path: root/lib/gnutls_int.h
Commit message [author, date, files changed, lines -/+]
* only send EtM extension if we have CBC ciphersuites [Nikos Mavrogiannopoulos, 2015-04-01, 1 file, -0/+1]
* Added the CHACHA20-POLY1305 ciphersuites (with random IDs) [Nikos Mavrogiannopoulos, 2015-03-28, 1 file, -0/+20]
* do not penalize CBC ciphers with the maximum send data size [Nikos Mavrogiannopoulos, 2015-03-28, 1 file, -6/+0]
  That reduced the maximum send size for CBC ciphers from 16384 to 16384-(block size), which was unnecessary and was causing issues: https://bugs.winehq.org/show_bug.cgi?id=37500
* gnutls_record_set_max_empty_records: removed [Nikos Mavrogiannopoulos, 2015-03-28, 1 file, -1/+0]
* drop support for gnulib's u64 [Nikos Mavrogiannopoulos, 2015-03-24, 1 file, -1/+0]
* added gnutls_ext_set_data() and gnutls_ext_get_data() [Nikos Mavrogiannopoulos, 2015-03-20, 1 file, -2/+2]
  As a side effect the type which holds private data was reduced from union to void * pointer. That simplifies the exported API without reducing the options in the internal API.
* Added a way to add custom extensions from public API. [Thierry Quemerais, 2015-03-19, 1 file, -28/+0]
  Signed-off-by: Thierry Quemerais <tquemerais@awox.com>
* Added the notion of obsolete versions [Nikos Mavrogiannopoulos, 2015-01-16, 1 file, -0/+1]
  That prevents using these versions as record version numbers, unless they are the only protocol supported. This avoids the issues with servers that have banned SSL 3.0 record versions.
* gnutls_sign_callback_set() and gnutls_sign_callback_get() were removed [Nikos Mavrogiannopoulos, 2014-12-03, 1 file, -6/+0]
* The record version in the client Hello will be set to the lowest supported protocol [Nikos Mavrogiannopoulos, 2014-11-21, 1 file, -1/+2]
  There should have been no harm in keeping it SSL 3.0 but unfortunately in draft-thomson-sslv3-diediedie-00 it has been marked as MUST NOT do that. That will be fixed in a later revision but since then there are servers not accepting SSL 3.0 as a valid record version (note that this is about the record version, which describes the format of the packet, nothing to do with the negotiated version).
* Added priority string %NO_SESSION_HASH to prevent advertising the extended master secret extension [Nikos Mavrogiannopoulos, 2014-11-13, 1 file, -0/+2]
* corrected calculation for max send data and other uses of _gnutls_cipher_type() [Nikos Mavrogiannopoulos, 2014-11-05, 1 file, -1/+1]
* introduced GNUTLS_MAX_SESSION_ID_SIZE [Nikos Mavrogiannopoulos, 2014-11-05, 1 file, -3/+1]
* Added support for RFC7366 (encrypt then authenticate) [Nikos Mavrogiannopoulos, 2014-11-03, 1 file, -0/+6]
  It implements a revised version of RFC7366, to avoid interoperability issues: http://www.ietf.org/mail-archive/web/tls/current/msg14349.html This is currently enabled by default, unless %NO_ETM, or %COMPAT is specified.
* Made AEAD type an alternative to stream and block [Nikos Mavrogiannopoulos, 2014-11-03, 1 file, -4/+4]
  That way the terminology becomes closer to the TLS RFC.
* Improved support of draft-ietf-tls-session-hash-02. [Nikos Mavrogiannopoulos, 2014-10-25, 1 file, -0/+2]
  Now the session hash is calculated correctly even when a client certificate is sent. That is, the session hash now does not take into account the CertificateVerify message.
* Added priority string %NO_TICKETS that disables session ticket support [Nikos Mavrogiannopoulos, 2014-10-24, 1 file, -0/+1]
  This is implied by the priority string PFS.
* added _gnutls_hello_set_default_version() which allows overriding the clienthello version [Nikos Mavrogiannopoulos, 2014-10-17, 1 file, -0/+1]
* added internal variable to track handshake status [Nikos Mavrogiannopoulos, 2014-10-09, 1 file, -0/+2]
* Added support for the extended master secret calculation [Nikos Mavrogiannopoulos, 2014-10-08, 1 file, -8/+11]
  That is performed implicitly unless GNUTLS_NO_EXTENSIONS is specified. The implementation follows draft-ietf-tls-session-hash-02.
* the handshake function has a timeout value by default [Nikos Mavrogiannopoulos, 2014-10-02, 1 file, -0/+1]
* protect DTLS clients that don't handle GNUTLS_E_LARGE_PACKET from an infinite loop on handshake [Nikos Mavrogiannopoulos, 2014-09-25, 1 file, -0/+3]
* handshake: Allow the post client hello callback to put the handshake on hold [Nikos Mavrogiannopoulos, 2014-06-09, 1 file, -2/+2]
  That is, when the callback returns GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED the handshake will return GNUTLS_E_INTERRUPTED, and can be resumed when needed.
* When assigning the TLS version, double check that it is valid. [Nikos Mavrogiannopoulos, 2014-05-22, 1 file, -4/+9]
* Ensure that there are no remainders in the TLS handshake packets. [Nikos Mavrogiannopoulos, 2014-05-05, 1 file, -0/+5]
  The issue was discovered using the Codenomicon TLS suite.
* Prevent gnulib from replacing strdup as we don't include this gnulib module. [Nikos Mavrogiannopoulos, 2014-04-09, 1 file, -0/+6]
* Use the IANA assigned padding extension number. [Nikos Mavrogiannopoulos, 2014-04-07, 1 file, -1/+3]
* The %COMPAT keyword no longer reduces security. [Nikos Mavrogiannopoulos, 2014-03-27, 1 file, -2/+1]
  Introduced the LEGACY keyword which will enable the settings used in GnuTLS 3.2.x for NORMAL keyword. That is to be used in cases where compatibility with weak or misconfigured servers is required.
* stricter type usage [Nikos Mavrogiannopoulos, 2014-03-08, 1 file, -2/+4]
* NEW_PADDING has been removed. [Nikos Mavrogiannopoulos, 2014-03-05, 1 file, -8/+0]
  This extension did not get accepted by IETF so it is now being removed. The gnutls_range API is kept in case length hiding is implemented in a different way at some point.
* %COMPAT implies %DUMBFW [Nikos Mavrogiannopoulos, 2014-01-19, 1 file, -0/+1]
* The simple bit size check in certificates is now replaced by the verification profiles. [Nikos Mavrogiannopoulos, 2014-01-15, 1 file, -2/+0]
* no need to set profile to LOW as it is already the default [Nikos Mavrogiannopoulos, 2014-01-15, 1 file, -2/+0]
* When verifying a certificate's security level ensure that the hash is within the level [Nikos Mavrogiannopoulos, 2014-01-15, 1 file, -1/+3]
* enforce certificate verification profiles when setting priority strings [Nikos Mavrogiannopoulos, 2014-01-13, 1 file, -1/+4]
* use better definitions [Nikos Mavrogiannopoulos, 2013-12-15, 1 file, -0/+4]
* Align on 16-byte boundaries the buffers provided to cryptodev. [Nikos Mavrogiannopoulos, 2013-12-15, 1 file, -2/+3]
  When gnutls is compiled with support for cryptodev, the buffers provided to crypto backend are ensured to be 16-byte aligned (except the ones provided by the user). That increases performance in several crypto accelerators.
* FIPS140 mode is detected on run-time. [Nikos Mavrogiannopoulos, 2013-12-09, 1 file, -0/+2]
  That allows a library compiled in FIPS140 mode to operate as the full library if the system is not in FIPS mode.
* DH key exchange uses the _gnutls_pk_derive and _gnutls_pk_generate_key functions. [Nikos Mavrogiannopoulos, 2013-11-28, 1 file, -4/+7]
  This allows handling DH key generation in the crypto backend files.
* overwrite temp buffers of private keys. [Nikos Mavrogiannopoulos, 2013-11-27, 1 file, -14/+0]
* zeroize ECC secret scalars and points. [Nikos Mavrogiannopoulos, 2013-11-27, 1 file, -3/+6]
* Added key zeroization primitives. [Nikos Mavrogiannopoulos, 2013-11-27, 1 file, -0/+11]
* Corrected bug which affected compressed records. [Nikos Mavrogiannopoulos, 2013-11-22, 1 file, -4/+6]
  Less space was provided for decryption than required, causing disconnection issues when compression was used. The issue was pointed out by Frank Zschockelt. Also replaced the macros MAX_RECORD_RECV_SIZE and MAX_RECV_SIZE with max_decrypted_size() and max_record_recv_size().
* Use AES-GCM to encrypt session tickets. [Nikos Mavrogiannopoulos, 2013-11-22, 1 file, -2/+0]
* use the bool expression instead of unsigned int:1. [Nikos Mavrogiannopoulos, 2013-11-12, 1 file, -38/+39]
* Added %DUMBFW priority string option. [Nikos Mavrogiannopoulos, 2013-11-10, 1 file, -0/+2]
  This works around issues when connecting behind some firewalls.
* reindented code [Nikos Mavrogiannopoulos, 2013-11-08, 1 file, -686/+652]
* separated the TLS IV size and the cipher IV size. [Nikos Mavrogiannopoulos, 2013-11-06, 1 file, -1/+2]
* corrected max_user_send_size() for DTLS. [Nikos Mavrogiannopoulos, 2013-09-01, 1 file, -6/+9]
* _gnutls_send_tlen_int() accepts the actual pad rather than the intended data. [Nikos Mavrogiannopoulos, 2013-09-01, 1 file, -1/+19]
  Corrections in sending records with %NEW_PADDING.