Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | p11tool: introduced the --mark-distrusted and --distrusted options (tmp-pkcs11-stapled) | Nikos Mavrogiannopoulos | 2016-09-26 | 2 | -2/+20 |
| | | | | | | This allows marking objects as distrusted, as well as listing all distrusted certificates (blacklisted) for a p11-kit trust module as: p11tool --list-all-certs --distrusted | ||||
* | pkcs11: introduced flag GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED | Nikos Mavrogiannopoulos | 2016-09-26 | 3 | -2/+30 |
| | | | | | This allows marking objects as distrusted, as well as listing distrusted objects. | ||||
* | pkcs11: only staple extensions from a trust module when they are from a non-distrusted certificate | Nikos Mavrogiannopoulos | 2016-09-26 | 2 | -5/+14 |
| | | | | | | | | | | | That is, make sure that the API for stapling extensions is only used for non-distrusted (blacklisted) certificates. The reason is to avoid duplicate extension entries from the p11-kit trust database, the fact that they come from blacklisted certificates, and the fact that there is no reason to support stapled extensions for blacklisted certificates. | ||||
* | p11tool: allow to export a certificate with its stapled extensions | Nikos Mavrogiannopoulos | 2016-09-26 | 2 | -0/+20 |
| | |||||
* | gnutls_oid_to_ecc_curve: fix null pointer dereference | Nikos Mavrogiannopoulos | 2016-09-26 | 1 | -1/+1 |
| | | | | | | This addresses an issue where an unknown curve would cause a null pointer dereference. This was introduced with the addition of X25519. Reported by Theofilos Petsios. | ||||
* | Only send the status request extension on cert authentication | Nikos Mavrogiannopoulos | 2016-09-23 | 1 | -0/+5 |
| | | | | | That is, do not bother asking for it, or replying to it, if we are not using any certificates. | ||||
* | gdoc: improved the detection and display of escaped characters (@%) | Nikos Mavrogiannopoulos | 2016-09-22 | 1 | -5/+13 |
| | | | | | This allows strings like %COMPAT and @SYSTEM to be properly displayed in the manual and the manpages. | ||||
* | doc: gnutls_priority_init: fixed %COMPAT [ci skip] | Nikos Mavrogiannopoulos | 2016-09-22 | 1 | -2/+2 |
| | |||||
* | .gitlab-ci.yml: corrected debian build's dependency | Nikos Mavrogiannopoulos | 2016-09-22 | 1 | -1/+1 |
| | |||||
* | doc update | Nikos Mavrogiannopoulos | 2016-09-22 | 1 | -0/+5 |
| | |||||
* | On client side allow signing with the signature algorithm of our cert | Nikos Mavrogiannopoulos | 2016-09-22 | 3 | -6/+12 |
| | | | | | | | That allows signing, for example, with DSA-SHA1 as client even if we do not allow DSA-SHA1 as signature algorithm for server's certificate. This allows using a deprecated certificate without enabling deprecated algorithms globally. | ||||
* | _gnutls_session_get_sign_algo: always return GNUTLS_SIGN_UNKNOWN on failure | Nikos Mavrogiannopoulos | 2016-09-22 | 1 | -1/+1 |
| | |||||
* | tests: added check for server-side ECDSA keys | Nikos Mavrogiannopoulos | 2016-09-22 | 5 | -7/+166 |
| | | | | | | These tests check whether a server ECDSA key will be rejected by the client in case the client has no ECDSA signature algorithms available. | ||||
* | tests: added check for client-side DSA key | Nikos Mavrogiannopoulos | 2016-09-22 | 5 | -7/+184 |
| | | | | | | This checks whether a client can use and send a DSA key, even if DSA is not enabled (which should prohibit the server from providing a DSA certificate). | ||||
* | certtool: do not require a certificate to generate a PKCS#12 file | Nikos Mavrogiannopoulos | 2016-09-22 | 2 | -1/+5 |
| | | | | That is, allow generating PKCS#12 files with private keys only as well. | ||||
* | .gitlab-ci.yml: added debian build | Nikos Mavrogiannopoulos | 2016-09-20 | 1 | -0/+20 |
| | |||||
* | README.md: depend on softhsm2 and net-tools on debian | Nikos Mavrogiannopoulos | 2016-09-20 | 1 | -2/+2 |
| | |||||
* | tests: mini-server-name: skip invalid UTF-8 check if compiled without libidn (tmp-test-macros) | Nikos Mavrogiannopoulos | 2016-09-19 | 1 | -0/+2 |
| | | | | | This allows the test suite to run in systems without libidn. Reported by Thomas Klausner. | ||||
* | tests: added the macros test_fail() and test_success() | Nikos Mavrogiannopoulos | 2016-09-19 | 4 | -43/+47 |
| | | | | | | These macros allow test programs which run multiple checks, to report the name of the check failed. Modified mini-server-name and x509-dn-decode to use the macro. | ||||
* | cfg.mk: removed invalid rule in web target | Nikos Mavrogiannopoulos | 2016-09-19 | 1 | -1/+0 |
| | |||||
* | doc update | Nikos Mavrogiannopoulos | 2016-09-19 | 1 | -0/+4 |
| | |||||
* | added debugging message when session fails due to handshake hash buffer | Nikos Mavrogiannopoulos | 2016-09-19 | 1 | -2/+4 |
| | |||||
* | tests: check whether large packets are allowed on the handshake | Nikos Mavrogiannopoulos | 2016-09-19 | 2 | -1/+286 |
| | |||||
* | Do not allow sending overflowed extensions field | Nikos Mavrogiannopoulos | 2016-09-19 | 1 | -0/+3 |
| | | | | That is, restrict the extensions to a 2^16 total size. | ||||
* | tests: minor improvements in mini-extension | Nikos Mavrogiannopoulos | 2016-09-19 | 1 | -1/+10 |
| | | | | This will improve recovery from error conditions. | ||||
* | Increased the maximum size allowed for handshake messages to 128kb | Nikos Mavrogiannopoulos | 2016-09-19 | 2 | -2/+5 |
| | | | | | This would allow the library to cope with larger packets, as well as TLS 1.3 hellos. Suggested by Hubert Kario. | ||||
* | tests: added check for insecure key | Nikos Mavrogiannopoulos | 2016-09-17 | 5 | -5/+198 |
| | | | | | That is, a check which verified whether a connection to a server with a very small key will fail the certificate verification check. | ||||
* | doc update (separate-error-codes-for-invalid-keys) | Nikos Mavrogiannopoulos | 2016-09-17 | 1 | -0/+2 |
| | |||||
* | Introduced separate error codes for invalid private and public keys | Nikos Mavrogiannopoulos | 2016-09-17 | 4 | -19/+19 |
| | | | | | | This allows functions like decryption and verification to report the specific issue they encountered on public key error. The new codes are GNUTLS_E_PK_INVALID_PUBKEY and GNUTLS_E_PK_INVALID_PRIVKEY | ||||
* | .gitlab-ci.yml: no longer require gnutls-devel (no-gnutls-devel) | Nikos Mavrogiannopoulos | 2016-09-15 | 1 | -2/+2 |
| | | | | This package is no longer needed to run abi-check. | ||||
* | Makefile: abi-check no longer require gnutls headers to be installed | Nikos Mavrogiannopoulos | 2016-09-15 | 1 | -1/+3 |
| | | | | | This addresses the issue of requiring gnutls-devel in the CI system to run abi-check. | ||||
* | doc: remove the conditional self_test functions (nproc) | Nikos Mavrogiannopoulos | 2016-09-14 | 1 | -5/+1 |
| | | | | | | Also prevent them from re-entering the documented functions list by restricting the header files that contribute functions to the known list defined by $(HEADER_FILES). | ||||
* | Makefile.am: introduced 'make files-update' rule | Nikos Mavrogiannopoulos | 2016-09-14 | 3 | -4/+12 |
| | | | | | | This rule updates the makefiles in doc/ and the kept symbol list. This allows for easier automation of the symbol change 'make dist' breakages. | ||||
* | manpages: delete comparison temp file | Nikos Mavrogiannopoulos | 2016-09-14 | 1 | -0/+1 |
| | |||||
* | Makefile.am: symbol changes were made more elaborate | Nikos Mavrogiannopoulos | 2016-09-14 | 1 | -9/+26 |
| | | | | | During make dist, the makefile will report the appropriate symbol change message with instructions and fail. | ||||
* | updated doc and symbol files for gnutls_certificate_set_ocsp_status_request_function2 | Nikos Mavrogiannopoulos | 2016-09-14 | 3 | -0/+4 |
| | |||||
* | Makefile.am: print the symbols.last diff on make dist | Nikos Mavrogiannopoulos | 2016-09-14 | 1 | -1/+1 |
| | | | | | This allows manually verifying the contents before overriding the old file. | ||||
* | doc: allow creation of gnutls.epub without running epub-fix | Nikos Mavrogiannopoulos | 2016-09-14 | 1 | -1/+1 |
| | |||||
* | .gitlab-ci.yml: use nproc as argument to 'make -j' | Nikos Mavrogiannopoulos | 2016-09-14 | 1 | -17/+17 |
| | | | | | That way, we use as many make processes, as the number of CPUs in the CI system. | ||||
* | .gitlab-ci.yml: added build which runs 'make dist' | Nikos Mavrogiannopoulos | 2016-09-14 | 1 | -0/+15 |
| | | | | | | This tests whether the manpages, info, html, pdf and epub manual are properly generated, and whether any new functions were included into makefiles. | ||||
* | doc: fixed the epub documentation generation | Nikos Mavrogiannopoulos | 2016-09-13 | 1 | -4/+6 |
| | |||||
* | gnutls_certificate_set_ocsp_status_request_file: mention version it was enhanced | Nikos Mavrogiannopoulos | 2016-09-13 | 1 | -0/+3 |
| | |||||
* | doc: corrected typo | Nikos Mavrogiannopoulos | 2016-09-13 | 1 | -1/+1 |
| | |||||
* | Add ECDHE-* to the priority string docs for key exchange algorithms | Alex Monk | 2016-09-13 | 1 | -1/+1 |
| | | | | | | | GNUTLS_KX_ECDHE_PSK was added in 2.99.3 (released 2011-06-18). The other two were added in 2.99.2 (released 2011-05-26). Signed-off-by: Alex Monk <krenair@gmail.com> | ||||
* | doc update | Nikos Mavrogiannopoulos | 2016-09-13 | 1 | -0/+4 |
| | |||||
* | .gitlab-ci.yml: added check for position dependent code | Nikos Mavrogiannopoulos | 2016-09-13 | 1 | -4/+9 |
| | |||||
* | Makefile.am: added check for position dependent code | Nikos Mavrogiannopoulos | 2016-09-13 | 1 | -0/+7 |
| | | | | | This check will verify that the generated library doesn't contain position dependent code. It depends on elf utilities. | ||||
* | openssl asm: reverted AESNI-x86 code to gnutls 3.4.x code | Nikos Mavrogiannopoulos | 2016-09-13 | 3 | -2193/+1283 |
| | | | | The newer code was creating position dependent code. | ||||
* | tests: added checks to verify server understanding of UTF8 hostnames (idna-server) | Nikos Mavrogiannopoulos | 2016-09-12 | 5 | -3/+393 |
| | | | | | This verifies whether a server can understand and serve requests which contain UTF-8 server names. | ||||
* | tests: set_key: fixed the time override | Nikos Mavrogiannopoulos | 2016-09-12 | 1 | -2/+2 |
| |