| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\
| |
| |
| |
| | |
algorithms: implement X448 key exchange and Ed448 signature scheme
See merge request gnutls/gnutls!984
|
| |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \
| |/
|/|
| |
| |
| |
| | |
tls13: fix issues with client OCSP responses
Closes #876
See merge request gnutls/gnutls!1169
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The TLS1.3 protocol requires the server to advertise an empty
OCSP status request extension on its certificate verify message
for an OCSP response to be sent by the client. We now always
send this extension to allow clients attaching those responses.
Resolves: #876
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In client side ensure we see a request for OCSP from servers before
sending one.
Relates: #876
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| | |
libgnutls: Add system-wide default-priority-string override.
See merge request gnutls/gnutls!1158
|
| |
| |
| |
| | |
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
|
|\ \
| |/
|/|
| |
| | |
Extend GOST priority settings and documentation
See merge request gnutls/gnutls!1160
|
| |
| |
| |
| |
| |
| |
| | |
Use +GOST-ALL shortcut to enable GOST ciphersuites. Also document newly
added GOST shortcuts.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | | |
Provide flag to identify sessions that an OCSP response was requested
Closes #829
See merge request gnutls/gnutls!1131
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
That adds the flag GNUTLS_SFLAGS_CLI_REQUESTED_OCSP which can be
checked by a server application to determine whether the
client has requested stapled OCSP responses.
This includes minor cleanups in the status request handling code.
Resolves: #829
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
According to RFC5280 a certificate must not include more than
one instance of a particular extension. We were previously printing
warnings when such extensions were found, but that is insufficient
to flag such certificates. Instead, refuse to import them.
Resolves: #887
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This effectively reverts !400 and ensures that we no longer tolerate
invalid DER time. This complements the previous commit by Lili Quan
and ensures we provide the --disable-strict-der-time backwards compatibility
option.
Resolves: #207
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously we would only set these extensions specific with add_extension
when generating using --generate-certificate. The change makes sure these
options are considered even when generating an extension from a certificate
request. Issue reported on the mailing list.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
When running the test suite we do not apply the global
gnutls configration as it may change options that are
tested.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If a CA is found in the trusted list, check in addition to
time validity, whether the algorithms comply to the expected
level. This addresses the problem of accepting CAs which would
have been marked as insecure otherwise.
Resolves: #877
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| |
| |
| | |
This applies to the --verify and --verify-chain commands.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
According to RFC5280 we should reject such certificates.
Resolves: #870
Signed-off-by: Lili Quan <13132239506@163.com>
|
|/
|
|
| |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This is a behavioral change of the API but it conforms to
the RFC4648 expectations.
Resolves: #834
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Previously we would omit the CRL distribution points from a non-self
signed CA certificate, even if contained in the template.
Resolves: #765
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nia Alarie <nia@NetBSD.org>
|
|
|
|
|
|
|
|
|
|
| |
It is possible for a server to send a new session ticket during
TLS1.2 resumption. To be able to parse it as client we need to
check the extension during resumption as well.
Resolves: #841
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
| |
gnutls-cli/serv tools.
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\
| |
| |
| |
| |
| |
| | |
Regenerate asm files with -fPIC
Closes #818
See merge request gnutls/gnutls!1081
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
CRYPTOGAMS' perl-scripts can produce different output if -fPIC is passed
as option. Set -fPIC for the same files as openssl does.
Closes #818
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
|
|/
|
|
|
|
| |
Resolves: #840
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|\
| |
| |
| |
| |
| |
| | |
ext/supported_versions: reorder client precedence if necessary
Closes #837
See merge request gnutls/gnutls!1074
|
| |
| |
| |
| |
| |
| |
| |
| | |
If the client advertises TLS < 1.2 before TLS 1.3 and the server is
configured with TLS 1.3 enabled, the server should select TLS 1.3;
otherwise the client will disconnect when seeing downgrade sentinel.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
| |
When TLS1.3 was introduced, gnutls_session_get_data2 was modified
to assume that the callbacks set included the timeout one which was
not previously necessary except for some special cases. This corrects
that issue and makes sure that gnutls_session_get_data2() does not
fail (but not necessarily succeed), if that timeout callback is not
set.
Resolves: #823
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since some point in 3.6.x we updated the calculation of maximum record size,
however that did not include the possibility of random record padding available
for CBC ciphersuites which exceeds the maximum. This commit allows for larger
sizes for these ciphersuites to account for random padding as applied by
gnutls 2.12.x.
Resolves: #811
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
| |
This adds an in-place equivalent of gnutls_aead_cipher_encrypt() and
gnutls_aead_cipher_decrypt(), that works on data buffers.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
| |
This exposes the deterministic ECDSA/DSA functionality through the
GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
|
|
| |
Added test certificates (cert10.der) with registered ID
Updated Makefile for inclusion of test certificates
Updated SAN unknown test certificates (cert5.der)
Signed-off-by: Karsten Ohme <k_o_@users.sourceforge.net>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were not setting the third array member correctly, though
this didn't have any impact to previous implementations as they
did not rely on it. This also moves away from the custom implementation
of cpuid (which was limited), and we now rely on the compiler's
version.
This effectively enables support for SHA_NI.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|