| Commit message | Author | Date | Files | Lines (-/+) |
|---|---|---|---|---|
| tests: do not use pkglib to generate libpkcs11mock1.so (tag: gnutls_3_3_23_win32)<br>This resulted in the test library being installed. Instead we use noinst for the library, but pass -rpath to LDFLAGS as a hack to force libtool to generate the shared version. | Nikos Mavrogiannopoulos | 2016-05-20 | 1 | -4/+2 |
| released 3.3.23 (tag: gnutls_3_3_23) | Nikos Mavrogiannopoulos | 2016-05-20 | 3 | -3/+3 |
| gnutls-cli: allow operation with stdin input<br>That is, once commands from stdin are given, they are not only sent to the server, but we also wait for a response prior to exiting. Resolves #96. | Nikos Mavrogiannopoulos | 2016-05-19 | 3 | -3/+50 |
| doc update [ci skip] | Nikos Mavrogiannopoulos | 2016-05-17 | 1 | -1/+1 |
| doc update | Nikos Mavrogiannopoulos | 2016-05-17 | 1 | -0/+3 |
| gnutls-cli: corrected check for OCSP verification success | Nikos Mavrogiannopoulos | 2016-05-17 | 1 | -1/+1 |
| gnutls_global_init: log gnutls' version on initialization | Nikos Mavrogiannopoulos | 2016-05-15 | 1 | -1/+1 |
| doc update [ci skip] | Nikos Mavrogiannopoulos | 2016-05-12 | 1 | -0/+3 |
| tests: backported server name checks | Nikos Mavrogiannopoulos | 2016-05-12 | 2 | -1/+341 |
| server_name: only save the supported server names in the session<br>Invalid server names with embedded nulls and unsupported types are not saved. | Nikos Mavrogiannopoulos | 2016-05-12 | 1 | -10/+14 |
| doc update | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -0/+7 |
| cert cred: add the CN to the list of known hostnames only if no dns_names<br>That is, follow RFC 6125 and support CN as a fallback only. | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -9/+14 |
| gnutls_certificate_set_key: import the DNS names of the certificates<br>That is, only when no (NULL) names are provided. | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -1/+25 |
| Revert "tests: ignore failure to load pkcs11 mock provider"<br>This reverts commit ae40598e5597b1b1f01a7e55d35b5f476d7d19d7. | Nikos Mavrogiannopoulos | 2016-05-03 | 3 | -3/+6 |
| tests: don't run pkcs11 mock module tests under buggy p11-kit | Nikos Mavrogiannopoulos | 2016-05-03 | 2 | -0/+6 |
| tests: ignore failure to load pkcs11 mock provider<br>GnuTLS 3.3.x can work with old versions of p11-kit which do not have the necessary fixes to load absolute paths. | Nikos Mavrogiannopoulos | 2016-05-03 | 3 | -6/+3 |
| Fixed _NETTLE_UPDATE macro<br>The macro was not using the input parameters but rather the actual variable name from the function (which was identical to the input). Patch by Stanislav Zidek. | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -1/+1 |
| gnutls_certificate_set_key: duplicate the provided memory<br>That is, do not assume that a heap-allocated value is provided. | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -2/+11 |
| doc update [ci skip] | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -1/+1 |
| doc update | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -0/+9 |
| tests: added a basic PKCS#11 mock module<br>This is used to test gnutls_pkcs11_obj_get_exts(), gnutls_x509_crt_import_url(), and gnutls_pkcs11_get_raw_issuer() with the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag. | Nikos Mavrogiannopoulos | 2016-05-03 | 6 | -1/+3186 |
| pkcs11: find_cert_cb: do not use C_FindObjectsInit() when another is already running<br>While some modules implicitly terminated the previous run, this is not something that PKCS#11 modules are expected to typically do. | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -35/+37 |
| pkcs11: the flag GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be respected by imported certificates<br>That is, certificates imported with gnutls_pkcs11_obj_import_url() or gnutls_x509_crt_import_url() will be able to be extracted with their extensions overridden. Previously that was available only on gnutls_pkcs11_get_raw_issuer() and friends. | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -0/+18 |
| pkcs11: find_ext_cb: eliminated memory leak | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -0/+1 |
| gnutls_pkcs11_obj_get_exts: updated documentation [ci skip] | Nikos Mavrogiannopoulos | 2016-05-02 | 1 | -4/+7 |
| corrected import issue in gnutls_privkey_import_ecc_raw | Nikos Mavrogiannopoulos | 2016-04-29 | 1 | -1/+1 |
| x509/privkey: in raw import functions set the parameter's algorithm type | Nikos Mavrogiannopoulos | 2016-04-29 | 1 | -0/+3 |
| tests: enhanced dane testing with offline verification checks | Nikos Mavrogiannopoulos | 2016-04-26 | 1 | -34/+573 |
| dane: verification will not fail if a CA entry is encountered but cannot be verified<br>That addresses the issue of verifying a single certificate against a list of TLSA entries that contain an entry with CA usage (cert usage 0). With the previous behavior verification would have failed, while now this entry will be skipped. | Nikos Mavrogiannopoulos | 2016-04-26 | 1 | -3/+5 |
| doc: improved documentation on certificate and DANE verification functions | Nikos Mavrogiannopoulos | 2016-04-26 | 2 | -11/+22 |
| _wrap_nettle_pk_derive: reject values of public key that are over the prime<br>That is, do not canonicalise the value we get from the network, but rather check it for validity. This saves a modular reduction on handshake and performs a sanity check on the peer's (client) parameters. Reported by Hubert Kario. Resolves #84. | Nikos Mavrogiannopoulos | 2016-04-18 | 1 | -10/+4 |
| handshake: do not overwrite the server's signature algorithm<br>That is, correct a bug under which a client sending a certificate would overwrite the server's idea about the used signature algorithm. Reported by Hubert Kario. | Nikos Mavrogiannopoulos | 2016-04-13 | 1 | -1/+2 |
| gnutls_ocsp_resp_get_single: fail if thisUpdate is not available or unparsable<br>That is because this field is not optional, and a failure on its parsing is always fatal. Reported by Yuan Jochen Kang. | Nikos Mavrogiannopoulos | 2016-04-12 | 1 | -2/+3 |
| x509 output: don't warn about insecure algorithm when unknown | Nikos Mavrogiannopoulos | 2016-04-09 | 2 | -3/+3 |
| pkix.asn: corrected byKey definition<br>OCSP is defined in an EXPLICIT tags module, and as such we must tag explicitly all of its tags. | Nikos Mavrogiannopoulos | 2016-04-08 | 2 | -2/+2 |
| name constraints: enforce the rules for IP constraints when adding<br>This will prevent gnutls from generating badly formed certificates. | Nikos Mavrogiannopoulos | 2016-04-05 | 1 | -2/+13 |
| doc update | Nikos Mavrogiannopoulos | 2016-04-02 | 1 | -0/+4 |
| ocsptool: use HTTP/1.0 for requests<br>This avoids issues with servers serving chunked encoding, which ocsptool doesn't support. Reported by Thomas Klute. | Nikos Mavrogiannopoulos | 2016-04-02 | 1 | -1/+1 |
| doc update | Nikos Mavrogiannopoulos | 2016-03-30 | 1 | -0/+2 |
| x509/output: simplified cidr_to_string() | Nikos Mavrogiannopoulos | 2016-03-30 | 1 | -33/+4 |
| x509/output: print RFC5280 CIDRs in name constraints | Nikos Mavrogiannopoulos | 2016-03-30 | 1 | -9/+98 |
| system_recv_timeout(): verify that the file descriptor is acceptable for select() | Nikos Mavrogiannopoulos | 2016-03-30 | 1 | -0/+5 |
| doc update | Nikos Mavrogiannopoulos | 2016-03-21 | 1 | -0/+5 |
| tests: template-test was updated for OCSP key purpose reordering | Nikos Mavrogiannopoulos | 2016-03-21 | 1 | -6/+6 |
| certtool: do not require a CA for OCSP signing<br>This follows the recommendations in RFC6960 in 4.2.2.2 which allow a CA to delegate OCSP signing to another certificate without requiring it to be a CA. Reported by Thomas Klute. | Nikos Mavrogiannopoulos | 2016-03-21 | 1 | -12/+14 |
| x86-common: CPUID override will only work if CPU has already the capability present<br>This resolves test suite failure on CPUs with limited capabilities. Reported by Andreas Metzler. | Nikos Mavrogiannopoulos | 2016-03-18 | 1 | -10/+56 |
| doc update | Nikos Mavrogiannopoulos | 2016-03-18 | 1 | -0/+9 |
| handshake: parse the mandatory-to-parse extension prior to any callback call<br>This relates to the change of the ALPN extension to mandatory-to-parse, and allows applications to get ALPN data prior to handshake completion. | Nikos Mavrogiannopoulos | 2016-03-18 | 1 | -7/+7 |
| tests: verify that the post-client-hello callback has access to ALPN data | Nikos Mavrogiannopoulos | 2016-03-18 | 1 | -0/+45 |
| tests: added checks for session resumption and ALPN<br>This checks whether the ALPN extension is re-read on resumption and is negotiated. | Nikos Mavrogiannopoulos | 2016-03-18 | 1 | -8/+69 |