannopoulos [Thu, 16 Oct 2014 11:54:42 +0000 (13:54 +0200)]
gnutls-cli: added option --priority-list
Nikos Mavrogiannopoulos [Thu, 16 Oct 2014 11:54:24 +0000 (13:54 +0200)]
added gnutls_priority_string_list(), a function to iterate all priority strings
Nikos Mavrogiannopoulos [Thu, 16 Oct 2014 11:39:50 +0000 (13:39 +0200)]
put all priority strings into a table
Nikos Mavrogiannopoulos [Wed, 15 Oct 2014 13:21:27 +0000 (15:21 +0200)]
updated documentation for SSL 3.0 removal
Nikos Mavrogiannopoulos [Wed, 15 Oct 2014 13:18:25 +0000 (15:18 +0200)]
doc update
Nikos Mavrogiannopoulos [Wed, 15 Oct 2014 13:17:22 +0000 (15:17 +0200)]
SSL 3.0 is no longer on the default priorities list
Nikos Mavrogiannopoulos [Wed, 15 Oct 2014 12:20:40 +0000 (14:20 +0200)]
in FIPS140-2 mode only disable 1024-bit DSA parameters when generating
Ludovic Courtès [Tue, 14 Oct 2014 20:33:10 +0000 (22:33 +0200)]
guile: Remove trailing zero in 'gnutls_server_name_set' call.
In GnuTLS 3.2.19 (and possibly 3.3.9 and 3.1.17),
'set-session-server-name!' would pass a trailing nul character on the
wire after the server name, which would thus be rejected by servers.
Nikos Mavrogiannopoulos [Tue, 14 Oct 2014 19:05:34 +0000 (21:05 +0200)]
corrected libopt's Makefile.am
reported by Marius Schamschula.
Nikos Mavrogiannopoulos [Tue, 14 Oct 2014 14:29:23 +0000 (16:29 +0200)]
use _gnutls_hash_fast() in DSA/ECDSA verification
Nikos Mavrogiannopoulos [Tue, 14 Oct 2014 11:57:33 +0000 (13:57 +0200)]
FIPS140-2 RSA key generation changes to account for seed starting with null byte
Nikos Mavrogiannopoulos [Tue, 14 Oct 2014 09:05:20 +0000 (11:05 +0200)]
corrected the SSSE3 optimized SHA224
Nikos Mavrogiannopoulos [Tue, 14 Oct 2014 07:21:14 +0000 (09:21 +0200)]
simplified getrusage code; the failure check code wasn't needed
Nikos Mavrogiannopoulos [Fri, 10 Oct 2014 11:29:43 +0000 (13:29 +0200)]
use lcm(p-1,q-1) instead of phi(n) for RSA key generation in FIPS-140-2 mode
Nikos Mavrogiannopoulos [Mon, 13 Oct 2014 13:12:21 +0000 (15:12 +0200)]
tests: added check for import failure of v1 certificate with extensions
Nikos Mavrogiannopoulos [Mon, 13 Oct 2014 13:05:47 +0000 (15:05 +0200)]
do not allow importing X.509 certificates with version < 3 and extensions present
Nikos Mavrogiannopoulos [Mon, 13 Oct 2014 07:02:02 +0000 (09:02 +0200)]
update the guile manual along the C one
Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 21:04:04 +0000 (23:04 +0200)]
updated to libopts 5.18.4
Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 17:42:56 +0000 (19:42 +0200)]
place all rusage variables into HAVE_GETRUSAGE block
Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 12:34:02 +0000 (14:34 +0200)]
rnd: if RUSAGE_THREAD fails try RUSAGE_SELF
Nikos Mavrogiannopoulos [Fri, 10 Oct 2014 07:30:57 +0000 (09:30 +0200)]
tests: removed last remnants of GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE
Nikos Mavrogiannopoulos [Fri, 10 Oct 2014 07:29:58 +0000 (09:29 +0200)]
tests: pkcs11-combo: use unique db file
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 10:04:32 +0000 (12:04 +0200)]
forbid heartbeat messages during a handshake
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 16:15:01 +0000 (18:15 +0200)]
added internal variable to track handshake status
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 13:56:41 +0000 (15:56 +0200)]
ocsptool: avoid shadowing a global variable
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 13:53:47 +0000 (15:53 +0200)]
removed flag GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 12:22:56 +0000 (14:22 +0200)]
more files to ignore
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 12:09:01 +0000 (14:09 +0200)]
tests: updated time in pkcs11-is-known
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 11:16:32 +0000 (13:16 +0200)]
pkcs11: handle errors from override_cert_exts as fatal
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 10:34:46 +0000 (12:34 +0200)]
tests: allow running specific chainverify tests on fixed dates
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 10:28:34 +0000 (12:28 +0200)]
_gnutls_check_valid_key_id: corrected activation/expiration check
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 10:09:52 +0000 (12:09 +0200)]
pkcs11: simplified and optimized loop
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 09:35:10 +0000 (11:35 +0200)]
mention nettle as the recommended crypto backend
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 09:10:15 +0000 (11:10 +0200)]
tests: Added check to ensure that trust list combination with extra certificates works
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 08:41:57 +0000 (10:41 +0200)]
when both a trust module and additional CAs are present account the latter as well
That solves an issue in openconnect which used the system trust module,
plus additional certificates.
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 08:13:48 +0000 (10:13 +0200)]
simplify the handling of trust_list_get_issuer() when GNUTLS_TL_GET_COPY is not given
Nikos Mavrogiannopoulos [Wed, 8 Oct 2014 21:17:14 +0000 (23:17 +0200)]
doc update
Nikos Mavrogiannopoulos [Wed, 8 Oct 2014 12:41:08 +0000 (14:41 +0200)]
doc update
Nikos Mavrogiannopoulos [Mon, 29 Sep 2014 14:02:42 +0000 (16:02 +0200)]
tools: print the status of safe renegotiation and extended master secret
Nikos Mavrogiannopoulos [Mon, 29 Sep 2014 14:00:16 +0000 (16:00 +0200)]
tests: check whether the extended master secret is negotiated by default
Nikos Mavrogiannopoulos [Wed, 8 Oct 2014 12:09:30 +0000 (14:09 +0200)]
Added support for the extended master secret calculation
That is performed implicitly unless GNUTLS_NO_EXTENSIONS is specified.
The implementation follows draft-ietf-tls-session-hash-02.
Nikos Mavrogiannopoulos [Wed, 8 Oct 2014 09:47:49 +0000 (11:47 +0200)]
corrected assignment
Nikos Mavrogiannopoulos [Wed, 8 Oct 2014 08:22:04 +0000 (10:22 +0200)]
corrected the name of exported function
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 16:25:09 +0000 (18:25 +0200)]
doc update
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 16:24:29 +0000 (18:24 +0200)]
tests: added check for gnutls_record_discard_queued()
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 16:03:25 +0000 (18:03 +0200)]
Added gnutls_record_discard_queued()
That function allows to discard queued data in DTLS.
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 14:50:05 +0000 (16:50 +0200)]
tests: corrected test for v1 cert signing (removed bogus authorityIdentifier)
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 14:44:26 +0000 (16:44 +0200)]
certtool: only set the authority key identifier, if there is a corresponding subject key identifier
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 14:28:19 +0000 (16:28 +0200)]
pkcs11: do not shortcut checks when GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY is specified
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 14:20:18 +0000 (16:20 +0200)]
pkcs11: always check for a valid subjectKeyIdentifier match
That way, expired certificates can co-exist with their replacements.
Armin Burgmeier [Mon, 6 Oct 2014 21:28:46 +0000 (17:28 -0400)]
Add a test for PKCS11 CA iteration
Signed-off-by: Armin Burgmeier <armin@arbur.net>
Armin Burgmeier [Mon, 6 Oct 2014 21:24:11 +0000 (17:24 -0400)]
Also iterate over the CA certificates in a PKCS11 token
Signed-off-by: Armin Burgmeier <armin@arbur.net>
Armin Burgmeier [Mon, 6 Oct 2014 21:22:28 +0000 (17:22 -0400)]
Return an error if multiple PKCS11 URLs are added to a trust list
Before, the new URL would overwrite the old URL, and the memory of theold URL
would be leaked. It is documented that only one URL can be used, so it should
be safe to reject any attempt to add another one.
Signed-off-by: Armin Burgmeier <armin@arbur.net>
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 13:14:34 +0000 (15:14 +0200)]
pkcs11: when no CKA_ID can be relied on fallback on checking the SubjectKeyIdentifier
Patch by David Woodhouse.
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 11:40:50 +0000 (13:40 +0200)]
added FIPS140-2 ECDH verification functions
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 09:19:39 +0000 (11:19 +0200)]
removed unused definition
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 08:02:56 +0000 (10:02 +0200)]
added FIPS140-2 DH verification functions
Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 22:12:37 +0000 (00:12 +0200)]
tests: corrected check with gnutls_x509_trust_list_get_issuer
Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 21:22:45 +0000 (23:22 +0200)]
corrected remove_pkcs11_url()
Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 17:50:39 +0000 (19:50 +0200)]
address memory leak in gnutls_pkcs11_crt_is_known()
Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 21:18:08 +0000 (23:18 +0200)]
tests: check gnutls_pkcs11_crt_is_known() when multiple same DNs are present
Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 21:17:29 +0000 (23:17 +0200)]
pkcs11: when checking for presence do not give up on the first mismatch
Nikos Mavrogiannopoulos [Sun, 5 Oct 2014 08:09:22 +0000 (10:09 +0200)]
doc update: clarifications in gnutls_x509_trust_list_add_trust_file
Nikos Mavrogiannopoulos [Thu, 2 Oct 2014 14:24:41 +0000 (16:24 +0200)]
corrected compilation for non-pkcs11; reported by David Woodhouse.
Nikos Mavrogiannopoulos [Thu, 2 Oct 2014 13:15:52 +0000 (15:15 +0200)]
doc update
Nikos Mavrogiannopoulos [Thu, 2 Oct 2014 13:06:31 +0000 (15:06 +0200)]
avoid calls in gnutls_init()
Nikos Mavrogiannopoulos [Thu, 2 Oct 2014 09:08:15 +0000 (11:08 +0200)]
the handshake function has a timeout value by default
Nikos Mavrogiannopoulos [Thu, 2 Oct 2014 12:55:01 +0000 (14:55 +0200)]
use wait and retransmit when receiving session tickets
Nikos Mavrogiannopoulos [Thu, 2 Oct 2014 12:10:16 +0000 (14:10 +0200)]
tests: added -r option to dtls-stress
That allows it to replay messages in a kind of arbitrary way.
Nikos Mavrogiannopoulos [Thu, 2 Oct 2014 07:25:58 +0000 (09:25 +0200)]
report the FIPS140-2 mode
Nikos Mavrogiannopoulos [Wed, 1 Oct 2014 18:29:49 +0000 (20:29 +0200)]
tests: added check for GNUTLS_TL_GET_COPY
Nikos Mavrogiannopoulos [Wed, 1 Oct 2014 18:27:51 +0000 (20:27 +0200)]
Added GNUTLS_TL_GET_COPY flag and documented the limitations of gnutls_x509_trust_list_get_issuer()
Nikos Mavrogiannopoulos [Tue, 30 Sep 2014 19:15:11 +0000 (21:15 +0200)]
opencdk: changed filter_fnct_t to match the actual function prototypes
Nikos Mavrogiannopoulos [Tue, 30 Sep 2014 18:55:58 +0000 (20:55 +0200)]
updated news entry
Ludovic Courtès [Tue, 30 Sep 2014 11:22:14 +0000 (13:22 +0200)]
guile: doc: Remove erroneous @ifnottex.
Ludovic Courtès [Tue, 30 Sep 2014 11:08:56 +0000 (13:08 +0200)]
Add NEWS entry for Guile changes.
Ludovic Courtès [Tue, 30 Sep 2014 11:07:24 +0000 (13:07 +0200)]
guile: doc: Make it clear that the bindings are part of GnuTLS.
Nikos Mavrogiannopoulos [Sat, 27 Sep 2014 15:37:32 +0000 (17:37 +0200)]
if receiving a ChangeCipherSpec fails, return GNUTLS_E_UNEXPECTED_PACKET
That is more precise than the current GNUTLS_E_UNEXPECTED_PACKET_LENGTH
Nikos Mavrogiannopoulos [Fri, 26 Sep 2014 22:44:30 +0000 (00:44 +0200)]
use __hidden in solaris to provide the hidden visibility attribute
Nikos Mavrogiannopoulos [Fri, 26 Sep 2014 22:40:39 +0000 (00:40 +0200)]
no need to define _gnutls_x86_cpuid_s
Nikos Mavrogiannopoulos [Mon, 29 Sep 2014 13:22:06 +0000 (15:22 +0200)]
use MAX_CIPHER_BLOCK_SIZE more consistently
Nikos Mavrogiannopoulos [Fri, 26 Sep 2014 07:01:15 +0000 (09:01 +0200)]
do not allow GNUTLS_E_LARGE_PACKET to be returned from non-DTLS sessions