gnutls:gnutls.git
3 years ago: Use libc-ares instead of unbound. [ares]
Nikos Mavrogiannopoulos [Wed, 11 Jun 2014 14:42:41 +0000 (16:42 +0200)]
Use libc-ares instead of unbound.

3 years ago: libdane: bogus and secure values are always initialized in dane_query_to_raw_tlsa
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 16:22:40 +0000 (18:22 +0200)]
libdane: bogus and secure values are always initialized in dane_query_to_raw_tlsa

3 years ago: tests: eliminated leak from dane check
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 16:18:26 +0000 (18:18 +0200)]
tests: eliminated leak from dane check

3 years ago: libdane: use gnutls_malloc() and doc update
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 16:14:50 +0000 (18:14 +0200)]
libdane: use gnutls_malloc() and doc update

3 years ago: Added self test for DANE raw functions
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 16:07:14 +0000 (18:07 +0200)]
Added self test for DANE raw functions

3 years ago: danetool: added option to print the raw entries.
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 15:39:09 +0000 (17:39 +0200)]
danetool: added option to print the raw entries.

3 years ago: doc update
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 15:18:31 +0000 (17:18 +0200)]
doc update

3 years ago: moved _gnutls_prf_raw to FIPS140 symbols
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 14:39:23 +0000 (16:39 +0200)]
moved _gnutls_prf_raw to FIPS140 symbols

3 years ago: Added sanity check on padlock AES IV set.
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 13:34:51 +0000 (15:34 +0200)]
Added sanity check on padlock AES IV set.

3 years ago: fips140-2: Added _gnutls_prf_raw() which can calculate the TLS PRF without depending...
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:57:55 +0000 (13:57 +0200)]
fips140-2: Added _gnutls_prf_raw() which can calculate the TLS PRF without depending on a session structure.

3 years ago: fips140-2: do not check the libtasn1's integrity
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:38:25 +0000 (13:38 +0200)]
fips140-2: do not check the libtasn1's integrity

3 years ago: RSA-PSK ciphersuites are only allowed in TLS 1.0.
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:30:33 +0000 (13:30 +0200)]
RSA-PSK ciphersuites are only allowed in TLS 1.0.

That is because they implement the EncryptedPreMasterSecret encoding
according to RFC 4279, which uses the TLS 1.0 (RFC 2246) encoding,
and there can be ambiguities when using that over SSL 3.0.

See: http://lists.gnupg.org/pipermail/gnutls-help/2014-July/003546.html

3 years ago: gnutls_priority_init: set err_pos prior to any action
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:19:15 +0000 (13:19 +0200)]
gnutls_priority_init: set err_pos prior to any action

That allows a valid err_pos, even on a memory allocation
error. Reported by Dan Fandrich.

3 years ago: updated TODO
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:08:46 +0000 (13:08 +0200)]
updated TODO

3 years ago: minimum version was changed to TLS 1.0 for ciphersuites with SHA2
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:03:38 +0000 (13:03 +0200)]
minimum version was changed to TLS 1.0 for ciphersuites with SHA2

These ciphersuites could not be used with SSL 3.0 that only defines
usage of MD5 or SHA1 MACs. Reported by Manuel Pegourie-Gonnard.

3 years ago: ignore CKR_CRYPTOKI_ALREADY_INITIALIZED when returned on reinitialization
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 15:57:04 +0000 (17:57 +0200)]
ignore CKR_CRYPTOKI_ALREADY_INITIALIZED when returned on reinitialization

3 years ago: tests: x509cert-tl checks gnutls_x509_trust_list_add_trust_dir()
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 15:50:05 +0000 (17:50 +0200)]
tests: x509cert-tl checks gnutls_x509_trust_list_add_trust_dir()

3 years ago: doc update
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 15:45:09 +0000 (17:45 +0200)]
doc update

3 years ago: doc update
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 14:55:41 +0000 (16:55 +0200)]
doc update

3 years ago: Added gnutls_certificate_set_x509_trust_dir()
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 14:55:09 +0000 (16:55 +0200)]
Added gnutls_certificate_set_x509_trust_dir()

3 years ago: Added gnutls_x509_trust_list_add_trust_dir()
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 14:50:52 +0000 (16:50 +0200)]
Added gnutls_x509_trust_list_add_trust_dir()

This essentially exports the functionality to read from a directory
with trusted certificates.

3 years ago: Allow specifying a directory as trust store
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 14:33:34 +0000 (16:33 +0200)]
Allow specifying a directory as trust store

3 years ago: doc update
Nikos Mavrogiannopoulos [Fri, 11 Jul 2014 15:43:57 +0000 (17:43 +0200)]
doc update

3 years ago: libdane: add function dane_query_to_raw_tlsa
Simon Arlott [Thu, 10 Jul 2014 21:08:30 +0000 (22:08 +0100)]
libdane: add function dane_query_to_raw_tlsa

This function converts a dane_query_t into the parameters needed for
dane_raw_tlsa() to make it easy to copy the results of the (synchronous)
lookup query from one process to another.

This code allocates an unnecessary extra NULL entry for dane_data_len
to avoid trying to malloc 0 bytes if q->data_entries is 0 (it is possible
for malloc/calloc to return NULL when requested to allocate 0 bytes).

Signed-off-by: Simon Arlott

3 years ago: FIPS140-2 tests: no need for MD5 check
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 14:47:27 +0000 (16:47 +0200)]
FIPS140-2 tests: no need for MD5 check

3 years ago: FIPS140-2 tests: removed redundant checks
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 13:14:20 +0000 (15:14 +0200)]
FIPS140-2 tests: removed redundant checks

We keep one check per cipher which is required, and avoid multiple
(and time-consuming) tests.

3 years ago: Allow specifying GNUTLS_CPUID_OVERRIDE in either hex or decimal.
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 12:09:55 +0000 (14:09 +0200)]
Allow specifying GNUTLS_CPUID_OVERRIDE in either hex or decimal.

3 years ago: doc update
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 12:06:53 +0000 (14:06 +0200)]
doc update

3 years ago: Added option to disable any cpu optimizations
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 12:02:18 +0000 (14:02 +0200)]
Added option to disable any cpu optimizations

3 years ago: simplified housekeeping of CPUID registers
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 11:55:28 +0000 (13:55 +0200)]
simplified housekeeping of CPUID registers

3 years ago: Allow overriding the detected CPUID using the GNUTLS_CPUID_OVERRIDE environment variable
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 11:50:15 +0000 (13:50 +0200)]
Allow overriding the detected CPUID using the GNUTLS_CPUID_OVERRIDE environment variable

3 years ago: FIPS140-2 tests: Added pairwise consistency check for RSA encryption
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 09:15:05 +0000 (11:15 +0200)]
FIPS140-2 tests: Added pairwise consistency check for RSA encryption

3 years ago: FIPS140-2 tests: check with DSA-2048 and DSA-3072 bit keys, as well as SHA256.
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 09:07:25 +0000 (11:07 +0200)]
FIPS140-2 tests: check with DSA-2048 and DSA-3072 bit keys, as well as SHA256.

3 years ago: FIPS140-2 tests: check with RSA-2048 and RSA-3072 bit keys
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 08:59:27 +0000 (10:59 +0200)]
FIPS140-2 tests: check with RSA-2048 and RSA-3072 bit keys

3 years ago: tests: check RSA with SHA256
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 08:52:19 +0000 (10:52 +0200)]
tests: check RSA with SHA256

3 years ago: FIPS140-2 mode: test whether RSA encrypted data differ from plaintext
Nikos Mavrogiannopoulos [Tue, 8 Jul 2014 08:46:56 +0000 (10:46 +0200)]
FIPS140-2 mode: test whether RSA encrypted data differ from plaintext

3 years ago: FIPS140-2 mode: enforce the minimum GCM IV size required by SP800-38D (section 8.2)
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 16:34:02 +0000 (18:34 +0200)]
FIPS140-2 mode: enforce the minimum GCM IV size required by SP800-38D (section 8.2)

3 years ago: doc update
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 15:00:25 +0000 (17:00 +0200)]
doc update

3 years ago: p11tool/certtool: Added --curve parameter.
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 14:58:53 +0000 (16:58 +0200)]
p11tool/certtool: Added --curve parameter.

The curve parameter allows explicitly specifying the curve to use
when generating a key.

3 years ago: doc update
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 12:41:40 +0000 (14:41 +0200)]
doc update

3 years ago: set CKA_EC_PARAMS when generating an ECDSA key
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 12:37:00 +0000 (14:37 +0200)]
set CKA_EC_PARAMS when generating an ECDSA key

3 years ago: p11tool: only print warning about key sizes in RSA keys
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 11:36:16 +0000 (13:36 +0200)]
p11tool: only print warning about key sizes in RSA keys

3 years ago: p11tool: make brief output more brief
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 11:32:56 +0000 (13:32 +0200)]
p11tool: make brief output more brief

3 years ago: mpi: use zeroize_key() instead of memset()
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 10:13:31 +0000 (12:13 +0200)]
mpi: use zeroize_key() instead of memset()

3 years ago: dane: Skip DANE entries that may contain unknown info
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 21:11:00 +0000 (23:11 +0200)]
dane: Skip DANE entries that may contain unknown info

That would allow skipping any future entries without failing.
Reported by Simon Arlott.

3 years ago: dane: Added sanity check in dane_verify_crt_raw()
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 20:58:42 +0000 (22:58 +0200)]
dane: Added sanity check in dane_verify_crt_raw()

That allows calling the function with an empty chain.
Reported by Simon Arlott.

3 years ago: examples: mention that gnutls_global_init() is optional
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 16:40:57 +0000 (18:40 +0200)]
examples: mention that gnutls_global_init() is optional

3 years ago: doc: mention and link to trust storage module
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 16:34:48 +0000 (18:34 +0200)]
doc: mention and link to trust storage module

3 years ago: doc update
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 16:30:34 +0000 (18:30 +0200)]
doc update

3 years ago: doc update
Nikos Mavrogiannopoulos [Fri, 4 Jul 2014 15:19:38 +0000 (17:19 +0200)]
doc update

3 years ago: pkcs11: Removed length check of attribute as a sanity check for valid keys.
Nikos Mavrogiannopoulos [Fri, 4 Jul 2014 13:44:38 +0000 (15:44 +0200)]
pkcs11: Removed length check of attribute as a sanity check for valid keys.

There can be keys where the id or label is empty and thus with zero length.

3 years ago: Increased number of attributes
Nikos Mavrogiannopoulos [Fri, 4 Jul 2014 13:44:12 +0000 (15:44 +0200)]
Increased number of attributes

3 years ago: doc update
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 16:11:22 +0000 (18:11 +0200)]
doc update

3 years ago: try to restart on session errors, to avoid having a failed call.
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 16:07:29 +0000 (18:07 +0200)]
try to restart on session errors, to avoid having a failed call.

3 years ago: corrected pkcs11 reinitialization
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 16:04:46 +0000 (18:04 +0200)]
corrected pkcs11 reinitialization

3 years ago: If we get a PKCS #11 session error, invalidate the cached session.
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 13:36:11 +0000 (15:36 +0200)]
If we get a PKCS #11 session error, invalidate the cached session.

3 years ago: set the maximum value when printing library_description
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 13:05:37 +0000 (15:05 +0200)]
set the maximum value when printing library_description

3 years ago: On fork invalidate the PKCS #11 privkey cached session
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 13:03:24 +0000 (15:03 +0200)]
On fork invalidate the PKCS #11 privkey cached session

3 years ago: doc update
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 09:54:04 +0000 (11:54 +0200)]
doc update

3 years ago: p11tool: don't outsmart user and override login type
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 09:43:32 +0000 (11:43 +0200)]
p11tool: don't outsmart user and override login type

Unfortunately tokens vary on their requirements for writing trusted
and private objects, and there is no one-size fits all policy. Thus
allow a proper failure and warn the user that so-login may be required.

3 years ago: testpkcs11: Try to write the trusted object both by so-pin and normal pin
Nikos Mavrogiannopoulos [Thu, 3 Jul 2014 09:45:39 +0000 (11:45 +0200)]
testpkcs11: Try to write the trusted object both by so-pin and normal pin

3 years ago: tests: testpkcs11: temp parameters are deleted after generation
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 21:14:28 +0000 (23:14 +0200)]
tests: testpkcs11: temp parameters are deleted after generation

3 years ago: bumped version
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 20:39:29 +0000 (22:39 +0200)]
bumped version

3 years ago: tests: added testpkcs11.sc-hsm
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:59:33 +0000 (15:59 +0200)]
tests: added testpkcs11.sc-hsm

3 years ago: doc update
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:57:42 +0000 (15:57 +0200)]
doc update

3 years ago: p11tool: use GNUTLS_PIN and GNUTLS_SO_PIN when setting the PINs of an initialized...
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:54:24 +0000 (15:54 +0200)]
p11tool: use GNUTLS_PIN and GNUTLS_SO_PIN when setting the PINs of an initialized token.

3 years ago: tests: gendh: increased the DH prime size to allow usage under FIPS140-2 mode
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:51:11 +0000 (15:51 +0200)]
tests: gendh: increased the DH prime size to allow usage under FIPS140-2 mode

3 years ago: tools: when in batch mode and no PIN, print a note about using the environment variables
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:49:36 +0000 (15:49 +0200)]
tools: when in batch mode and no PIN, print a note about using the environment variables

3 years ago: tests: crq_key_id: increased generated DSA key size and changed hash to SHA256
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:43:31 +0000 (15:43 +0200)]
tests: crq_key_id: increased generated DSA key size and changed hash to SHA256

That allows the test to operate under the FIPS140-2 mode.

3 years ago: tests: improved error reporting in crq_key_id
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:41:10 +0000 (15:41 +0200)]
tests: improved error reporting in crq_key_id

3 years ago: doc: properly terminate table
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:33:13 +0000 (15:33 +0200)]
doc: properly terminate table

3 years ago: removed pbits=1024, qbits=160 from the acceptable bit sizes in FIPS140-2 DSA paramete...
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 13:30:48 +0000 (15:30 +0200)]
removed pbits=1024, qbits=160 from the acceptable bit sizes in FIPS140-2 DSA parameter generation.

3 years ago: doc update
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 11:53:22 +0000 (13:53 +0200)]
doc update

3 years ago: doc update
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 11:40:48 +0000 (13:40 +0200)]
doc update

3 years ago: tools: PIN callback will respect batch mode and will not ask for PIN.
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 11:37:04 +0000 (13:37 +0200)]
tools: PIN callback will respect batch mode and will not ask for PIN.

3 years ago: p11tool: Ask for label if not specified.
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 11:26:58 +0000 (13:26 +0200)]
p11tool: Ask for label if not specified.

Added --batch parameter to disable interaction.

3 years ago: p11tool: If there is only a single token available, don't bother complaining about...
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 11:17:55 +0000 (13:17 +0200)]
p11tool: If there is only a single token available, don't bother complaining about specifying the correct URL

3 years ago: updated comment
Nikos Mavrogiannopoulos [Wed, 2 Jul 2014 09:45:05 +0000 (11:45 +0200)]
updated comment

3 years ago: doc update
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:53:25 +0000 (15:53 +0200)]
doc update

3 years ago: certtool: document that URLs are supported
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:52:32 +0000 (15:52 +0200)]
certtool: document that URLs are supported

3 years ago: p11tool: document GNUTLS_SO_PIN env variable
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:50:59 +0000 (15:50 +0200)]
p11tool: document GNUTLS_SO_PIN env variable

3 years ago: tests: improved testpkcs11 suite
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:39:48 +0000 (15:39 +0200)]
tests: improved testpkcs11 suite

3 years ago: gnutls_pkcs11_privkey_generate2(): corrected public key extraction (for ECDSA keys)
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:17:38 +0000 (15:17 +0200)]
gnutls_pkcs11_privkey_generate2(): corrected public key extraction (for ECDSA keys)

3 years ago: p11tool/certtool: use GNUTLS_SO_PIN for reading security officer's PIN
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 12:36:30 +0000 (14:36 +0200)]
p11tool/certtool: use GNUTLS_SO_PIN for reading security officer's PIN

3 years ago: p11tool: added options --set-pin and --set-so-pin
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:37:56 +0000 (15:37 +0200)]
p11tool: added options --set-pin and --set-so-pin

These allow for a non-interactive --initialize process.

3 years ago: Added explicit documentation on IPv4 and IPv6 address matching.
Nikos Mavrogiannopoulos [Mon, 30 Jun 2014 20:53:04 +0000 (22:53 +0200)]
Added explicit documentation on IPv4 and IPv6 address matching.

3 years ago: tests: long-session-id: ignore SIGPIPE
Nikos Mavrogiannopoulos [Sun, 29 Jun 2014 11:18:32 +0000 (13:18 +0200)]
tests: long-session-id: ignore SIGPIPE

3 years ago: doc: Added text on upgrading to 3.3.x from 3.2.x
Nikos Mavrogiannopoulos [Sun, 29 Jun 2014 10:22:42 +0000 (12:22 +0200)]
doc: Added text on upgrading to 3.3.x from 3.2.x

3 years ago: do not exit the loop in case a name doesn't fit into our buffer.
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 15:36:45 +0000 (17:36 +0200)]
do not exit the loop in case a name doesn't fit into our buffer.

3 years ago: when verifying an IP, also verify it as a hostname
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 15:34:49 +0000 (17:34 +0200)]
when verifying an IP, also verify it as a hostname

There are several misconfigured servers that placed their IP
as a DNS name. Pointed out by David Woodhouse.

3 years ago: suppress warnings
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 09:38:34 +0000 (11:38 +0200)]
suppress warnings

3 years ago: doc update
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 09:34:02 +0000 (11:34 +0200)]
doc update

3 years ago: check of inet_pton instead for AF_INET6
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 09:32:23 +0000 (11:32 +0200)]
check of inet_pton instead for AF_INET6

3 years ago: Use inet_ntop() for printing IP addresses.
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 09:30:25 +0000 (11:30 +0200)]
Use inet_ntop() for printing IP addresses.

The old dumb code is used in systems that don't have that function.

3 years ago: tests: Added test cases for IPv4/6 matching.
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 09:24:29 +0000 (11:24 +0200)]
tests: Added test cases for IPv4/6 matching.

3 years ago: gnutls_x509_crt_check_hostname() checks text ip addresses as well.
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 09:06:34 +0000 (11:06 +0200)]
gnutls_x509_crt_check_hostname() checks text ip addresses as well.

That aligns the documentation with the implementation. Reported by David Woodhouse.

3 years ago: initialize str to NULL
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 07:08:18 +0000 (09:08 +0200)]
initialize str to NULL

3 years ago: fixed documentation
Nikos Mavrogiannopoulos [Thu, 26 Jun 2014 18:41:09 +0000 (20:41 +0200)]
fixed documentation

3 years ago: tests: better replacement of LIBTOOL variable in scripts [gnutls_3_3_5]
Nikos Mavrogiannopoulos [Thu, 26 Jun 2014 18:27:59 +0000 (20:27 +0200)]
tests: better replacement of LIBTOOL variable in scripts

3 years ago: tests: ship certs/
Nikos Mavrogiannopoulos [Thu, 26 Jun 2014 18:27:38 +0000 (20:27 +0200)]
tests: ship certs/