git.ipfire.org Git - thirdparty/gnutls.git/log
thirdparty/gnutls.git
11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 17:37:48 +0000 (19:37 +0200)] 
gnutls_x509_trust_list_add_system_trust() will not allow duplicate entries

11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 17:33:57 +0000 (19:33 +0200)] 
more compiler warning fixes

11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 17:24:57 +0000 (19:24 +0200)] 
configure: enabled more warnings

11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 17:11:14 +0000 (19:11 +0200)] 
fixed compilation warnings

11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 16:54:57 +0000 (18:54 +0200)] 
use _DIRENT_HAVE_D_TYPE to detect d->d_type

11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 16:50:35 +0000 (18:50 +0200)] 
corrected type

11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 16:46:55 +0000 (18:46 +0200)] 
configure: don't bother with checks for padlock in non-x86

11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 12:41:17 +0000 (14:41 +0200)] 
updated auto-generated files

11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 12:34:55 +0000 (14:34 +0200)] 
run abi-compliance-checker prior to release

11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 12:07:23 +0000 (14:07 +0200)] 
indented symbols

11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 10:00:39 +0000 (12:00 +0200)] 
protect DTLS clients that don't handle GNUTLS_E_LARGE_PACKET from an infinite loop on handshake

11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 09:52:52 +0000 (11:52 +0200)] 
removed unused error values

11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 09:49:52 +0000 (11:49 +0200)] 
restrict the number of non-fatal errors gnutls_handshake() can return

11 years ago
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 07:55:53 +0000 (09:55 +0200)] 
optimized gnutls_error_is_fatal() by splitting the errors to two tables

11 years ago
Nikos Mavrogiannopoulos [Wed, 24 Sep 2014 08:29:03 +0000 (10:29 +0200)] 
doc update

11 years ago
Nikos Mavrogiannopoulos [Wed, 24 Sep 2014 08:20:54 +0000 (10:20 +0200)] 
use unsigned types in prototypes

11 years ago
Nikos Mavrogiannopoulos [Wed, 24 Sep 2014 08:14:32 +0000 (10:14 +0200)] 
enable gcc warnings by default

11 years ago
Armin Burgmeier [Tue, 23 Sep 2014 20:12:38 +0000 (16:12 -0400)] 
Check the credentials getter functions as part of the unit tests

11 years ago
Armin Burgmeier [Thu, 18 Sep 2014 15:22:35 +0000 (11:22 -0400)] 
Add an interface to iterate the trusted CA certificates in a trust list

Signed-off-by: Armin Burgmeier <armin@arbur.net>

11 years ago
Armin Burgmeier [Thu, 18 Sep 2014 14:13:55 +0000 (10:13 -0400)] 
Add getter functions for openpgp keys and certificates

Signed-off-by: Armin Burgmeier <armin@arbur.net>

11 years ago
Armin Burgmeier [Wed, 17 Sep 2014 22:59:29 +0000 (18:59 -0400)] 
Add functions to obtain X.509 keys and certificates from certificate credentials

Signed-off-by: Armin Burgmeier <armin@arbur.net>

11 years ago
Nikos Mavrogiannopoulos [Wed, 24 Sep 2014 08:03:13 +0000 (10:03 +0200)] 
enabled gnutls_privkey_export_pkcs11

11 years ago
Armin Burgmeier [Wed, 17 Sep 2014 21:33:40 +0000 (17:33 -0400)] 
Add functions to export X.509 and OpenPGP private keys from the abstract type

Signed-off-by: Armin Burgmeier <armin@arbur.net>

11 years ago
Armin Burgmeier [Wed, 17 Sep 2014 16:30:44 +0000 (12:30 -0400)] 
Add a function to obtain the trust list of a gnutls_certificate_credentials_t

Signed-off-by: Armin Burgmeier <armin@arbur.net>

11 years ago
Nikos Mavrogiannopoulos [Wed, 24 Sep 2014 07:44:39 +0000 (09:44 +0200)] 
doc update

11 years ago
Nikos Mavrogiannopoulos [Mon, 22 Sep 2014 20:31:07 +0000 (22:31 +0200)] 
more files to ignore

11 years ago
Nikos Mavrogiannopoulos [Mon, 22 Sep 2014 20:27:42 +0000 (22:27 +0200)] 
removed gnutls_pcert_get_type()

11 years ago
Nikos Mavrogiannopoulos [Mon, 22 Sep 2014 16:55:38 +0000 (18:55 +0200)] 
only enable crywrap if libidn is present

11 years ago
Ludovic Courtès [Mon, 22 Sep 2014 14:20:07 +0000 (16:20 +0200)] 
guile: Restore cross-reference in 'set-session-priorities!' docstring.

This had been destroyed in 32d90395.

11 years ago
Ludovic Courtès [Mon, 22 Sep 2014 14:10:36 +0000 (16:10 +0200)] 
guile: Add bindings for 'gnutls_server_name_set'.

This adds the 'set-session-server-name!' procedure and the
'server-name-type' enum type.

11 years ago
Nikos Mavrogiannopoulos [Mon, 22 Sep 2014 09:21:00 +0000 (11:21 +0200)] 
doc update

11 years ago
Nikos Mavrogiannopoulos [Mon, 22 Sep 2014 09:15:06 +0000 (11:15 +0200)] 
tests: Added checks for key purpose verification

11 years ago
Nikos Mavrogiannopoulos [Mon, 22 Sep 2014 09:12:56 +0000 (11:12 +0200)] 
Verify key purpose on intermediate certificate if GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE is specified

That introduces the verification flag GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE,
and the verification result GNUTLS_CERT_PURPOSE_MISMATCH. The reason that this
verification test must be explicitly enabled is that it is only defined in the
CA Forum's Baseline requirements 1.1.9 and not in any IETF document.

11 years ago
Nikos Mavrogiannopoulos [Mon, 22 Sep 2014 07:53:00 +0000 (09:53 +0200)] 
certtool: updated the extended key usage documentation

11 years ago
Nikos Mavrogiannopoulos [Mon, 22 Sep 2014 07:51:15 +0000 (09:51 +0200)] 
added missing prototype

11 years ago
Nikos Mavrogiannopoulos [Mon, 22 Sep 2014 06:57:36 +0000 (08:57 +0200)] 
doc update

11 years ago
Nikos Mavrogiannopoulos [Mon, 22 Sep 2014 06:56:23 +0000 (08:56 +0200)] 
introduced gnutls_privkey_import_ext3()

That function allows copying an externally specified private
key, as well as allowing variability in the capabilities of an
external key.

11 years ago
Nikos Mavrogiannopoulos [Sun, 21 Sep 2014 00:18:09 +0000 (02:18 +0200)] 
updated cross.mk

11 years ago
Nikos Mavrogiannopoulos [Sat, 20 Sep 2014 23:55:59 +0000 (01:55 +0200)] 
doc update

11 years ago
Nikos Mavrogiannopoulos [Sat, 20 Sep 2014 23:55:18 +0000 (01:55 +0200)] 
when printing a certificate request also print its signature algorithm

11 years ago
Nikos Mavrogiannopoulos [Sat, 20 Sep 2014 23:50:52 +0000 (01:50 +0200)] 
added gnutls_x509_crq_get_signature_algorithm()

11 years ago
Nikos Mavrogiannopoulos [Sat, 20 Sep 2014 23:17:10 +0000 (01:17 +0200)] 
doc update

11 years ago
Nikos Mavrogiannopoulos [Sat, 20 Sep 2014 23:14:34 +0000 (01:14 +0200)] 
Added missing prototype

11 years ago
Nikos Mavrogiannopoulos [Sat, 20 Sep 2014 23:11:24 +0000 (01:11 +0200)] 
Added gnutls_pkcs11_privkey_cpy()

11 years ago
Armin Burgmeier [Wed, 17 Sep 2014 22:54:09 +0000 (18:54 -0400)] 
Add gnutls_certificate_get_verify_flags

Signed-off-by: Armin Burgmeier <armin@arbur.net>

11 years ago
Armin Burgmeier [Wed, 17 Sep 2014 16:26:47 +0000 (12:26 -0400)] 
Add API to retrieve an X.509 or OpenPGP certificate from a gnutls_pcert_t

Signed-off-by: Armin Burgmeier <armin@arbur.net>

11 years ago
Armin Burgmeier [Thu, 18 Sep 2014 15:22:50 +0000 (11:22 -0400)] 
Memory leak fix on certificate copy failure

Signed-off-by: Armin Burgmeier <armin@arbur.net>

11 years ago
Armin Burgmeier [Wed, 17 Sep 2014 16:31:19 +0000 (12:31 -0400)] 
Fix a documentation typo

Signed-off-by: Armin Burgmeier <armin@arbur.net>

11 years ago
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 14:24:57 +0000 (16:24 +0200)] 
regenerated files.mk

11 years ago
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 09:31:51 +0000 (11:31 +0200)] 
libdane: do not require the CA to be a direct CA

11 years ago
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 08:40:44 +0000 (10:40 +0200)] 
tests: enhanced test suite to pass more of the PKCS #11 API under valgrind

11 years ago
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 08:40:14 +0000 (10:40 +0200)] 
gnutls-serv: added the --provider option

11 years ago
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 08:03:05 +0000 (10:03 +0200)] 
tools: corrected pin entry

11 years ago
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 07:43:22 +0000 (09:43 +0200)] 
cleaned up memory deallocation in read_cert_url()

That caused unexpected results when loading PKCS #11 URLs.
Reported by Joseph Peruski.

11 years ago
Nikos Mavrogiannopoulos [Thu, 18 Sep 2014 19:09:11 +0000 (21:09 +0200)] 
updated certtool.cfg

11 years ago
Nikos Mavrogiannopoulos [Mon, 15 Sep 2014 14:09:29 +0000 (16:09 +0200)] 
tests: added checks with modified certificate

This tests whether a modification of a DER certificate that is cancelled
out while we parse it would result in a good signature.

11 years ago
Nikos Mavrogiannopoulos [Thu, 18 Sep 2014 11:33:52 +0000 (13:33 +0200)] 
require explicit disabling of PKCS #11 in configure

11 years ago
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 18:05:21 +0000 (20:05 +0200)] 
Added Armin's DCO

11 years ago
Nikos Mavrogiannopoulos [Thu, 18 Sep 2014 08:49:54 +0000 (10:49 +0200)] 
updated details on certificate verification

11 years ago
Nikos Mavrogiannopoulos [Thu, 18 Sep 2014 08:37:32 +0000 (10:37 +0200)] 
depend on p11-kit 0.20.7

11 years ago
Armin Burgmeier [Tue, 16 Sep 2014 18:02:24 +0000 (14:02 -0400)] 
Check for all error conditions when verifying a certificate

This allows checking for all possible flaws in a certificate chain with a
single call to gnutls_x509_crt_list_verify and friends.

Signed-off-by: Armin Burgmeier <armin@arbur.net>

11 years ago
Nikos Mavrogiannopoulos [Wed, 17 Sep 2014 14:54:05 +0000 (16:54 +0200)] 
depend on p11-kit 0.20.6

11 years ago
Nikos Mavrogiannopoulos [Wed, 17 Sep 2014 11:27:41 +0000 (13:27 +0200)] 
removed unneeded set of status

11 years ago
Nikos Mavrogiannopoulos [Wed, 17 Sep 2014 11:26:25 +0000 (13:26 +0200)] 
pkcs11: when a signer isn't found in PKCS #11 force the verification of the chain

That allows obtaining any additional flags from the chain such as insecure
algorithms or expirations.

11 years ago
Nikos Mavrogiannopoulos [Wed, 17 Sep 2014 07:25:02 +0000 (09:25 +0200)] 
psktool: corrected resource leak on failure

11 years ago
Nikos Mavrogiannopoulos [Wed, 17 Sep 2014 07:23:07 +0000 (09:23 +0200)] 
added sanity check on cleanup

11 years ago
Nikos Mavrogiannopoulos [Wed, 17 Sep 2014 07:13:44 +0000 (09:13 +0200)] 
removed unused variable

11 years ago
Nikos Mavrogiannopoulos [Wed, 17 Sep 2014 07:11:48 +0000 (09:11 +0200)] 
certtool: corrected typo in printing error

11 years ago
Nikos Mavrogiannopoulos [Wed, 17 Sep 2014 07:03:11 +0000 (09:03 +0200)] 
pkcs11: correctly reallocate the read buffer

Report and patch by David Woodhouse.

11 years ago
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 13:38:19 +0000 (15:38 +0200)] 
updated documentation on PKCS #11 trust module verification

11 years ago
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 09:08:37 +0000 (11:08 +0200)] 
unified the key purpose checks functions

11 years ago
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 08:49:19 +0000 (10:49 +0200)] 
check for CAs with the same key in gnutls_x509_trust_list_add_cas

That way when GNUTLS_TL_NO_DUPLICATE_KEY is specified the added CA will
overwrite any previous one with the same name and key.

11 years ago
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 08:58:06 +0000 (10:58 +0200)] 
hostname and key purpose checks were moved above CRL checks

11 years ago
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 08:40:37 +0000 (10:40 +0200)] 
doc update

11 years ago
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 08:30:05 +0000 (10:30 +0200)] 
corrected gnutls_x509_crl_get_raw_issuer_dn()

11 years ago
Nikos Mavrogiannopoulos [Mon, 15 Sep 2014 19:07:33 +0000 (21:07 +0200)] 
tests: use the PID number in RPORT

The shell's RANDOM isn't that random.

11 years ago
Nikos Mavrogiannopoulos [Mon, 15 Sep 2014 14:05:33 +0000 (16:05 +0200)] 
updated libtasn1

11 years ago
Nikos Mavrogiannopoulos [Mon, 15 Sep 2014 12:49:45 +0000 (14:49 +0200)] 
documented the environment variables

11 years ago
Nikos Mavrogiannopoulos [Sat, 13 Sep 2014 11:06:33 +0000 (13:06 +0200)] 
simulate pkcs11x.h when it doesn't exist

11 years ago
Nikos Mavrogiannopoulos [Sat, 13 Sep 2014 09:13:18 +0000 (11:13 +0200)] 
tests: Added crlverify to check gnutls_x509_crl_verify and gnutls_x509_trust_list_add_crls

11 years ago
Nikos Mavrogiannopoulos [Sat, 13 Sep 2014 08:59:35 +0000 (10:59 +0200)] 
create-chain.sh: generate CRL

11 years ago
Nikos Mavrogiannopoulos [Sat, 13 Sep 2014 08:34:29 +0000 (10:34 +0200)] 
gnutls_x509_crl_verify: do not always set the invalid status

Reported by Armin Burgmeier.

11 years ago
Nikos Mavrogiannopoulos [Sat, 13 Sep 2014 08:33:40 +0000 (10:33 +0200)] 
Revert "gnutls_x509_crl_verify: do not always set the invalid status"

This reverts commit a922ee10c5f3902988e5730a1e6fbf77b033058c.

11 years ago
Nikos Mavrogiannopoulos [Sat, 13 Sep 2014 07:50:22 +0000 (09:50 +0200)] 
gnutls_x509_crl_verify: do not always set the invalid status

Reported by Armin Burgmeier.

11 years ago
Nikos Mavrogiannopoulos [Sat, 13 Sep 2014 07:27:58 +0000 (09:27 +0200)] 
doc update

11 years ago
Nikos Mavrogiannopoulos [Fri, 12 Sep 2014 14:40:56 +0000 (16:40 +0200)] 
added missing file

11 years ago
Nikos Mavrogiannopoulos [Fri, 12 Sep 2014 14:22:57 +0000 (16:22 +0200)] 
p11tool: print Attached Extensions, instead of extensions

11 years ago
Nikos Mavrogiannopoulos [Fri, 12 Sep 2014 14:22:43 +0000 (16:22 +0200)] 
when adding a duplicate certificate, keep the last entry

11 years ago
Nikos Mavrogiannopoulos [Fri, 12 Sep 2014 11:51:39 +0000 (13:51 +0200)] 
added gnutls_pkcs11_copy_attached_extension()

11 years ago
Nikos Mavrogiannopoulos [Fri, 12 Sep 2014 09:31:28 +0000 (11:31 +0200)] 
pkcs11-get-issuer: do not hardcode the chain number, use its name

11 years ago
Nikos Mavrogiannopoulos [Thu, 11 Sep 2014 17:23:11 +0000 (19:23 +0200)] 
Revert "corrected planned version number"

This reverts commit 5e44f432580f8b9533223acc3060db26446f0e96.

11 years ago
Nikos Mavrogiannopoulos [Thu, 11 Sep 2014 16:09:50 +0000 (18:09 +0200)] 
fixes in the extension handling

11 years ago
Nikos Mavrogiannopoulos [Thu, 11 Sep 2014 16:07:46 +0000 (18:07 +0200)] 
p11tool: will print trust module extensions if present

11 years ago
Nikos Mavrogiannopoulos [Wed, 10 Sep 2014 14:55:05 +0000 (16:55 +0200)] 
check the key purpose of the CA certificate when in pkcs11 cert validation

11 years ago
Nikos Mavrogiannopoulos [Wed, 10 Sep 2014 14:02:12 +0000 (16:02 +0200)] 
allow retrieving extensions in a trust module using GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT

11 years ago
Nikos Mavrogiannopoulos [Wed, 10 Sep 2014 13:29:59 +0000 (15:29 +0200)] 
export x509_crt_to_raw_pubkey() in x509/common.h and prefixed s/get_extension with _gnutls

11 years ago
Nikos Mavrogiannopoulos [Wed, 10 Sep 2014 07:41:03 +0000 (09:41 +0200)] 
doc update

11 years ago
Nikos Mavrogiannopoulos [Tue, 9 Sep 2014 11:36:06 +0000 (13:36 +0200)] 
corrected planned version number

11 years ago
Nikos Mavrogiannopoulos [Tue, 9 Sep 2014 08:56:27 +0000 (10:56 +0200)] 
gnutls_x509_trust_list_verify_crt2 is on par with gnutls_certificate_verify_peers

That is, it accepts a list of gnutls_typed_vdata_st and allows for flexibility.

11 years ago
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 14:27:01 +0000 (16:27 +0200)] 
doc update