Commit message | Author | Age | Files | Lines
* tests: do not use pkglib to generate libpkcs11mock1.so (tag: gnutls_3_3_23_win32) | Nikos Mavrogiannopoulos | 2016-05-20 | 1 | -4/+2
  This resulted in the test library being installed. Instead we use noinst for the library, but pass -rpath to LDFLAGS as a hack for libtool to generate the shared version.
* released 3.3.23 (tag: gnutls_3_3_23) | Nikos Mavrogiannopoulos | 2016-05-20 | 3 | -3/+3
* gnutls-cli: allow operation with stdin input | Nikos Mavrogiannopoulos | 2016-05-19 | 3 | -3/+50
  That is, once commands from stdin are given, they are not only sent to the server, but we also wait for a response prior to exiting. Resolves #96
* doc update [ci skip] | Nikos Mavrogiannopoulos | 2016-05-17 | 1 | -1/+1
* doc update | Nikos Mavrogiannopoulos | 2016-05-17 | 1 | -0/+3
* gnutls-cli: corrected check for OCSP verification success | Nikos Mavrogiannopoulos | 2016-05-17 | 1 | -1/+1
* gnutls_global_init: log gnutls' version on initialization | Nikos Mavrogiannopoulos | 2016-05-15 | 1 | -1/+1
* doc update [ci skip] | Nikos Mavrogiannopoulos | 2016-05-12 | 1 | -0/+3
* tests: backported server name checks | Nikos Mavrogiannopoulos | 2016-05-12 | 2 | -1/+341
* server_name: only save the supported server names in the session | Nikos Mavrogiannopoulos | 2016-05-12 | 1 | -10/+14
  Invalid server names with embedded nulls and unsupported types are not saved.
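The commit above concerns the server_name (SNI) extension of RFC 6066. The following parser is an added example for this page, not GnuTLS code: it decodes a ServerNameList and keeps only host_name entries, skipping unsupported NameTypes and treating an embedded NUL as a fatal error (that split between "skip" and "reject" is this example's own policy, since a NUL-containing name would be silently truncated once copied into a C string). The `build_server_name_list` helper and the sample inputs are constructed here for testing, not captured traffic.

```python
import struct

HOST_NAME = 0  # the only NameType RFC 6066 defines for server_name


class SNIError(ValueError):
    """Raised when the extension body is malformed and must be rejected."""


def parse_server_name_list(data: bytes) -> list:
    """Parse a server_name extension body (RFC 6066 ServerNameList) and
    return the host_name entries that are safe to save in the session.

    Policy (an assumption of this example, not a statement about any
    library): entries of an unsupported NameType are skipped, while a
    host_name carrying an embedded NUL byte makes the whole extension invalid.
    """
    if len(data) < 2:
        raise SNIError("truncated ServerNameList length")
    (list_len,) = struct.unpack("!H", data[:2])
    if list_len == 0 or 2 + list_len != len(data):
        raise SNIError("ServerNameList length does not match extension body")
    pos, end = 2, 2 + list_len
    names = []
    while pos < end:
        if end - pos < 3:
            raise SNIError("truncated ServerName entry")
        name_type = data[pos]
        (name_len,) = struct.unpack("!H", data[pos + 1:pos + 3])
        pos += 3
        if name_len == 0 or pos + name_len > end:
            raise SNIError("HostName length runs past the list")
        raw = data[pos:pos + name_len]
        pos += name_len
        if name_type != HOST_NAME:
            continue  # unsupported type: not saved, but not fatal
        if b"\x00" in raw:
            raise SNIError("embedded NUL in host_name")
        try:
            names.append(raw.decode("ascii"))
        except UnicodeDecodeError:
            raise SNIError("host_name is not ASCII") from None
    return names


def reject_reason(data: bytes):
    """Return None if the body parses, otherwise the reason it was rejected."""
    try:
        parse_server_name_list(data)
        return None
    except SNIError as exc:
        return str(exc)


def build_server_name_list(entries) -> bytes:
    """Encode [(name_type, raw_name_bytes), ...] as a ServerNameList.
    Used only to construct the test inputs below."""
    body = b"".join(struct.pack("!BH", t, len(n)) + n for t, n in entries)
    return struct.pack("!H", len(body)) + body


# Constructed inputs (not captured traffic).
GOOD = build_server_name_list([(0, b"www.example.com")])
UNKNOWN_TYPE = build_server_name_list([(1, b"\x01\x02"), (0, b"example.com")])
EMBEDDED_NUL = build_server_name_list([(0, b"www.example.com\x00.attacker.test")])
TRUNCATED = GOOD[:-3]  # list length field no longer matches the body

if __name__ == "__main__":
    print(parse_server_name_list(GOOD))          # ['www.example.com']
    print(parse_server_name_list(UNKNOWN_TYPE))  # ['example.com']
    print(reject_reason(EMBEDDED_NUL))           # embedded NUL in host_name
    print(reject_reason(TRUNCATED))              # ServerNameList length does not match extension body
```

The length check against the full extension body is what makes the "unknown type" case safe to skip: an entry can only be skipped once its declared length has been verified to stay inside the list, so a malformed entry cannot desynchronise the parse of the ones after it.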
* doc update | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -0/+7
* cert cred: add the CN to the list of known hostnames only if no dns_names | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -9/+14
  That is, follow RFC 6125 and support CN as a fallback only.
* gnutls_certificate_set_key: import the DNS names of the certificates | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -1/+25
  That is, only when no (NULL) names are provided.
* Revert "tests: ignore failure to load pkcs11 mock provider" | Nikos Mavrogiannopoulos | 2016-05-03 | 3 | -3/+6
  This reverts commit ae40598e5597b1b1f01a7e55d35b5f476d7d19d7.
* tests: don't run pkcs11 mock module tests under buggy p11-kit | Nikos Mavrogiannopoulos | 2016-05-03 | 2 | -0/+6
* tests: ignore failure to load pkcs11 mock provider | Nikos Mavrogiannopoulos | 2016-05-03 | 3 | -6/+3
  GnuTLS 3.3.x can work with old versions of p11-kit which do not have the necessary fixes to load absolute paths.
* Fixed _NETTLE_UPDATE macro | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -1/+1
  The macro was not using the input parameters but rather the actual variable name from the function (which was identical to input). Patch by Stanislav Zidek.
* gnutls_certificate_set_key: duplicate the provided memory | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -2/+11
  That is, do not assume that a heap allocated value is provided.
* doc update [ci skip] | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -1/+1
* doc update | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -0/+9
* tests: added a basic PKCS#11 mock module | Nikos Mavrogiannopoulos | 2016-05-03 | 6 | -1/+3186
  This is used to test gnutls_pkcs11_obj_get_exts(), gnutls_x509_crt_import_url(), and gnutls_pkcs11_get_raw_issuer() with the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag.
* pkcs11: find_cert_cb: do not use C_FindObjectsInit() when another is already running | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -35/+37
  While some modules implicitly terminated the previous run, this is not something that PKCS#11 modules are typically expected to do.
* pkcs11: the flag GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be respected by imported certificates | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -0/+18
  That is, certificates imported with gnutls_pkcs11_obj_import_url() or gnutls_x509_crt_import_url() will be able to be extracted with their extensions overridden. Previously that was available only on gnutls_pkcs11_get_raw_issuer() and friends.
* pkcs11: find_ext_cb: eliminated memory leak | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -0/+1
* gnutls_pkcs11_obj_get_exts: updated documentation [ci skip] | Nikos Mavrogiannopoulos | 2016-05-02 | 1 | -4/+7
* corrected import issue in gnutls_privkey_import_ecc_raw | Nikos Mavrogiannopoulos | 2016-04-29 | 1 | -1/+1
* x509/privkey: in raw import functions set the parameter's algorithm type | Nikos Mavrogiannopoulos | 2016-04-29 | 1 | -0/+3
* tests: enhanced dane testing with offline verification checks | Nikos Mavrogiannopoulos | 2016-04-26 | 1 | -34/+573
* dane: verification will not fail if a CA entry is encountered but cannot be verified | Nikos Mavrogiannopoulos | 2016-04-26 | 1 | -3/+5
  That addresses the issue of verifying a single certificate against a list of TLSA entries that contain an entry with CA usage (cert usage 0). With the previous behavior verification would have failed, while now this entry will be skipped.
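To make the behaviour described in the commit above concrete, here is an added example of TLSA (RFC 6698) matching written for this page; it is not GnuTLS's dane code. It hashes the end-entity certificate (or its SubjectPublicKeyInfo) according to each record's selector and matching type, checks CA-usage records (certificate usage 0 and 2) only against a supplied issuer chain, and reports such a record as skipped rather than failing when no chain is available. The `Cert` blobs, record data and the "ok if at least one record matched" decision rule are constructed assumptions of this example; PKIX path validation for usages 0 and 1 is out of scope.

```python
import hashlib
from dataclasses import dataclass

# RFC 6698 field values
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3      # certificate usage
SEL_CERT, SEL_SPKI = 0, 1                            # selector
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2     # matching type
CA_USAGES = (PKIX_TA, DANE_TA)   # constrain an issuer, so they need the chain
EE_USAGES = (PKIX_EE, DANE_EE)   # constrain the end-entity certificate itself


@dataclass
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


@dataclass
class Cert:
    """Only the two blobs TLSA matching needs. Constructed bytes stand in for
    DER here; a real implementation would take them from the parsed cert."""
    der: bytes
    spki: bytes


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Compute the 'certificate association data' for one selector/mtype."""
    blob = cert.der if selector == SEL_CERT else cert.spki
    if mtype == MATCH_FULL:
        return blob
    if mtype == MATCH_SHA256:
        return hashlib.sha256(blob).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(blob).digest()
    raise ValueError("unknown matching type %d" % mtype)


def _matches(rec: TLSA, cert: Cert) -> bool:
    return association_data(cert, rec.selector, rec.mtype) == rec.data


def verify_tlsa(ee: Cert, records, chain=None):
    """Check an end-entity certificate against its TLSA records.

    Returns (ok, per_record_status). A CA-usage record can only be checked
    against issuer certificates; without a chain it is reported as 'skipped'
    instead of failing the whole verification, and the outcome is decided by
    the remaining records. ok is True when at least one record matched.
    """
    statuses = []
    for rec in records:
        known_params = (rec.selector in (SEL_CERT, SEL_SPKI)
                        and rec.mtype in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512))
        if not known_params:
            statuses.append("unusable")
        elif rec.usage in CA_USAGES:
            if not chain:
                statuses.append("skipped")   # cannot be verified, do not fail
            else:
                hit = any(_matches(rec, c) for c in chain)
                statuses.append("match" if hit else "mismatch")
        elif rec.usage in EE_USAGES:
            statuses.append("match" if _matches(rec, ee) else "mismatch")
        else:
            statuses.append("unusable")
    return ("match" in statuses), statuses


# Constructed stand-ins for DER blobs (not real certificates).
EE = Cert(der=b"ee-cert-der", spki=b"ee-spki-der")
CA = Cert(der=b"ca-cert-der", spki=b"ca-spki-der")
RECORDS = [
    TLSA(PKIX_TA, SEL_CERT, MATCH_SHA256, hashlib.sha256(CA.der).digest()),
    TLSA(DANE_EE, SEL_SPKI, MATCH_SHA256, hashlib.sha256(EE.spki).digest()),
]

if __name__ == "__main__":
    print(verify_tlsa(EE, RECORDS))              # (True, ['skipped', 'match'])
    print(verify_tlsa(EE, RECORDS, chain=[CA]))  # (True, ['match', 'match'])
    print(verify_tlsa(EE, RECORDS[:1]))          # (False, ['skipped'])
```

The third call shows the boundary of the "skip" rule as chosen here: a CA-usage record that could not be checked does not by itself fail verification, but it does not count as a success either, so a record set consisting only of unverifiable CA entries still yields a failure.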
* doc: improved documentation on certificate and DANE verification functions | Nikos Mavrogiannopoulos | 2016-04-26 | 2 | -11/+22
* _wrap_nettle_pk_derive: reject values of public key that are over the prime | Nikos Mavrogiannopoulos | 2016-04-18 | 1 | -10/+4
  That is, do not canonicalise the value we get from the network, but rather check it for validity. This saves a modular reduction on handshake and performs a sanity check on the peer's (client) parameters. Reported by Hubert Kario. Resolves #84
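The distinction the commit above draws, validating the peer's Diffie-Hellman public value as received instead of reducing it modulo the prime, is shown by the following added example (written for this page; it is not GnuTLS's `_wrap_nettle_pk_derive`). It goes slightly beyond the commit: besides rejecting values at or above p, it rejects the degenerate values 0, 1 and p-1, and, when the subgroup order q is known, applies the RFC 2631 subgroup-membership check. The toy group (p = 23, q = 11, g = 2) and the private exponents are constructed for illustration and are far too small for real use.

```python
from typing import Optional


def dh_peer_value_ok(y: int, p: int, q: Optional[int] = None) -> bool:
    """Validate a Diffie-Hellman public value received from the peer.

    The value is taken as sent: anything >= p is rejected rather than reduced
    modulo p, and 0, 1 and p-1 are rejected because they force a predictable
    shared secret. If the order q of the generator's subgroup is known, the
    small-subgroup check y**q == 1 (mod p) is applied as well; that check is
    an addition of this example, not part of the commit above.
    """
    if y < 2 or y > p - 2:
        return False
    if q is not None and pow(y, q, p) != 1:
        return False
    return True


def dh_shared_secret(my_priv: int, peer_pub: int, p: int,
                     q: Optional[int] = None) -> int:
    """Compute peer_pub ** my_priv mod p, refusing an invalid peer value."""
    if not dh_peer_value_ok(peer_pub, p, q):
        raise ValueError("invalid DH public value %d" % peer_pub)
    return pow(peer_pub, my_priv, p)


# Toy group, constructed for illustration only: p = 23 is a safe prime
# (p = 2q + 1 with q = 11) and g = 2 generates the subgroup of order 11.
P, Q, G = 23, 11, 2
A_PRIV, B_PRIV = 6, 15
A_PUB = pow(G, A_PRIV, P)   # 18
B_PUB = pow(G, B_PRIV, P)   # 16


def run_exchange() -> int:
    """Both sides derive the same secret from validated public values."""
    ka = dh_shared_secret(A_PRIV, B_PUB, P, Q)
    kb = dh_shared_secret(B_PRIV, A_PUB, P, Q)
    assert ka == kb
    return ka


def classify(values, p=P, q=Q) -> dict:
    """Map each candidate public value to whether it would be accepted."""
    return {y: dh_peer_value_ok(y, p, q) for y in values}


if __name__ == "__main__":
    print(run_exchange())   # 4
    # 41 == 18 + 23: an implementation that canonicalises would reduce it to
    # the valid value 18 and accept it; validating instead rejects it.
    # 5 lies in Z_23^* but not in the order-11 subgroup; 22 == -1 mod 23.
    print(classify([0, 1, 5, 18, 22, 23, 41]))
    # {0: False, 1: False, 5: False, 18: True, 22: False, 23: False, 41: False}
```

Rejecting rather than reducing also removes a source of ambiguity: with canonicalisation, two different wire encodings (18 and 41 here) map to the same key, so a transcript hash that covers the raw ClientKeyExchange bytes no longer uniquely determines the key that was agreed.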
* handshake: do not overwrite the server's signature algorithm | Nikos Mavrogiannopoulos | 2016-04-13 | 1 | -1/+2
  That is, correct a bug under which a client sending a certificate would overwrite the server's idea about the used signature algorithm. Reported by Hubert Kario.
* gnutls_ocsp_resp_get_single: fail if thisUpdate is not available or unparsable | Nikos Mavrogiannopoulos | 2016-04-12 | 1 | -2/+3
  That is because this field is not optional, and a failure on its parsing is always fatal. Reported by Yuan Jochen Kang.
* x509 output: don't warn about insecure algorithm when unknown | Nikos Mavrogiannopoulos | 2016-04-09 | 2 | -3/+3
* pkix.asn: corrected byKey definition | Nikos Mavrogiannopoulos | 2016-04-08 | 2 | -2/+2
  OCSP is defined in an EXPLICIT tags module, and as such we must tag explicitly all of its tags.
* name constraints: enforce the rules for IP constraints when adding | Nikos Mavrogiannopoulos | 2016-04-05 | 1 | -2/+13
  This will prevent gnutls from generating badly formed certificates.
* doc update | Nikos Mavrogiannopoulos | 2016-04-02 | 1 | -0/+4
* ocsptool: use HTTP/1.0 for requests | Nikos Mavrogiannopoulos | 2016-04-02 | 1 | -1/+1
  This avoids issues with servers using chunked encoding, which ocsptool doesn't support. Reported by Thomas Klute.
* doc update | Nikos Mavrogiannopoulos | 2016-03-30 | 1 | -0/+2
* x509/output: simplified cidr_to_string() | Nikos Mavrogiannopoulos | 2016-03-30 | 1 | -33/+4
* x509/output: print RFC5280 CIDRs in name constraints | Nikos Mavrogiannopoulos | 2016-03-30 | 1 | -9/+98
* system_recv_timeout(): verify that the file descriptor is acceptable for select() | Nikos Mavrogiannopoulos | 2016-03-30 | 1 | -0/+5
* doc update | Nikos Mavrogiannopoulos | 2016-03-21 | 1 | -0/+5
* tests: template-test was updated for OCSP key purpose reordering | Nikos Mavrogiannopoulos | 2016-03-21 | 1 | -6/+6
* certtool: do not require a CA for OCSP signing | Nikos Mavrogiannopoulos | 2016-03-21 | 1 | -12/+14
  This follows the recommendations in RFC 6960 section 4.2.2.2, which allow a CA to delegate OCSP signing to another certificate without requiring it to be a CA. Reported by Thomas Klute.
* x86-common: CPUID override will only work if CPU has already the capability present | Nikos Mavrogiannopoulos | 2016-03-18 | 1 | -10/+56
  This resolves a test suite failure on CPUs with limited capabilities. Reported by Andreas Metzler.
* doc update | Nikos Mavrogiannopoulos | 2016-03-18 | 1 | -0/+9
* handshake: parse the mandatory-to-parse extension prior to any callback call | Nikos Mavrogiannopoulos | 2016-03-18 | 1 | -7/+7
  This relates to the change of the ALPN extension to mandatory-to-parse, and allows applications to get ALPN data prior to handshake completion.
* tests: verify that the post-client-hello callback has access to ALPN data | Nikos Mavrogiannopoulos | 2016-03-18 | 1 | -0/+45
* tests: added checks for session resumption and ALPN | Nikos Mavrogiannopoulos | 2016-03-18 | 1 | -8/+69
  This checks whether the ALPN extension is re-read on resumption and is negotiated.