git.ipfire.org Git - thirdparty/gnutls.git/log
Nikos Mavrogiannopoulos [Mon, 4 Aug 2014 08:58:49 +0000 (10:58 +0200)]
pkcs12: increased the number of iterations for MAC
Nikos Mavrogiannopoulos [Mon, 4 Aug 2014 08:50:37 +0000 (10:50 +0200)]
removed debugging info
Nikos Mavrogiannopoulos [Thu, 31 Jul 2014 10:18:16 +0000 (12:18 +0200)]
several windows compilation fixes
Nikos Mavrogiannopoulos [Thu, 31 Jul 2014 09:55:39 +0000 (11:55 +0200)]
gnutls.h: use _SYM_EXPORT to export other than function symbols
Nikos Mavrogiannopoulos [Tue, 29 Jul 2014 20:21:36 +0000 (22:21 +0200)]
updated to libopts 5.18.3
Nikos Mavrogiannopoulos [Tue, 29 Jul 2014 20:09:25 +0000 (22:09 +0200)]
updated gnulib
Nikos Mavrogiannopoulos [Tue, 29 Jul 2014 15:23:09 +0000 (17:23 +0200)]
updated documentation for gnutls_pkcs12_simple_parse
Nikos Mavrogiannopoulos [Tue, 29 Jul 2014 11:11:34 +0000 (13:11 +0200)]
master now holds the 3.4.0 release
Nikos Mavrogiannopoulos [Tue, 29 Jul 2014 08:22:43 +0000 (10:22 +0200)]
Use pthread_atfork() and variants to detect fork
Nikos Mavrogiannopoulos [Mon, 28 Jul 2014 13:16:48 +0000 (15:16 +0200)]
doc update
Nikos Mavrogiannopoulos [Mon, 28 Jul 2014 13:00:25 +0000 (15:00 +0200)]
Added replacements of inet_aton and inet_pton on systems where they are not present
gnulib is avoided in order to keep the gnulib network replacements out of
the library.
Nikos Mavrogiannopoulos [Mon, 28 Jul 2014 12:37:05 +0000 (14:37 +0200)]
Added text on PKCS #11 verification
Nikos Mavrogiannopoulos [Sun, 27 Jul 2014 12:40:39 +0000 (14:40 +0200)]
removed comma at the end of enumerations
That patch allows compilers that don't support C99 syntax to
compile applications that use a header of gnutls. Report and
patch by Ryan Schmidt.
Nikos Mavrogiannopoulos [Sun, 27 Jul 2014 12:26:14 +0000 (14:26 +0200)]
check for sed in configure.ac and use the output variable in Makefiles
Nikos Mavrogiannopoulos [Thu, 24 Jul 2014 19:55:43 +0000 (21:55 +0200)]
doc update
Nikos Mavrogiannopoulos [Wed, 23 Jul 2014 12:51:56 +0000 (14:51 +0200)]
tests: dane: add flag DANE_F_IGNORE_LOCAL_RESOLVER to dane_state_init
That prevents unbound from complaining in systems where no
DNSSEC functionality is present.
Nikos Mavrogiannopoulos [Wed, 23 Jul 2014 07:15:39 +0000 (09:15 +0200)]
doc update
Nikos Mavrogiannopoulos [Wed, 23 Jul 2014 07:10:11 +0000 (09:10 +0200)]
tests: added libdane/includes to includes dir
Nikos Mavrogiannopoulos [Wed, 23 Jul 2014 07:08:45 +0000 (09:08 +0200)]
released 3.3.6
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 22:33:13 +0000 (00:33 +0200)]
Added missing functions
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 21:47:08 +0000 (23:47 +0200)]
bumped library version
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 16:30:13 +0000 (18:30 +0200)]
libdane: simplified initialization of variables.
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 16:22:40 +0000 (18:22 +0200)]
libdane: bogus and secure values are always initialized in dane_query_to_raw_tlsa
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 16:18:26 +0000 (18:18 +0200)]
tests: eliminated leak from dane check
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 16:14:50 +0000 (18:14 +0200)]
libdane: use gnutls_malloc() and doc update
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 16:07:14 +0000 (18:07 +0200)]
Added self test for DANE raw functions
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 15:39:09 +0000 (17:39 +0200)]
danetool: added option to print the raw entries.
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 15:18:31 +0000 (17:18 +0200)]
doc update
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 14:39:23 +0000 (16:39 +0200)]
moved _gnutls_prf_raw to FIPS140 symbols
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 13:34:51 +0000 (15:34 +0200)]
Added sanity check on padlock AES IV set.
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:57:55 +0000 (13:57 +0200)]
fips140-2: Added _gnutls_prf_raw() which can calculate the TLS PRF without depending on a session structure.
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:38:25 +0000 (13:38 +0200)]
fips140-2: do not check the libtasn1's integrity
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:30:33 +0000 (13:30 +0200)]
RSA-PSK ciphersuites are only allowed in TLS 1.0.
That is because they implement the EncryptedPreMasterSecret encoding
according to RFC 4279, which uses the TLS 1.0 (RFC 2246) encoding,
and there can be ambiguities when using that over SSL 3.0.
See: http://lists.gnupg.org/pipermail/gnutls-help/2014-July/003546.html
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:19:15 +0000 (13:19 +0200)]
gnutls_priority_init: set err_pos prior to any action
That allows a valid err_pos, even on a memory allocation
error. Reported by Dan Fandrich.
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:08:46 +0000 (13:08 +0200)]
updated TODO
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:03:38 +0000 (13:03 +0200)]
minimum version was changed to TLS 1.0 for ciphersuites with SHA2
These ciphersuites could not be used with SSL 3.0 that only defines
usage of MD5 or SHA1 MACs. Reported by Manuel Pegourie-Gonnard.
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 15:57:04 +0000 (17:57 +0200)]
ignore CKR_CRYPTOKI_ALREADY_INITIALIZED when returned on reinitialization
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 15:50:05 +0000 (17:50 +0200)]
tests: x509cert-tl checks gnutls_x509_trust_list_add_trust_dir()
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 15:45:09 +0000 (17:45 +0200)]
doc update
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 14:55:41 +0000 (16:55 +0200)]
doc update
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 14:55:09 +0000 (16:55 +0200)]
Added gnutls_certificate_set_x509_trust_dir()
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 14:50:52 +0000 (16:50 +0200)]
Added gnutls_x509_trust_list_add_trust_dir()
This essentially exports the functionality to read from a directory
with trusted certificates.
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 14:33:34 +0000 (16:33 +0200)]
Allow specifying a directory as trust store
Nikos Mavrogiannopoulos [Fri, 11 Jul 2014 15:43:57 +0000 (17:43 +0200)]
doc update
Simon Arlott [Thu, 10 Jul 2014 21:08:30 +0000 (22:08 +0100)]
libdane: add function dane_query_to_raw_tlsa
This function converts a dane_query_t into the parameters needed for
dane_raw_tlsa() to make it easy to copy the results of the (synchronous)
lookup query from one process to another.
This code allocates an unnecessary extra NULL entry for dane_data_len
to avoid trying to malloc 0 bytes if q->data_entries is 0 (it is possible
for malloc/calloc to return NULL when requested to allocate 0 bytes).
Signed-off-by: Simon Arlott
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 14:47:27 +0000 (16:47 +0200)]
FIPS140-2 tests: no need for MD5 check
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 13:14:20 +0000 (15:14 +0200)]
FIPS140-2 tests: removed redundant checks
We keep one check per cipher which is required, and avoid multiple
(and time-consuming) tests.
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 12:09:55 +0000 (14:09 +0200)]
Allow specifying GNUTLS_CPUID_OVERRIDE in either hex or decimal.
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 12:06:53 +0000 (14:06 +0200)]
doc update
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 12:02:18 +0000 (14:02 +0200)]
Added option to disable any cpu optimizations
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 11:55:28 +0000 (13:55 +0200)]
simplified housekeeping of CPUID registers
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 11:50:15 +0000 (13:50 +0200)]
Allow overriding the detected CPUID using the GNUTLS_CPUID_OVERRIDE environment variable
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 09:15:05 +0000 (11:15 +0200)]
FIPS140-2 tests: Added pairwise consistency check for RSA encryption
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 09:07:25 +0000 (11:07 +0200)]
FIPS140-2 tests: check with DSA-2048 and DSA-3072 bit keys, as well as SHA256.
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 08:59:27 +0000 (10:59 +0200)]
FIPS140-2 tests: check with RSA-2048 and RSA-3072 bit keys
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 08:52:19 +0000 (10:52 +0200)]
tests: check RSA with SHA256
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 08:46:56 +0000 (10:46 +0200)]
FIPS140-2 mode: test whether RSA encrypted data differ from plaintext
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 16:34:02 +0000 (18:34 +0200)]
FIPS140-2 mode: enforce the minimum GCM IV size required by SP800-38D (section 8.2)
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 15:00:25 +0000 (17:00 +0200)]
doc update
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 14:58:53 +0000 (16:58 +0200)]
p11tool/certtool: Added --curve parameter.
The curve parameter allows to explicitly specify the curve to use
when generating a key.
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 12:41:40 +0000 (14:41 +0200)]
doc update
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 12:37:00 +0000 (14:37 +0200)]
set CKA_EC_PARAMS when generating an ECDSA key
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 11:36:16 +0000 (13:36 +0200)]
p11tool: only print warning about key sizes in RSA keys
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 11:32:56 +0000 (13:32 +0200)]
p11tool: make brief output more brief
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 10:13:31 +0000 (12:13 +0200)]
mpi: use zeroize_key() instead of memset()
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 21:11:00 +0000 (23:11 +0200)]
dane: Skip DANE entries that may contain unknown info
That would allow skipping any future entries without failing.
Reported by Simon Arlott.
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 20:58:42 +0000 (22:58 +0200)]
dane: Added sanity check in dane_verify_crt_raw()
That allows calling the function with an empty chain.
Reported by Simon Arlott.
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 16:40:57 +0000 (18:40 +0200)]
examples: mention that gnutls_global_init() is optional
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 16:34:48 +0000 (18:34 +0200)]
doc: mention and link to trust storage module
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 16:30:34 +0000 (18:30 +0200)]
doc update
Nikos Mavrogiannopoulos [Fri, 4 Jul 2014 15:19:38 +0000 (17:19 +0200)]
doc update
Nikos Mavrogiannopoulos [Fri, 4 Jul 2014 13:44:38 +0000 (15:44 +0200)]
pkcs11: Removed length check of attribute as a sanity check for valid keys.
There can be keys where the id or label is empty and thus with zero length.
Nikos Mavrogiannopoulos [Fri, 4 Jul 2014 13:44:12 +0000 (15:44 +0200)]
Increased number of attributes
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 16:11:22 +0000 (18:11 +0200)]
doc update
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 16:07:29 +0000 (18:07 +0200)]
try to restart on session errors, to avoid having a failed call.
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 16:04:46 +0000 (18:04 +0200)]
corrected pkcs11 reinitialization
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 13:36:11 +0000 (15:36 +0200)]
If we get a PKCS #11 session error, invalidate the cached session.
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 13:05:37 +0000 (15:05 +0200)]
set the maximum value when printing library_description
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 13:03:24 +0000 (15:03 +0200)]
On fork invalidate the PKCS #11 privkey cached session
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 09:54:04 +0000 (11:54 +0200)]
doc update
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 09:43:32 +0000 (11:43 +0200)]
p11tool: don't outsmart user and override login type
Unfortunately tokens vary on their requirements for writing trusted
and private objects, and there is no one-size fits all policy. Thus
allow a proper failure and warn the user that so-login may be required.
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 09:45:39 +0000 (11:45 +0200)]
testpkcs11: Try to write the trusted object both by so-pin and normal pin
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 21:14:28 +0000 (23:14 +0200)]
tests: testpkcs11: temp parameters are deleted after generation
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 20:39:29 +0000 (22:39 +0200)]
bumped version
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:59:33 +0000 (15:59 +0200)]
tests: added testpkcs11.sc-hsm
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:57:42 +0000 (15:57 +0200)]
doc update
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:54:24 +0000 (15:54 +0200)]
p11tool: use GNUTLS_PIN and GNUTLS_SO_PIN when setting the PINs of an initialized token.
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:51:11 +0000 (15:51 +0200)]
tests: gendh: increased the DH prime size to allow usage under FIPS140-2 mode
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:49:36 +0000 (15:49 +0200)]
tools: when in batch mode and no PIN, print a note about using the environment variables
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:43:31 +0000 (15:43 +0200)]
tests: crq_key_id: increased generated DSA key size and changed hash to SHA256
That allows the test to operate under the FIPS140-2 mode.
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:41:10 +0000 (15:41 +0200)]
tests: improved error reporting in crq_key_id
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:33:13 +0000 (15:33 +0200)]
doc: properly terminate table
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:30:48 +0000 (15:30 +0200)]
removed pbits=1024, qbits=160 from the acceptable bit sizes in FIPS140-2 DSA parameter generation.
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 11:53:22 +0000 (13:53 +0200)]
doc update
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 11:40:48 +0000 (13:40 +0200)]
doc update
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 11:37:04 +0000 (13:37 +0200)]
tools: PIN callback will respect batch mode and will not ask for PIN.
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 11:26:58 +0000 (13:26 +0200)]
p11tool: Ask for label if not specified.
Added --batch parameter to disable interaction.
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 11:17:55 +0000 (13:17 +0200)]
p11tool: If there is only a single token available, don't bother complaining about specifying the correct URL
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 09:45:05 +0000 (11:45 +0200)]
updated comment
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:53:25 +0000 (15:53 +0200)]
doc update