gnutls:gnutls.git
3 years ago released 3.2.16 (tag: gnutls_3_2_16)
Nikos Mavrogiannopoulos [Wed, 23 Jul 2014 07:25:19 +0000 (09:25 +0200)]
released 3.2.16

3 years ago use const return value in ip_to_string
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 21:48:23 +0000 (23:48 +0200)]
use const return value in ip_to_string

3 years ago bumped version
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 21:46:25 +0000 (23:46 +0200)]
bumped version

3 years ago minimum version was changed to TLS 1.0 for ciphersuites with SHA2
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:03:38 +0000 (13:03 +0200)]
minimum version was changed to TLS 1.0 for ciphersuites with SHA2

These ciphersuites could not be used with SSL 3.0 that only defines
usage of MD5 or SHA1 MACs. Reported by Manuel Pegourie-Gonnard.

3 years ago ignore CKR_CRYPTOKI_ALREADY_INITIALIZED when returned on reinitialization
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 15:58:28 +0000 (17:58 +0200)]
ignore CKR_CRYPTOKI_ALREADY_INITIALIZED when returned on reinitialization

3 years ago doc update
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 12:40:59 +0000 (14:40 +0200)]
doc update

3 years ago set CKA_EC_PARAMS when generating an ECDSA key
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 12:37:00 +0000 (14:37 +0200)]
set CKA_EC_PARAMS when generating an ECDSA key

Conflicts:
lib/pkcs11.c

3 years ago dane: Skip DANE entries that may contain unknown info
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 21:11:00 +0000 (23:11 +0200)]
dane: Skip DANE entries that may contain unknown info

That would allow skipping any future entries without failing.
Reported by Simon Arlott.

3 years ago dane: Added sanity check in dane_verify_crt_raw()
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 20:58:42 +0000 (22:58 +0200)]
dane: Added sanity check in dane_verify_crt_raw()

That allows calling the function with an empty chain.
Reported by Simon Arlott.

3 years ago doc update
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 18:32:07 +0000 (20:32 +0200)]
doc update

3 years ago p11tool: don't outsmart user and override login type
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 18:30:13 +0000 (20:30 +0200)]
p11tool: don't outsmart user and override login type

Unfortunately tokens vary on their requirements for writing trusted
and private objects, and there is no one-size fits all policy. Thus
allow a proper failure and warn the user that so-login may be required.

3 years ago pkcs11: Removed length check of attribute as a sanity check for valid keys.
Nikos Mavrogiannopoulos [Fri, 4 Jul 2014 13:44:38 +0000 (15:44 +0200)]
pkcs11: Removed length check of attribute as a sanity check for valid keys.

There can be keys where the id or label is empty and thus with zero length.

3 years ago doc update
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:53:05 +0000 (15:53 +0200)]
doc update

3 years ago gnutls_pkcs11_privkey_generate2(): corrected public key extraction (for ECDSA keys)
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:17:38 +0000 (15:17 +0200)]
gnutls_pkcs11_privkey_generate2(): corrected public key extraction (for ECDSA keys)

3 years ago p11tool/certtool: use GNUTLS_SO_PIN for reading security officer's PIN
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 12:36:30 +0000 (14:36 +0200)]
p11tool/certtool: use GNUTLS_SO_PIN for reading security officer's PIN

3 years ago mention that IPv4 and IPv6 address comparison is since 3.2.16.
Nikos Mavrogiannopoulos [Mon, 30 Jun 2014 20:55:37 +0000 (22:55 +0200)]
mention that IPv4 and IPv6 address comparison is since 3.2.16.

3 years ago Added explicit documentation on IPv4 and IPv6 address matching.
Nikos Mavrogiannopoulos [Mon, 30 Jun 2014 20:54:13 +0000 (22:54 +0200)]
Added explicit documentation on IPv4 and IPv6 address matching.

3 years ago doc update
Nikos Mavrogiannopoulos [Mon, 30 Jun 2014 20:31:58 +0000 (22:31 +0200)]
doc update

3 years ago tests: Added test cases for IPv4/6 matching.
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 09:24:29 +0000 (11:24 +0200)]
tests: Added test cases for IPv4/6 matching.

3 years ago gnutls_x509_crt_check_hostname() checks text ip addresses as well.
Nikos Mavrogiannopoulos [Mon, 30 Jun 2014 20:31:14 +0000 (22:31 +0200)]
gnutls_x509_crt_check_hostname() checks text ip addresses as well.

That aligns the documentation with the implementation.

3 years ago doc update
Nikos Mavrogiannopoulos [Sat, 28 Jun 2014 12:09:28 +0000 (14:09 +0200)]
doc update

3 years ago Use inet_ntop() for printing IP addresses.
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 09:30:25 +0000 (11:30 +0200)]
Use inet_ntop() for printing IP addresses.

The old dumb code is used in systems that don't have that function.

3 years ago initialize str to NULL
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 07:08:18 +0000 (09:08 +0200)]
initialize str to NULL

3 years ago p11tool: Do not allow a newline as PIN.
Nikos Mavrogiannopoulos [Wed, 25 Jun 2014 13:29:35 +0000 (15:29 +0200)]
p11tool: Do not allow a newline as PIN.

3 years ago pkcs11: avoid calling _gnutls_bin2hex() when length is zero.
Nikos Mavrogiannopoulos [Wed, 25 Jun 2014 12:16:22 +0000 (14:16 +0200)]
pkcs11: avoid calling _gnutls_bin2hex() when length is zero.

3 years ago doc: Corrections for gnutls_handshake_set_hook_function()
Attila Molnar [Sun, 15 Jun 2014 15:42:28 +0000 (17:42 +0200)]
doc: Corrections for gnutls_handshake_set_hook_function()

3 years ago doc update
Nikos Mavrogiannopoulos [Mon, 9 Jun 2014 15:08:43 +0000 (17:08 +0200)]
doc update

3 years ago doc update
Nikos Mavrogiannopoulos [Mon, 9 Jun 2014 15:06:43 +0000 (17:06 +0200)]
doc update

3 years ago Do not call the user_hello_func multiple times when performing ticket resumption.
Nikos Mavrogiannopoulos [Thu, 22 May 2014 15:36:46 +0000 (17:36 +0200)]
Do not call the user_hello_func multiple times when performing ticket resumption.

3 years ago doc update
Nikos Mavrogiannopoulos [Fri, 6 Jun 2014 08:16:45 +0000 (10:16 +0200)]
doc update

3 years ago When decoding of a DN string fails, treat it as unknown string and print its hex...
Nikos Mavrogiannopoulos [Fri, 6 Jun 2014 08:13:19 +0000 (10:13 +0200)]
When decoding of a DN string fails, treat it as unknown string and print its hex value.

3 years ago define NN_HASH unconditionally
Nikos Mavrogiannopoulos [Wed, 4 Jun 2014 16:21:24 +0000 (18:21 +0200)]
define NN_HASH unconditionally

3 years ago m4/hooks.m4: use enableval rather than fixed values.
Nikos Mavrogiannopoulos [Tue, 3 Jun 2014 11:48:32 +0000 (13:48 +0200)]
m4/hooks.m4: use enableval rather than fixed values.

That should resolve issue #108592 at
http://savannah.gnu.org/support/?108592

3 years ago doc update (tag: gnutls_3_2_15)
Nikos Mavrogiannopoulos [Thu, 29 May 2014 17:43:09 +0000 (19:43 +0200)]
doc update

3 years ago include config.h
Nikos Mavrogiannopoulos [Thu, 29 May 2014 17:37:03 +0000 (19:37 +0200)]
include config.h

3 years ago bumped version
Nikos Mavrogiannopoulos [Thu, 29 May 2014 17:13:28 +0000 (19:13 +0200)]
bumped version

3 years ago updated libtasn1
Nikos Mavrogiannopoulos [Sun, 25 May 2014 19:36:57 +0000 (21:36 +0200)]
updated libtasn1

3 years ago Prevent memory corruption due to server hello parsing.
Nikos Mavrogiannopoulos [Fri, 23 May 2014 17:50:31 +0000 (19:50 +0200)]
Prevent memory corruption due to server hello parsing.

Issue discovered by Joonas Kuorilehto of Codenomicon.

3 years ago doc update
Nikos Mavrogiannopoulos [Thu, 29 May 2014 15:14:18 +0000 (17:14 +0200)]
doc update

3 years ago Fix capitalisation of ia5String
Nikos Mavrogiannopoulos [Thu, 29 May 2014 15:04:18 +0000 (17:04 +0200)]
Fix capitalisation of ia5String

3 years ago increased the maximum certificate size buffer in the PKCS #11 subsystem.
Nikos Mavrogiannopoulos [Thu, 29 May 2014 14:20:59 +0000 (16:20 +0200)]
increased the maximum certificate size buffer in the PKCS #11 subsystem.

3 years ago check the return code of getpwuid_r()
Nikos Mavrogiannopoulos [Thu, 29 May 2014 07:23:05 +0000 (09:23 +0200)]
check the return code of getpwuid_r()

Reported by Viktor Dukhovni.

3 years ago ocsptool: Include path in ocsp request.
Nikos Mavrogiannopoulos [Mon, 26 May 2014 15:18:44 +0000 (17:18 +0200)]
ocsptool: Include path in ocsp request.

This resolves #108582 (https://savannah.gnu.org/support/?108582), reported
by Matt McCutchen.

3 years ago doc update
Nikos Mavrogiannopoulos [Fri, 23 May 2014 11:35:59 +0000 (13:35 +0200)]
doc update

3 years ago Do not allow null strings to be read from ASN.1 structures.
Nikos Mavrogiannopoulos [Thu, 22 May 2014 18:43:24 +0000 (20:43 +0200)]
Do not allow null strings to be read from ASN.1 structures.

This corrects a null pointer dereference when parsing some specially
crafted certificates. Issue discovered using the Codenomicon TLS
test suite.

3 years ago gnutls_x509_crt_get_extension_data: will return zero if data is NULL and memory buffe...
Nikos Mavrogiannopoulos [Thu, 22 May 2014 11:35:22 +0000 (13:35 +0200)]
gnutls_x509_crt_get_extension_data: will return zero if data is NULL and memory buffer size is not sufficient.

3 years ago check for correct error codes in print_extensions().
Nikos Mavrogiannopoulos [Thu, 22 May 2014 11:33:22 +0000 (13:33 +0200)]
check for correct error codes in print_extensions().

3 years ago When assigning the TLS version, double check that it is valid.
Nikos Mavrogiannopoulos [Thu, 22 May 2014 07:21:20 +0000 (09:21 +0200)]
When assigning the TLS version, double check that it is valid.

3 years ago Prevent a crash by ensuring that there is a valid negotiated version.
Nikos Mavrogiannopoulos [Thu, 22 May 2014 07:12:37 +0000 (09:12 +0200)]
Prevent a crash by ensuring that there is a valid negotiated version.

Issue discovered by Joonas Kuorilehto of Codenomicon.

3 years ago backported signature checks
Nikos Mavrogiannopoulos [Sat, 17 May 2014 13:05:30 +0000 (15:05 +0200)]
backported signature checks

3 years ago doc update
Nikos Mavrogiannopoulos [Sat, 17 May 2014 06:35:51 +0000 (08:35 +0200)]
doc update

3 years ago use gnutls_set_default_priority() in examples.
Nikos Mavrogiannopoulos [Sun, 11 May 2014 07:52:17 +0000 (09:52 +0200)]
use gnutls_set_default_priority() in examples.

3 years ago gnutls_x509_crt_get_signature() will return the correct signature size rather than...
Nikos Mavrogiannopoulos [Fri, 16 May 2014 22:26:25 +0000 (00:26 +0200)]
gnutls_x509_crt_get_signature() will return the correct signature size rather than the max.

3 years ago Print the openpgp DN only when gnutls_openpgp_crt_get_name() failed appropriately.
Nikos Mavrogiannopoulos [Fri, 16 May 2014 22:36:49 +0000 (00:36 +0200)]
Print the openpgp DN only when gnutls_openpgp_crt_get_name() failed appropriately.

3 years ago corrected error checking in gnutls_x509_crt_get_extension_data()
Nikos Mavrogiannopoulos [Fri, 16 May 2014 22:28:23 +0000 (00:28 +0200)]
corrected error checking in gnutls_x509_crt_get_extension_data()

3 years ago Allow null list_size argument in gnutls_certificate_get_peers()
Nikos Mavrogiannopoulos [Fri, 16 May 2014 05:09:45 +0000 (07:09 +0200)]
Allow null list_size argument in gnutls_certificate_get_peers()

3 years ago tests/slow: add -I flags necessary for out-of-source builds.
Michał Górny [Thu, 15 May 2014 21:53:17 +0000 (23:53 +0200)]
tests/slow: add -I flags necessary for out-of-source builds.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

3 years ago tests: pass PKCS12PATH to fix tests in out-of-source builds.
Michał Górny [Thu, 15 May 2014 21:46:03 +0000 (23:46 +0200)]
tests: pass PKCS12PATH to fix tests in out-of-source builds.

The set_pkcs12_cred used to default to looking for input files in a
subdirectory of the current working directory. When an out-of-source
build is performed, the files reside in a subdirectory of source
directory instead. Set PKCS12PATH to that directory in order to fix the
build.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

3 years ago Addressed memory leak in status request extension handling during rehandshake.
Nikos Mavrogiannopoulos [Fri, 9 May 2014 17:51:37 +0000 (19:51 +0200)]
Addressed memory leak in status request extension handling during rehandshake.

The memory leak was uncovered by the Codenomicon TLS suite.

3 years ago Avoid memory leak in safe renegotiation extension handling.
Nikos Mavrogiannopoulos [Thu, 8 May 2014 17:46:51 +0000 (19:46 +0200)]
Avoid memory leak in safe renegotiation extension handling.

The memory leak was uncovered by the Codenomicon TLS suite.

3 years ago Small cleanups in packet receive as well as a memory leak error.
Nikos Mavrogiannopoulos [Thu, 8 May 2014 14:59:21 +0000 (16:59 +0200)]
Small cleanups in packet receive as well as a memory leak error.

The memory leak was uncovered by the Codenomicon TLS suite.

3 years ago cleanup in the initialization of ECDH parameters.
Nikos Mavrogiannopoulos [Sun, 11 May 2014 11:05:46 +0000 (13:05 +0200)]
cleanup in the initialization of ECDH parameters.

3 years ago Eliminated memory leak on failed curve assignment.
Nikos Mavrogiannopoulos [Wed, 14 May 2014 13:47:48 +0000 (15:47 +0200)]
Eliminated memory leak on failed curve assignment.

The memory leak was uncovered by the Codenomicon TLS suite.

3 years ago gnutls-cli: if dane verification is used but not PKIX only check the end certificate.
Nikos Mavrogiannopoulos [Tue, 13 May 2014 07:52:22 +0000 (09:52 +0200)]
gnutls-cli: if dane verification is used but not PKIX only check the end certificate.

3 years ago certtool: check for null prior to checking for empty passwd
Nikos Mavrogiannopoulos [Wed, 14 May 2014 19:59:17 +0000 (21:59 +0200)]
certtool: check for null prior to checking for empty passwd

3 years ago Do not use autogen's file option for input parameters.
Nikos Mavrogiannopoulos [Thu, 15 May 2014 12:01:56 +0000 (14:01 +0200)]
Do not use autogen's file option for input parameters.

Instead use a string. We check the file for validity and autogen's
check was imposing rules such as normal file (as opposed to a device),
that were not needed.

3 years ago bumped version (tag: gnutls_3_2_14)
Nikos Mavrogiannopoulos [Tue, 6 May 2014 18:55:27 +0000 (20:55 +0200)]
bumped version

3 years ago doc update
Nikos Mavrogiannopoulos [Sun, 4 May 2014 18:58:48 +0000 (20:58 +0200)]
doc update

3 years ago When generating ECDSA keys, generate 256-bit keys by default.
Nikos Mavrogiannopoulos [Sun, 4 May 2014 11:54:58 +0000 (13:54 +0200)]
When generating ECDSA keys, generate 256-bit keys by default.

Curves with less than 256 bits (i.e., SECP192R1 and SECP224R1) are
not widely supported.

Conflicts:
src/certtool-common.c

3 years ago Corrected an off-by-one error.
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:52:25 +0000 (12:52 +0200)]
Corrected an off-by-one error.

The issue was discovered using the Codenomicon TLS suite.

3 years ago doc update
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:44:28 +0000 (12:44 +0200)]
doc update

3 years ago initialize to null the SRP extension data on allocation.
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:35:52 +0000 (12:35 +0200)]
initialize to null the SRP extension data on allocation.

Issue identified using valgrind and the Codenomicon TLS test suite.

3 years ago Better check for null signature method.
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:19:33 +0000 (12:19 +0200)]
Better check for null signature method.

Issue identified using valgrind and the Codenomicon TLS test suite.

3 years ago More precise packet length checking.
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:18:41 +0000 (12:18 +0200)]
More precise packet length checking.

Issue discovered using valgrind and the Codenomicon TLS test suite.

3 years ago doc update
Nikos Mavrogiannopoulos [Fri, 2 May 2014 13:20:20 +0000 (15:20 +0200)]
doc update

3 years ago simplify casting to mpz_t using __mpz_struct and cleaned up mpz_t access.
Nikos Mavrogiannopoulos [Fri, 2 May 2014 07:10:49 +0000 (09:10 +0200)]
simplify casting to mpz_t using __mpz_struct and cleaned up mpz_t access.

Conflicts:
lib/nettle/mpi.c
lib/nettle/pk.c

3 years ago simplify casting to mpz_t using __mpz_struct.
Nikos Mavrogiannopoulos [Fri, 2 May 2014 07:10:49 +0000 (09:10 +0200)]
simplify casting to mpz_t using __mpz_struct.

3 years ago updated included libtasn1.
Nikos Mavrogiannopoulos [Thu, 1 May 2014 21:15:59 +0000 (23:15 +0200)]
updated included libtasn1.

3 years ago Added option to enable linking with nettle-mini
Nikos Mavrogiannopoulos [Sun, 9 Mar 2014 12:40:39 +0000 (13:40 +0100)]
Added option to enable linking with nettle-mini

3 years ago doc update
Nikos Mavrogiannopoulos [Mon, 28 Apr 2014 09:51:56 +0000 (11:51 +0200)]
doc update

3 years ago removed redundant code. Reported by David Binderman.
Nikos Mavrogiannopoulos [Mon, 28 Apr 2014 09:49:25 +0000 (11:49 +0200)]
removed redundant code. Reported by David Binderman.

3 years ago increased MAX_DATA_ENTRIES to 100.
Nikos Mavrogiannopoulos [Mon, 28 Apr 2014 09:28:28 +0000 (11:28 +0200)]
increased MAX_DATA_ENTRIES to 100.

3 years ago only fail DANE verification if status is non-zero
Nikos Mavrogiannopoulos [Mon, 28 Apr 2014 09:17:04 +0000 (11:17 +0200)]
only fail DANE verification if status is non-zero

3 years ago Accept a certificate using DANE if there is at least one entry that matches the certi...
Nikos Mavrogiannopoulos [Mon, 28 Apr 2014 09:10:07 +0000 (11:10 +0200)]
Accept a certificate using DANE if there is at least one entry that matches the certificate.

This corrects the previous behavior that was rejecting the certificate if there
were multiple entries and one couldn't be validated. New flag DANE_VERIFY_UNKNOWN_DANE_INFO
is synonymous to DANE_VERIFY_NO_DANE_INFO. Patch by simon@arlott.org.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

3 years ago Do not print certificates twice.
Nikos Mavrogiannopoulos [Thu, 17 Apr 2014 19:18:08 +0000 (21:18 +0200)]
Do not print certificates twice.

That will improve the visibility of messages of the various verification methods.

3 years ago DANE verification is advisory when tofu is being used.
Nikos Mavrogiannopoulos [Mon, 28 Apr 2014 09:06:16 +0000 (11:06 +0200)]
DANE verification is advisory when tofu is being used.

3 years ago documentation update.
Nikos Mavrogiannopoulos [Thu, 17 Apr 2014 19:19:14 +0000 (21:19 +0200)]
documentation update.

3 years ago initialize the asn1 pointers.
Nikos Mavrogiannopoulos [Mon, 28 Apr 2014 08:24:51 +0000 (10:24 +0200)]
initialize the asn1 pointers.

3 years ago doc update
Nikos Mavrogiannopoulos [Fri, 18 Apr 2014 14:45:45 +0000 (16:45 +0200)]
doc update

3 years ago x86.h was renamed to x86-common.h to avoid clashes with system headers.
Nikos Mavrogiannopoulos [Sun, 27 Apr 2014 17:34:38 +0000 (19:34 +0200)]
x86.h was renamed to x86-common.h to avoid clashes with system headers.

3 years ago gnutls-cli will no longer allow the session to proceed if DANE verification fails.
Nikos Mavrogiannopoulos [Fri, 18 Apr 2014 23:22:40 +0000 (01:22 +0200)]
gnutls-cli will no longer allow the session to proceed if DANE verification fails.

3 years ago doc update
Nikos Mavrogiannopoulos [Fri, 18 Apr 2014 12:41:04 +0000 (14:41 +0200)]
doc update

3 years ago Avoid dual generation of key.
Nikos Mavrogiannopoulos [Fri, 18 Apr 2014 10:17:29 +0000 (12:17 +0200)]
Avoid dual generation of key.

3 years ago updated gnulib
Nikos Mavrogiannopoulos [Fri, 18 Apr 2014 12:08:28 +0000 (14:08 +0200)]
updated gnulib

3 years ago doc update
Nikos Mavrogiannopoulos [Fri, 18 Apr 2014 11:28:20 +0000 (13:28 +0200)]
doc update

3 years ago Enable hint in the rsa-psk test.
Nikos Mavrogiannopoulos [Fri, 18 Apr 2014 10:13:08 +0000 (12:13 +0200)]
Enable hint in the rsa-psk test.

3 years ago use custom proc_server_kx for RSA-PSK
Nikos Mavrogiannopoulos [Fri, 18 Apr 2014 10:12:48 +0000 (12:12 +0200)]
use custom proc_server_kx for RSA-PSK

3 years ago eliminated the leak of hint when deallocating the credentials.
Nikos Mavrogiannopoulos [Fri, 18 Apr 2014 10:02:39 +0000 (12:02 +0200)]
eliminated the leak of hint when deallocating the credentials.

3 years ago doc update
Nikos Mavrogiannopoulos [Fri, 18 Apr 2014 08:44:17 +0000 (10:44 +0200)]
doc update

3 years ago When checking for data to be received use the 'transport_recv_ptr'
Nikos Mavrogiannopoulos [Fri, 18 Apr 2014 08:40:49 +0000 (10:40 +0200)]
When checking for data to be received use the 'transport_recv_ptr'

This affects cases where there are different send and recv pointers.
Reported and investigated by JMRecio.