gnutls:gnutls.git
3 years agoupdated testcompat gnutls_3_1_28
Nikos Mavrogiannopoulos [Mon, 10 Nov 2014 07:12:03 +0000 (08:12 +0100)]
updated testcompat

3 years agobumped version
Nikos Mavrogiannopoulos [Mon, 10 Nov 2014 07:02:53 +0000 (08:02 +0100)]
bumped version

3 years agodoc update
Nikos Mavrogiannopoulos [Mon, 10 Nov 2014 06:51:53 +0000 (07:51 +0100)]
doc update

3 years agowhen exporting curve coordinates to X9.63 format, perform additional sanity checks...
Nikos Mavrogiannopoulos [Mon, 10 Nov 2014 06:50:18 +0000 (07:50 +0100)]
when exporting curve coordinates to X9.63 format, perform additional sanity checks on input

Reported by Sean Burford.

3 years agoFix double-free in gnutls_pkcs12_simple_parse()
Nikos Mavrogiannopoulos [Wed, 5 Nov 2014 12:35:43 +0000 (13:35 +0100)]
Fix double-free in gnutls_pkcs12_simple_parse()

3 years agobumped version gnutls_3_1_27
Nikos Mavrogiannopoulos [Mon, 13 Oct 2014 03:57:55 +0000 (05:57 +0200)]
bumped version

3 years agodoc update
Nikos Mavrogiannopoulos [Mon, 13 Oct 2014 03:55:34 +0000 (05:55 +0200)]
doc update

3 years agoprotect DTLS clients that don't handle GNUTLS_E_LARGE_PACKET from an infinite loop...
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 10:00:39 +0000 (12:00 +0200)]
protect DTLS clients that don't handle GNUTLS_E_LARGE_PACKET from an infinite loop on handshake

Conflicts:
lib/gnutls_int.h
lib/gnutls_state.c

3 years agorestrict the number of non-fatal errors gnutls_handshake() can return
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 10:27:48 +0000 (12:27 +0200)]
restrict the number of non-fatal errors gnutls_handshake() can return

Conflicts:
lib/gnutls_record.c

3 years agodoc update
Nikos Mavrogiannopoulos [Thu, 18 Sep 2014 09:10:16 +0000 (11:10 +0200)]
doc update

3 years agodoc update
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 17:32:29 +0000 (19:32 +0200)]
doc update

3 years agoupdated libopts to 5.18.3
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 11:07:08 +0000 (13:07 +0200)]
updated libopts to 5.18.3

3 years agodo not define sigaction when in win32
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 11:05:46 +0000 (13:05 +0200)]
do not define sigaction when in win32

Report and patch by Antoine Pierlot-Garcin

3 years agognutls_x509_crl_verify: do not always set the invalid status
Nikos Mavrogiannopoulos [Sat, 13 Sep 2014 11:31:45 +0000 (13:31 +0200)]
gnutls_x509_crl_verify: do not always set the invalid status

Reported by Armin Burgmeier.

3 years agoRevert "gnutls_x509_crl_verify: do not always set the invalid status"
Nikos Mavrogiannopoulos [Sat, 13 Sep 2014 08:32:52 +0000 (10:32 +0200)]
Revert "gnutls_x509_crl_verify: do not always set the invalid status"

This reverts commit a80ce2926941fd490a6f7ef7c2846de90c28f818.

3 years agognutls_x509_crl_verify: do not always set the invalid status
Nikos Mavrogiannopoulos [Sat, 13 Sep 2014 07:52:30 +0000 (09:52 +0200)]
gnutls_x509_crl_verify: do not always set the invalid status

Reported by Armin Burgmeier.

3 years agoreleased 3.1.26 gnutls_3_1_26
Nikos Mavrogiannopoulos [Sun, 24 Aug 2014 07:48:36 +0000 (09:48 +0200)]
released 3.1.26

3 years agorecord: tolerate a finished packet with errors in DTLS
Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 19:18:59 +0000 (21:18 +0200)]
record: tolerate a finished packet with errors in DTLS

3 years agodoc update
Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 15:39:19 +0000 (17:39 +0200)]
doc update

3 years agorecord: in DTLS discard only messages that cause unexpected packet errors
Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 15:38:49 +0000 (17:38 +0200)]
record: in DTLS discard only messages that cause unexpected packet errors

4 years agobumped versions
Nikos Mavrogiannopoulos [Sun, 17 Aug 2014 13:48:28 +0000 (15:48 +0200)]
bumped versions

4 years agodoc update
Nikos Mavrogiannopoulos [Sun, 17 Aug 2014 13:36:54 +0000 (15:36 +0200)]
doc update

4 years agotests: check that gnutls_x509_crt_check_hostname() will correctly use the last CN...
Nikos Mavrogiannopoulos [Sun, 17 Aug 2014 13:33:28 +0000 (15:33 +0200)]
tests: check that gnutls_x509_crt_check_hostname() will correctly use the last CN when multiple

4 years agowhen checking the hostname of a certificate with multiple CNs use the "most specific" CN
Nikos Mavrogiannopoulos [Sun, 17 Aug 2014 13:25:24 +0000 (15:25 +0200)]
when checking the hostname of a certificate with multiple CNs use the "most specific" CN

In our case we use the last CN present in the DN. Reported
by David Woodhouse.

4 years agodoc update
Nikos Mavrogiannopoulos [Mon, 11 Aug 2014 08:18:07 +0000 (10:18 +0200)]
doc update

4 years agotests: updated string to keys tests for new internal API
Nikos Mavrogiannopoulos [Mon, 11 Aug 2014 08:17:25 +0000 (10:17 +0200)]
tests: updated string to keys tests for new internal API

4 years agotests: test the decoding of a PKCS #12 structure with SHA256 MAC
Nikos Mavrogiannopoulos [Sun, 10 Aug 2014 09:24:15 +0000 (11:24 +0200)]
tests: test the decoding of a PKCS #12 structure with SHA256 MAC

Conflicts:
tests/pkcs12-decode/pkcs12

Conflicts:
tests/pkcs12-decode/Makefile.am

4 years agopkcs11: Allow verification with structures that support other than HMAC-SHA1 MACs.
Nikos Mavrogiannopoulos [Mon, 11 Aug 2014 08:00:52 +0000 (10:00 +0200)]
pkcs11: Allow verification with structures that support other than HMAC-SHA1 MACs.

4 years agodoc update
Nikos Mavrogiannopoulos [Mon, 4 Aug 2014 14:34:15 +0000 (16:34 +0200)]
doc update

4 years agopkcs8: initialize parameters on decryption
Nikos Mavrogiannopoulos [Mon, 4 Aug 2014 14:33:47 +0000 (16:33 +0200)]
pkcs8: initialize parameters on decryption

4 years agoupdated auto-generated files
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 19:02:16 +0000 (21:02 +0200)]
updated auto-generated files

4 years agodoc update
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 18:59:23 +0000 (20:59 +0200)]
doc update

4 years agoAdded so-login flag to force security office login to the card
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 18:58:09 +0000 (20:58 +0200)]
Added so-login flag to force security office login to the card

4 years agop11tool: don't outsmart user and override login type
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 18:34:27 +0000 (20:34 +0200)]
p11tool: don't outsmart user and override login type

Unfortunately tokens vary on their requirements for writing trusted
and private objects, and there is no one-size fits all policy. Thus
allow a proper failure and warn the user that so-login may be required.

4 years agognutls_pkcs11_privkey_generate2(): corrected public key extraction (for ECDSA keys)
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:55:50 +0000 (15:55 +0200)]
gnutls_pkcs11_privkey_generate2(): corrected public key extraction (for ECDSA keys)

4 years agop11tool: Do not allow a newline as PIN.
Nikos Mavrogiannopoulos [Wed, 25 Jun 2014 13:30:30 +0000 (15:30 +0200)]
p11tool: Do not allow a newline as PIN.

4 years agopkcs11: avoid callig _gnutls_bin2hex() when length is zero.
Nikos Mavrogiannopoulos [Wed, 25 Jun 2014 12:29:36 +0000 (14:29 +0200)]
pkcs11: avoid callig _gnutls_bin2hex() when length is zero.

4 years agox509cert-tl: backported check from master
Nikos Mavrogiannopoulos [Tue, 10 Jun 2014 14:50:37 +0000 (16:50 +0200)]
x509cert-tl: backported check from master

4 years agodoc update
Nikos Mavrogiannopoulos [Tue, 10 Jun 2014 14:32:43 +0000 (16:32 +0200)]
doc update

4 years agoWhen decoding of a DN string fails, treat it as unknown string and print its hex...
Nikos Mavrogiannopoulos [Tue, 10 Jun 2014 14:32:19 +0000 (16:32 +0200)]
When decoding of a DN string fails, treat it as unknown string and print its hex value.

4 years agodoc update
Nikos Mavrogiannopoulos [Mon, 9 Jun 2014 15:08:21 +0000 (17:08 +0200)]
doc update

4 years agoDo not call the user_hello_func multiple times when performing ticket resumption.
Nikos Mavrogiannopoulos [Mon, 9 Jun 2014 15:07:41 +0000 (17:07 +0200)]
Do not call the user_hello_func multiple times when performing ticket resumption.

4 years agodoc update gnutls_3_1_25
Nikos Mavrogiannopoulos [Thu, 29 May 2014 17:47:31 +0000 (19:47 +0200)]
doc update

4 years agodoc update
Nikos Mavrogiannopoulos [Thu, 29 May 2014 17:44:20 +0000 (19:44 +0200)]
doc update

4 years agobumped version
Nikos Mavrogiannopoulos [Thu, 29 May 2014 17:13:50 +0000 (19:13 +0200)]
bumped version

4 years agoupdated libtasn1
Nikos Mavrogiannopoulos [Sun, 25 May 2014 19:37:19 +0000 (21:37 +0200)]
updated libtasn1

4 years agoPrevent memory corruption due to server hello parsing.
Nikos Mavrogiannopoulos [Fri, 23 May 2014 17:53:03 +0000 (19:53 +0200)]
Prevent memory corruption due to server hello parsing.

Issue discovered by Joonas Kuorilehto of Codenomicon.

4 years agodoc update
Nikos Mavrogiannopoulos [Thu, 29 May 2014 15:13:35 +0000 (17:13 +0200)]
doc update

4 years agoincreased the maximum certificate size buffer in the PKCS #11 subsystem.
Nikos Mavrogiannopoulos [Thu, 29 May 2014 15:05:39 +0000 (17:05 +0200)]
increased the maximum certificate size buffer in the PKCS #11 subsystem.

4 years agoFix capitalisation of ia5String
Nikos Mavrogiannopoulos [Thu, 29 May 2014 15:05:16 +0000 (17:05 +0200)]
Fix capitalisation of ia5String

4 years agocheck the return code of getpwuid_r()
Nikos Mavrogiannopoulos [Thu, 29 May 2014 07:23:50 +0000 (09:23 +0200)]
check the return code of getpwuid_r()

Reported by Viktor Dukhovni.

4 years agoocsptool: Include path in ocsp request.
Nikos Mavrogiannopoulos [Mon, 26 May 2014 15:25:42 +0000 (17:25 +0200)]
ocsptool: Include path in ocsp request.

This resolves #108582 (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.

4 years agognutls_x509_crt_get_signature: corrected return size
Nikos Mavrogiannopoulos [Sat, 17 May 2014 13:06:31 +0000 (15:06 +0200)]
gnutls_x509_crt_get_signature: corrected return size

4 years agobackported signature checks.
Nikos Mavrogiannopoulos [Sat, 17 May 2014 13:04:16 +0000 (15:04 +0200)]
backported signature checks.

4 years agobumped version. gnutls_3_1_24
Nikos Mavrogiannopoulos [Tue, 6 May 2014 19:12:58 +0000 (21:12 +0200)]
bumped version.

4 years agodoc update
Nikos Mavrogiannopoulos [Mon, 5 May 2014 16:34:04 +0000 (18:34 +0200)]
doc update

4 years agoWhen generating ECDSA keys, generate 256-bit keys by default.
Nikos Mavrogiannopoulos [Mon, 5 May 2014 16:33:28 +0000 (18:33 +0200)]
When generating ECDSA keys, generate 256-bit keys by default.

Curves with less than 256 bits (i.e., SECP192R1 and SECP224R1) are
not widely supported.

4 years agodoc update
Nikos Mavrogiannopoulos [Mon, 5 May 2014 13:48:05 +0000 (15:48 +0200)]
doc update

4 years agosmall fixes identified by coverity.
Nikos Mavrogiannopoulos [Mon, 5 May 2014 13:47:25 +0000 (15:47 +0200)]
small fixes identified by coverity.

4 years agodoc update
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:50:54 +0000 (12:50 +0200)]
doc update

4 years agoinitialize to null the SRP extension data on allocation.
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:50:06 +0000 (12:50 +0200)]
initialize to null the SRP extension data on allocation.

Issue identified using valgrind and the Codenomicon TLS test suite.

4 years agoBetter check for null signature method.
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:49:25 +0000 (12:49 +0200)]
Better check for null signature method.

Issue identified using valgrind and the Codenomicon TLS test suite.

4 years agoMore precise packet length checking.
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:48:25 +0000 (12:48 +0200)]
More precise packet length checking.

Issue discovered using valgrind and the Codenomicon TLS test suite.

4 years agodoc update
Nikos Mavrogiannopoulos [Mon, 28 Apr 2014 11:56:31 +0000 (13:56 +0200)]
doc update

4 years agoincreased MAX_DATA_ENTRIES to 100.
Nikos Mavrogiannopoulos [Mon, 28 Apr 2014 09:28:28 +0000 (11:28 +0200)]
increased MAX_DATA_ENTRIES to 100.

4 years agoAccept a certificate using DANE if there is at least one entry that matches the certi...
Nikos Mavrogiannopoulos [Mon, 28 Apr 2014 09:22:00 +0000 (11:22 +0200)]
Accept a certificate using DANE if there is at least one entry that matches the certificate.

This corrects the previous behavior that was rejecting the certificate if there
were multiple entries and one couldn't be validated.
Patch by simon@arlott.org.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
4 years agoonly fail DANE verification if status is non-zero
Nikos Mavrogiannopoulos [Mon, 28 Apr 2014 09:18:42 +0000 (11:18 +0200)]
only fail DANE verification if status is non-zero

4 years agodoc update
Nikos Mavrogiannopoulos [Fri, 18 Apr 2014 08:45:52 +0000 (10:45 +0200)]
doc update

4 years agoWhen checking for data to be received use the 'transport_recv_ptr'
Nikos Mavrogiannopoulos [Fri, 18 Apr 2014 08:40:49 +0000 (10:40 +0200)]
When checking for data to be received use the 'transport_recv_ptr'

This affects cases where there is different send and recv pointers.
Reported and investigated by JMRecio.

4 years agoCorrected dane_verify_crt() to not deinitialize any input state.
Nikos Mavrogiannopoulos [Tue, 15 Apr 2014 12:22:26 +0000 (14:22 +0200)]
Corrected dane_verify_crt() to not deinitialize any input state.

4 years agocorrectly check for message upper limit.
Nikos Mavrogiannopoulos [Tue, 15 Apr 2014 12:19:24 +0000 (14:19 +0200)]
correctly check for message upper limit.

4 years agoreleased 3.1.23 gnutls_3_1_23
Nikos Mavrogiannopoulos [Mon, 7 Apr 2014 19:38:28 +0000 (21:38 +0200)]
released 3.1.23

4 years agobumped version
Nikos Mavrogiannopoulos [Mon, 7 Apr 2014 19:38:00 +0000 (21:38 +0200)]
bumped version

4 years agodoc update
Nikos Mavrogiannopoulos [Sun, 6 Apr 2014 11:05:55 +0000 (13:05 +0200)]
doc update

4 years agodoc update
Nikos Mavrogiannopoulos [Sat, 5 Apr 2014 08:52:06 +0000 (10:52 +0200)]
doc update

4 years agoWhen the --provider option is given, initialize PKCS #11 prior to calling gnutls_glob...
Nikos Mavrogiannopoulos [Sat, 5 Apr 2014 08:42:39 +0000 (10:42 +0200)]
When the --provider option is given, initialize PKCS #11 prior to calling gnutls_global_init().

This ensures that the PKCS #11 subsystem will not be initialized twice.

4 years agodoc update
Nikos Mavrogiannopoulos [Thu, 3 Apr 2014 18:57:00 +0000 (20:57 +0200)]
doc update

4 years agochanged the behavior in certtool's PKCS #8 key export with no password
Nikos Mavrogiannopoulos [Thu, 3 Apr 2014 18:55:20 +0000 (20:55 +0200)]
changed the behavior in certtool's PKCS #8 key export with no password

By default when no password is specified, an unencrypted key is output.
The previous behavior of encrypting using an empty password can be
replicated using --empty-password.

4 years agoWhen verifying check for the same certificate in the trusted list, not only the issuer
Nikos Mavrogiannopoulos [Thu, 3 Apr 2014 15:43:03 +0000 (17:43 +0200)]
When verifying check for the same certificate in the trusted list, not only the issuer

When the certificate list verifying ends in a non self-signed certificate,
and the self-signed isn't in our trusted list, make sure that we search
for the non-self-signed in our list as well. This affects,
gnutls_x509_trust_list_verify_crt() and makes its results identical to
gnutls_x509_crt_list_verify().

4 years agodoc update
Nikos Mavrogiannopoulos [Thu, 3 Apr 2014 08:35:46 +0000 (10:35 +0200)]
doc update

4 years agobackported fixes for gnutls_record_cork() and DTLS.
Nikos Mavrogiannopoulos [Wed, 2 Apr 2014 12:32:21 +0000 (14:32 +0200)]
backported fixes for gnutls_record_cork() and DTLS.

4 years agoCheck explicitly for the errors gnutls_record_uncork() should recover from.
Nikos Mavrogiannopoulos [Fri, 28 Mar 2014 09:55:56 +0000 (10:55 +0100)]
Check explicitly for the errors gnutls_record_uncork() should recover from.

4 years agodoc update
Nikos Mavrogiannopoulos [Thu, 27 Mar 2014 17:15:13 +0000 (18:15 +0100)]
doc update

4 years agodo not consider wildcards in non-ascii names.
Nikos Mavrogiannopoulos [Thu, 27 Mar 2014 17:10:10 +0000 (18:10 +0100)]
do not consider wildcards in non-ascii names.

4 years agoclang warning fixes
Nikos Mavrogiannopoulos [Sun, 23 Mar 2014 09:28:47 +0000 (10:28 +0100)]
clang warning fixes

4 years agodoc update
Nikos Mavrogiannopoulos [Thu, 20 Mar 2014 09:28:29 +0000 (10:28 +0100)]
doc update

4 years agoChanged the behaviour in wildcard acceptance in certificates.
Nikos Mavrogiannopoulos [Thu, 20 Mar 2014 09:27:44 +0000 (10:27 +0100)]
Changed the behaviour in wildcard acceptance in certificates.

Wildcards are only accepted when there are more than two domain components
after the wildcard. This will prevent accepting certificates from CAs
that issued '*.com', or 'www.*'.

4 years agodoc update
Nikos Mavrogiannopoulos [Sat, 8 Mar 2014 16:22:19 +0000 (17:22 +0100)]
doc update

4 years agocorrected parameter returned from stack
Nikos Mavrogiannopoulos [Sat, 8 Mar 2014 16:21:13 +0000 (17:21 +0100)]
corrected parameter returned from stack

4 years agoRevert "Allow all ciphersuites in SSL3.0 when they are available in TLS1.0"
Nikos Mavrogiannopoulos [Sat, 8 Mar 2014 16:18:15 +0000 (17:18 +0100)]
Revert "Allow all ciphersuites in SSL3.0 when they are available in TLS1.0"

This reverts commit 9aa5d308e44b35131fde3faf3273d0457d48788c.

4 years agocheck the blacklist for certificates provided in gnutls_x509_trust_list_verify_named_...
Nikos Mavrogiannopoulos [Sun, 2 Mar 2014 22:32:34 +0000 (23:32 +0100)]
check the blacklist for certificates provided in gnutls_x509_trust_list_verify_named_crt().

4 years agodoc update
Nikos Mavrogiannopoulos [Sun, 2 Mar 2014 20:47:20 +0000 (21:47 +0100)]
doc update

4 years agoadded release date
Nikos Mavrogiannopoulos [Sun, 2 Mar 2014 09:08:44 +0000 (10:08 +0100)]
added release date

4 years agodoc update
Nikos Mavrogiannopoulos [Fri, 28 Feb 2014 18:53:14 +0000 (19:53 +0100)]
doc update

4 years agoAllow all ciphersuites in SSL3.0 when they are available in TLS1.0
Nikos Mavrogiannopoulos [Fri, 28 Feb 2014 18:52:52 +0000 (19:52 +0100)]
Allow all ciphersuites in SSL3.0 when they are available in TLS1.0

4 years agocorrected return codes.
Nikos Mavrogiannopoulos [Wed, 19 Feb 2014 10:10:26 +0000 (11:10 +0100)]
corrected return codes.

4 years agoCorrected error checking in _gnutls_x509_ext_gen_proxyCertInfo
Nikos Mavrogiannopoulos [Fri, 28 Feb 2014 12:32:09 +0000 (13:32 +0100)]
Corrected error checking in _gnutls_x509_ext_gen_proxyCertInfo

Conflicts:
lib/x509/extensions.c

4 years agobumped version
Nikos Mavrogiannopoulos [Wed, 26 Feb 2014 18:18:51 +0000 (19:18 +0100)]
bumped version

4 years agodoc update
Nikos Mavrogiannopoulos [Wed, 26 Feb 2014 18:18:07 +0000 (19:18 +0100)]
doc update

4 years agoremoved not trusted message; reported by Michel Briand.
Nikos Mavrogiannopoulos [Wed, 26 Feb 2014 12:44:27 +0000 (13:44 +0100)]
removed not trusted message; reported by Michel Briand.

Conflicts:
lib/gnutls_cert.c