git.ipfire.org Git - thirdparty/gnutls.git/log
Added gnutls_x509_crt_get_extension_by_oid2() and gnutls_x509_crq_get_extension_by_oid2()
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 14:22:31 +0000 (16:22 +0200)]

Added gnutls_x509_trust_list_verify_purpose_crt()
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 14:07:40 +0000 (16:07 +0200)]

tpmtool: corrected key password read
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:56:52 +0000 (10:56 +0200)]

set umask prior to calling mkstemp
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:49:47 +0000 (10:49 +0200)]

initialize verification output to zero
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:46:39 +0000 (10:46 +0200)]

dtls: when discarding packet, discard the correct number of bytes
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:44:41 +0000 (10:44 +0200)]

check_ip: initialize ret
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:43:21 +0000 (10:43 +0200)]

gnutls_tpm_privkey_generate: initialize input values to null to prevent any issue
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:42:31 +0000 (10:42 +0200)]

do not dereference find_data->p_list in pkcs11 callback
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:38:48 +0000 (10:38 +0200)]

corrected issue in fips RNG
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:35:51 +0000 (10:35 +0200)]

added comment to clarify check
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:34:11 +0000 (10:34 +0200)]

opencdk: corrected unsigned comparison
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:32:20 +0000 (10:32 +0200)]

fixes in loop for SRK password input
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:31:40 +0000 (10:31 +0200)]

apps: corrected GNUTLS_PIN reading
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:23:04 +0000 (10:23 +0200)]

gnutls_x509_trust_list_add_trust_dir: corrected CRL loading error
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:21:07 +0000 (10:21 +0200)]

certtool: corrected copy+paste error
Nikos Mavrogiannopoulos [Mon, 8 Sep 2014 08:20:12 +0000 (10:20 +0200)]

tests: simplify valgrind suppressions for libidn
Nikos Mavrogiannopoulos [Sun, 7 Sep 2014 15:40:15 +0000 (17:40 +0200)]

use random ports in tests, unless a port is provided
Nikos Mavrogiannopoulos [Fri, 5 Sep 2014 15:22:22 +0000 (17:22 +0200)]

corrected usage of readdir_r()
Nikos Mavrogiannopoulos [Fri, 5 Sep 2014 13:40:48 +0000 (15:40 +0200)]

ocsptool: better error message
Nikos Mavrogiannopoulos [Fri, 5 Sep 2014 12:29:47 +0000 (14:29 +0200)]

reentrant fixes for gnutls_x509_trust_list_add_trust_dir(); handle unknown file types
Nikos Mavrogiannopoulos [Fri, 5 Sep 2014 12:29:28 +0000 (14:29 +0200)]

doc update
Nikos Mavrogiannopoulos [Fri, 5 Sep 2014 08:01:53 +0000 (10:01 +0200)]

optimized escaped comma handling
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 21:30:46 +0000 (23:30 +0200)]

require libtasn1 3.9 or later
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 18:56:02 +0000 (20:56 +0200)]

That is because of the ocsp fix.

tests: extended crq API checks
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 18:52:01 +0000 (20:52 +0200)]

doc update
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 18:45:27 +0000 (20:45 +0200)]

when setting a DN properly handle spaces and escaped commas
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 18:39:34 +0000 (20:39 +0200)]

simplified _gnutls_x509_get_signed_data()
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 17:58:00 +0000 (19:58 +0200)]

The get_raw_dn() functions were modified to work even if the certificate is generated (not imported)
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 17:41:26 +0000 (19:41 +0200)]

Disallow zero fragments in DTLS for packets which have data.
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 12:23:44 +0000 (14:23 +0200)]

Reported by Manuel Pégourié-Gonnard.

tests: Check the behavior of a DTLS server in a low-mtu scenario.
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 12:21:46 +0000 (14:21 +0200)]

http://permalink.gmane.org/gmane.network.gnutls.general/3582

steal openconnect's vasprintf() implementation
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 11:48:20 +0000 (13:48 +0200)]

corrected bundled vasprintf(); reported by Jeff Lee
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 11:37:30 +0000 (13:37 +0200)]

updated libtasn1
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 08:41:29 +0000 (10:41 +0200)]

tests: Added tests on the invalid OCSP response
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 08:05:30 +0000 (10:05 +0200)]

fips140: check the integrity of GMP
Nikos Mavrogiannopoulos [Wed, 3 Sep 2014 14:52:54 +0000 (16:52 +0200)]

when comparing an end-certificate with the trusted list compare the entire certificate
Nikos Mavrogiannopoulos [Wed, 3 Sep 2014 12:33:40 +0000 (14:33 +0200)]

tests: Added test for amazon.com chain with new verisign CA.
Nikos Mavrogiannopoulos [Tue, 2 Sep 2014 20:37:33 +0000 (22:37 +0200)]

when comparing a CA certificate with the trusted list compare the name and key
Nikos Mavrogiannopoulos [Tue, 2 Sep 2014 18:56:32 +0000 (20:56 +0200)]

That is to handle cases where a CA certificate was superseded by a different
one with the same name and the same key. That can happen when an intermediate
CA certificate is replaced by a self-signed one.

perform the FIPS140-2 self tests in two rounds
Nikos Mavrogiannopoulos [Tue, 2 Sep 2014 13:24:24 +0000 (15:24 +0200)]

One round is before the AES acceleration is registered, and the second
is after. That is to allow testing of the AES implementation used in the
DRBG. That is a hack until nettle handles all cipher acceleration.

name constraints: do not check CN when a DNSname is available
Nikos Mavrogiannopoulos [Mon, 1 Sep 2014 13:51:10 +0000 (15:51 +0200)]

drbg-aes: added checks in the error handling of the functions
Nikos Mavrogiannopoulos [Mon, 1 Sep 2014 13:09:33 +0000 (15:09 +0200)]

That covers the instantiate and generation functions.

fips140: fail on encryption test failure
Nikos Mavrogiannopoulos [Mon, 1 Sep 2014 11:52:21 +0000 (13:52 +0200)]

drbg-aes: if the continuous test fails, put the library into error state
Nikos Mavrogiannopoulos [Mon, 1 Sep 2014 11:48:48 +0000 (13:48 +0200)]

small doc updates
Nikos Mavrogiannopoulos [Sun, 31 Aug 2014 17:05:03 +0000 (19:05 +0200)]

doc: fixes in sectioning for p11tool and tpmtool invocation
Nikos Mavrogiannopoulos [Sun, 31 Aug 2014 16:53:57 +0000 (18:53 +0200)]

alpn: fix version documentation
Tristan Matthews [Fri, 29 Aug 2014 17:42:09 +0000 (13:42 -0400)]

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

p11tool: allow printing multiple types of tokens
Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 18:45:12 +0000 (20:45 +0200)]

remove text not applicable in that version
Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 17:56:08 +0000 (19:56 +0200)]

refer to rfc6125
Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 17:55:31 +0000 (19:55 +0200)]

additional sanity check in RSA key generation testing in FIPS-140-2 mode
Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 15:47:22 +0000 (17:47 +0200)]

The encrypted data are checked to differ from the plaintext, to prevent
any issues with an accidental null encryption.

when in FIPS140-2 mode switch the library to error state if key generation fails
Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 15:44:39 +0000 (17:44 +0200)]

avoid new allocations and keep a pointer to the DER data for DN
Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 13:25:40 +0000 (15:25 +0200)]

when importing a CRL keep the DER data
Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 13:21:55 +0000 (15:21 +0200)]

when importing a certificate, keep the DER data
Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 13:17:42 +0000 (15:17 +0200)]

doc update
Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 12:13:00 +0000 (14:13 +0200)]

added configuration option --disable-padlock
Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 10:00:33 +0000 (12:00 +0200)]

That allows keeping hardware acceleration in x86 but without
support for padlock.

Revert "updated asm sources"
Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 09:44:55 +0000 (11:44 +0200)]

This reverts commit 97895066e18abc5689ede9af1a463539ea783e90.

p11tool: when listing tokens, list their type as well
Nikos Mavrogiannopoulos [Thu, 28 Aug 2014 07:02:56 +0000 (09:02 +0200)]

hide _gnutls_x86_cpuid_s
Nikos Mavrogiannopoulos [Wed, 27 Aug 2014 08:55:30 +0000 (10:55 +0200)]

updated asm sources
Nikos Mavrogiannopoulos [Wed, 27 Aug 2014 08:52:13 +0000 (10:52 +0200)]

gnutls_pkcs11_obj_list_import_url2() will import data in a single pass
Nikos Mavrogiannopoulos [Wed, 27 Aug 2014 08:02:36 +0000 (10:02 +0200)]

tests: added more idna valgrind suppressions
Nikos Mavrogiannopoulos [Tue, 26 Aug 2014 16:55:49 +0000 (18:55 +0200)]

pkcs11: when reading PKCS #11 objects, read multiple objects at a time
Nikos Mavrogiannopoulos [Tue, 26 Aug 2014 16:37:50 +0000 (18:37 +0200)]

That improves the performance significantly when reading
from tokens with a significant number of objects. Reported
by David Woodhouse.

pkcs11: do not fail the entire operation if a single object cannot be imported
Nikos Mavrogiannopoulos [Tue, 26 Aug 2014 16:32:53 +0000 (18:32 +0200)]

pkcs11: allow objects without label or without ID
Nikos Mavrogiannopoulos [Tue, 26 Aug 2014 16:29:08 +0000 (18:29 +0200)]

tests: updated name constraints checks to not include a CN
Nikos Mavrogiannopoulos [Tue, 26 Aug 2014 12:14:09 +0000 (14:14 +0200)]

Revert "tests: Added a nameconstraints test based on the CN bypass" The bypass check was included in chainverify.
Nikos Mavrogiannopoulos [Tue, 26 Aug 2014 12:14:50 +0000 (14:14 +0200)]

This reverts commit c9417bcc0614aaa2668486d294f5759b4082a23a.

doc update
Nikos Mavrogiannopoulos [Tue, 26 Aug 2014 11:58:17 +0000 (13:58 +0200)]

only check name constraints in non-CA certificates
Nikos Mavrogiannopoulos [Tue, 26 Aug 2014 11:54:59 +0000 (13:54 +0200)]

ignore constraints for different type than the checked
Nikos Mavrogiannopoulos [Tue, 26 Aug 2014 11:28:54 +0000 (13:28 +0200)]

tests: Added a nameconstraints test based on the CN bypass
Nikos Mavrogiannopoulos [Tue, 26 Aug 2014 09:55:37 +0000 (11:55 +0200)]

That was discussed in:
http://permalink.gmane.org/gmane.comp.encryption.openssl.devel/26660

when verifying name constraints enforce the single CN rule
Nikos Mavrogiannopoulos [Tue, 26 Aug 2014 09:22:37 +0000 (11:22 +0200)]

cross.mk: compile gnutls without p11-kit by default
Nikos Mavrogiannopoulos [Fri, 22 Aug 2014 13:27:30 +0000 (15:27 +0200)]

cross.mk: do not delete the pkgconfig directory
Nikos Mavrogiannopoulos [Fri, 22 Aug 2014 13:26:03 +0000 (15:26 +0200)]

Added Alon's DCO link
Nikos Mavrogiannopoulos [Mon, 25 Aug 2014 17:37:22 +0000 (19:37 +0200)]

check for stdnoreturn.h presence
Nikos Mavrogiannopoulos [Mon, 25 Aug 2014 17:29:55 +0000 (19:29 +0200)]

build: tests: x509cert-tl: support separate builddir
Alon Bar-Lev [Sun, 24 Aug 2014 18:57:50 +0000 (21:57 +0300)]

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

build: condition pkcs11 block
Alon Bar-Lev [Sun, 24 Aug 2014 18:26:19 +0000 (21:26 +0300)]

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

record: tolerate a finished packet with errors in DTLS
Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 19:17:45 +0000 (21:17 +0200)]

record: in DTLS discard only messages that cause unexpected packet errors
Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 15:28:59 +0000 (17:28 +0200)]

tests: suppress more libidn warnings
Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 03:49:14 +0000 (05:49 +0200)]

danetool: ensure the temporary file is always removed
Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 03:44:22 +0000 (05:44 +0200)]

the server_name extension will convert input and output names to IDNA.
Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 03:26:18 +0000 (05:26 +0200)]

tools: use idna_to_ascii_8z() to convert internationalized hostnames
Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 03:06:43 +0000 (05:06 +0200)]

hostname-verify: use idn_free()
Nikos Mavrogiannopoulos [Fri, 22 Aug 2014 21:32:47 +0000 (23:32 +0200)]

doc update
Nikos Mavrogiannopoulos [Fri, 22 Aug 2014 10:10:10 +0000 (12:10 +0200)]

prevent 1024-bit DSA parameter generation only when FIPS-mode is enabled.
Nikos Mavrogiannopoulos [Fri, 22 Aug 2014 06:19:46 +0000 (08:19 +0200)]

Revert "removed pbits=1024, qbits=160 from the acceptable bit sizes in FIPS140-2 DSA parameter generation."
Nikos Mavrogiannopoulos [Fri, 22 Aug 2014 06:17:17 +0000 (08:17 +0200)]

This reverts commit 110527d9bb9ca70a66ae8173769067f133fd3cf7.

use the windows API in windows even if iconv is available
Nikos Mavrogiannopoulos [Thu, 21 Aug 2014 09:45:48 +0000 (11:45 +0200)]

win32: updated Makefile and added the ability to build openconnect
Nikos Mavrogiannopoulos [Wed, 20 Aug 2014 19:06:27 +0000 (21:06 +0200)]

check for the correct version of libidn
Nikos Mavrogiannopoulos [Wed, 20 Aug 2014 19:05:37 +0000 (21:05 +0200)]

tests: Added case sensitive checks in hostname verification
Nikos Mavrogiannopoulos [Wed, 20 Aug 2014 17:33:31 +0000 (19:33 +0200)]

tests: copied valgrind suppressions to suite
Nikos Mavrogiannopoulos [Wed, 20 Aug 2014 14:38:26 +0000 (16:38 +0200)]

updated libtasn1
Nikos Mavrogiannopoulos [Wed, 20 Aug 2014 14:24:47 +0000 (16:24 +0200)]

tests: suppress valgrind warnings due to libidn
Nikos Mavrogiannopoulos [Wed, 20 Aug 2014 13:50:56 +0000 (15:50 +0200)]

doc update
Nikos Mavrogiannopoulos [Wed, 20 Aug 2014 13:48:37 +0000 (15:48 +0200)]

gnutls_x509_crt_print() will print the IDNA A-label names as well.
Nikos Mavrogiannopoulos [Wed, 20 Aug 2014 13:47:32 +0000 (15:47 +0200)]

tests: added UTF-8 hostname comparison checks
Nikos Mavrogiannopoulos [Wed, 20 Aug 2014 13:34:59 +0000 (15:34 +0200)]

Added support for RFC6125 hostname comparison
Nikos Mavrogiannopoulos [Wed, 20 Aug 2014 11:41:55 +0000 (13:41 +0200)]

That adds the dependency on libidn.