gnutls:gnutls.git
3 years ago auto-generated file update gnutls_3_2_17
Nikos Mavrogiannopoulos [Sun, 24 Aug 2014 07:46:05 +0000 (09:46 +0200)]
auto-generated file update

3 years ago released 3.2.17
Nikos Mavrogiannopoulos [Sun, 24 Aug 2014 07:32:55 +0000 (09:32 +0200)]
released 3.2.17

3 years ago record: tolerate a finished packet with errors in DTLS
Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 19:17:45 +0000 (21:17 +0200)]
record: tolerate a finished packet with errors in DTLS

3 years ago doc update
Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 15:35:51 +0000 (17:35 +0200)]
doc update

3 years ago record: in DTLS discard only messages that cause unexpected packet errors
Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 15:28:59 +0000 (17:28 +0200)]
record: in DTLS discard only messages that cause unexpected packet errors

3 years ago updated minitasn1
Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 06:18:53 +0000 (08:18 +0200)]
updated minitasn1

3 years ago use the windows API in windows even if iconv is available
Nikos Mavrogiannopoulos [Thu, 21 Aug 2014 09:45:48 +0000 (11:45 +0200)]
use the windows API in windows even if iconv is available

3 years ago configure: print error message when nettle is 3.0 or later
Nikos Mavrogiannopoulos [Wed, 20 Aug 2014 08:49:39 +0000 (10:49 +0200)]
configure: print error message when nettle is 3.0 or later

3 years ago doc update
Nikos Mavrogiannopoulos [Sun, 17 Aug 2014 13:06:24 +0000 (15:06 +0200)]
doc update

3 years ago tests: check that gnutls_x509_crt_check_hostname() will correctly use the last CN...
Nikos Mavrogiannopoulos [Tue, 12 Aug 2014 20:48:04 +0000 (22:48 +0200)]
tests: check that gnutls_x509_crt_check_hostname() will correctly use the last CN when multiple

3 years ago when checking the hostname of a certificate with multiple CNs use the "most specific" CN
Nikos Mavrogiannopoulos [Tue, 12 Aug 2014 20:38:58 +0000 (22:38 +0200)]
when checking the hostname of a certificate with multiple CNs use the "most specific" CN

In our case we use the last CN present in the DN. Reported
by David Woodhouse.

https://bugzilla.mozilla.org/show_bug.cgi?id=307234#c2

3 years ago doc update
Nikos Mavrogiannopoulos [Sun, 10 Aug 2014 11:31:22 +0000 (13:31 +0200)]
doc update

3 years ago tests: test the decoding of a PKCS #12 structure with SHA256 MAC
Nikos Mavrogiannopoulos [Sun, 10 Aug 2014 09:24:15 +0000 (11:24 +0200)]
tests: test the decoding of a PKCS #12 structure with SHA256 MAC

Conflicts:
tests/pkcs12-decode/pkcs12

3 years ago tests: updated string to keys tests for new internal API
Nikos Mavrogiannopoulos [Sun, 10 Aug 2014 09:26:34 +0000 (11:26 +0200)]
tests: updated string to keys tests for new internal API

3 years ago pkcs12: Allow verification with structures that support other than HMAC-SHA1 MACs.
Nikos Mavrogiannopoulos [Sun, 10 Aug 2014 08:28:57 +0000 (10:28 +0200)]
pkcs12: Allow verification with structures that support other than HMAC-SHA1 MACs.

Conflicts:
lib/x509/pkcs12_encr.c

3 years ago doc update
Nikos Mavrogiannopoulos [Wed, 6 Aug 2014 13:18:02 +0000 (15:18 +0200)]
doc update

3 years ago improve compatibility in pkcs11 key generation
Wolfgang Meyer zu Bergsten [Mon, 4 Aug 2014 13:32:53 +0000 (15:32 +0200)]
improve compatibility in pkcs11 key generation

* explicitly set public exponent in template

Signed-off-by: Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com>

3 years ago gnutls-cli-debug: added AES and CAMELLIA to the list of default ciphers
Nikos Mavrogiannopoulos [Wed, 6 Aug 2014 11:39:09 +0000 (13:39 +0200)]
gnutls-cli-debug: added AES and CAMELLIA to the list of default ciphers

3 years ago doc update
Nikos Mavrogiannopoulos [Mon, 4 Aug 2014 14:32:14 +0000 (16:32 +0200)]
doc update

3 years ago pkcs8: initialize parameters on decryption
Nikos Mavrogiannopoulos [Mon, 4 Aug 2014 14:28:55 +0000 (16:28 +0200)]
pkcs8: initialize parameters on decryption

3 years ago updated to libopts 5.18.3
Nikos Mavrogiannopoulos [Tue, 29 Jul 2014 20:21:36 +0000 (22:21 +0200)]
updated to libopts 5.18.3

3 years ago updated gnulib
Nikos Mavrogiannopoulos [Tue, 29 Jul 2014 20:13:29 +0000 (22:13 +0200)]
updated gnulib

3 years ago Added replacements of inet_aton and inet_pton on systems where they are not present
Nikos Mavrogiannopoulos [Mon, 28 Jul 2014 13:05:37 +0000 (15:05 +0200)]
Added replacements of inet_aton and inet_pton on systems where they are not present

gnulib is avoided in order to keep the gnulib network replacements out of
the library

3 years ago released 3.2.16 gnutls_3_2_16
Nikos Mavrogiannopoulos [Wed, 23 Jul 2014 07:25:19 +0000 (09:25 +0200)]
released 3.2.16

3 years ago use const return value in ip_to_string
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 21:48:23 +0000 (23:48 +0200)]
use const return value in ip_to_string

3 years ago bumped version
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 21:46:25 +0000 (23:46 +0200)]
bumped version

3 years ago minimum version was changed to TLS 1.0 for ciphersuites with SHA2
Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:03:38 +0000 (13:03 +0200)]
minimum version was changed to TLS 1.0 for ciphersuites with SHA2

These ciphersuites could not be used with SSL 3.0 that only defines
usage of MD5 or SHA1 MACs. Reported by Manuel Pegourie-Gonnard.

3 years ago ignore CKR_CRYPTOKI_ALREADY_INITIALIZED when returned on reinitialization
Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 15:58:28 +0000 (17:58 +0200)]
ignore CKR_CRYPTOKI_ALREADY_INITIALIZED when returned on reinitialization

3 years ago doc update
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 12:40:59 +0000 (14:40 +0200)]
doc update

3 years ago set CKA_EC_PARAMS when generating an ECDSA key
Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 12:37:00 +0000 (14:37 +0200)]
set CKA_EC_PARAMS when generating an ECDSA key

Conflicts:
lib/pkcs11.c

3 years ago dane: Skip DANE entries that may contain unknown info
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 21:11:00 +0000 (23:11 +0200)]
dane: Skip DANE entries that may contain unknown info

That would allow skipping any future entries without failing.
Reported by Simon Arlott.

3 years ago dane: Added sanity check in dane_verify_crt_raw()
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 20:58:42 +0000 (22:58 +0200)]
dane: Added sanity check in dane_verify_crt_raw()

That allows calling the function with an empty chain.
Reported by Simon Arlott.

3 years ago doc update
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 18:32:07 +0000 (20:32 +0200)]
doc update

3 years ago p11tool: don't outsmart user and override login type
Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 18:30:13 +0000 (20:30 +0200)]
p11tool: don't outsmart user and override login type

Unfortunately tokens vary on their requirements for writing trusted
and private objects, and there is no one-size fits all policy. Thus
allow a proper failure and warn the user that so-login may be required.

3 years ago pkcs11: Removed length check of attribute as a sanity check for valid keys.
Nikos Mavrogiannopoulos [Fri, 4 Jul 2014 13:44:38 +0000 (15:44 +0200)]
pkcs11: Removed length check of attribute as a sanity check for valid keys.

There can be keys where the id or label is empty and thus with zero length.

3 years ago doc update
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:53:05 +0000 (15:53 +0200)]
doc update

3 years ago gnutls_pkcs11_privkey_generate2(): corrected public key extraction (for ECDSA keys)
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:17:38 +0000 (15:17 +0200)]
gnutls_pkcs11_privkey_generate2(): corrected public key extraction (for ECDSA keys)

3 years ago p11tool/certtool: use GNUTLS_SO_PIN for reading security officer's PIN
Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 12:36:30 +0000 (14:36 +0200)]
p11tool/certtool: use GNUTLS_SO_PIN for reading security officer's PIN

3 years ago mention that IPv4 and IPv6 address comparison is since 3.2.16.
Nikos Mavrogiannopoulos [Mon, 30 Jun 2014 20:55:37 +0000 (22:55 +0200)]
mention that IPv4 and IPv6 address comparison is since 3.2.16.

3 years ago Added explicit documentation on IPv4 and IPv6 address matching.
Nikos Mavrogiannopoulos [Mon, 30 Jun 2014 20:54:13 +0000 (22:54 +0200)]
Added explicit documentation on IPv4 and IPv6 address matching.

3 years ago doc update
Nikos Mavrogiannopoulos [Mon, 30 Jun 2014 20:31:58 +0000 (22:31 +0200)]
doc update

3 years ago tests: Added test cases for IPv4/6 matching.
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 09:24:29 +0000 (11:24 +0200)]
tests: Added test cases for IPv4/6 matching.

3 years ago gnutls_x509_crt_check_hostname() checks text ip addresses as well.
Nikos Mavrogiannopoulos [Mon, 30 Jun 2014 20:31:14 +0000 (22:31 +0200)]
gnutls_x509_crt_check_hostname() checks text ip addresses as well.

That aligns the documentation with the implementation.

3 years ago doc update
Nikos Mavrogiannopoulos [Sat, 28 Jun 2014 12:09:28 +0000 (14:09 +0200)]
doc update

3 years ago Use inet_ntop() for printing IP addresses.
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 09:30:25 +0000 (11:30 +0200)]
Use inet_ntop() for printing IP addresses.

The old dumb code is used in systems that don't have that function.

3 years ago initialize str to NULL
Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 07:08:18 +0000 (09:08 +0200)]
initialize str to NULL

3 years ago p11tool: Do not allow a newline as PIN.
Nikos Mavrogiannopoulos [Wed, 25 Jun 2014 13:29:35 +0000 (15:29 +0200)]
p11tool: Do not allow a newline as PIN.

3 years ago pkcs11: avoid calling _gnutls_bin2hex() when length is zero.
Nikos Mavrogiannopoulos [Wed, 25 Jun 2014 12:16:22 +0000 (14:16 +0200)]
pkcs11: avoid calling _gnutls_bin2hex() when length is zero.

3 years ago doc: Corrections for gnutls_handshake_set_hook_function()
Attila Molnar [Sun, 15 Jun 2014 15:42:28 +0000 (17:42 +0200)]
doc: Corrections for gnutls_handshake_set_hook_function()

3 years ago doc update
Nikos Mavrogiannopoulos [Mon, 9 Jun 2014 15:08:43 +0000 (17:08 +0200)]
doc update

3 years ago doc update
Nikos Mavrogiannopoulos [Mon, 9 Jun 2014 15:06:43 +0000 (17:06 +0200)]
doc update

3 years ago Do not call the user_hello_func multiple times when performing ticket resumption.
Nikos Mavrogiannopoulos [Thu, 22 May 2014 15:36:46 +0000 (17:36 +0200)]
Do not call the user_hello_func multiple times when performing ticket resumption.

3 years ago doc update
Nikos Mavrogiannopoulos [Fri, 6 Jun 2014 08:16:45 +0000 (10:16 +0200)]
doc update

3 years ago When decoding of a DN string fails, treat it as unknown string and print its hex...
Nikos Mavrogiannopoulos [Fri, 6 Jun 2014 08:13:19 +0000 (10:13 +0200)]
When decoding of a DN string fails, treat it as unknown string and print its hex value.

3 years ago define NN_HASH unconditionally
Nikos Mavrogiannopoulos [Wed, 4 Jun 2014 16:21:24 +0000 (18:21 +0200)]
define NN_HASH unconditionally

3 years ago m4/hooks.m4: use enableval rather than fixed values.
Nikos Mavrogiannopoulos [Tue, 3 Jun 2014 11:48:32 +0000 (13:48 +0200)]
m4/hooks.m4: use enableval rather than fixed values.

That should resolve issue #108592 at
http://savannah.gnu.org/support/?108592

3 years ago doc update gnutls_3_2_15
Nikos Mavrogiannopoulos [Thu, 29 May 2014 17:43:09 +0000 (19:43 +0200)]
doc update

3 years ago include config.h
Nikos Mavrogiannopoulos [Thu, 29 May 2014 17:37:03 +0000 (19:37 +0200)]
include config.h

3 years ago bumped version
Nikos Mavrogiannopoulos [Thu, 29 May 2014 17:13:28 +0000 (19:13 +0200)]
bumped version

3 years ago updated libtasn1
Nikos Mavrogiannopoulos [Sun, 25 May 2014 19:36:57 +0000 (21:36 +0200)]
updated libtasn1

3 years ago Prevent memory corruption due to server hello parsing.
Nikos Mavrogiannopoulos [Fri, 23 May 2014 17:50:31 +0000 (19:50 +0200)]
Prevent memory corruption due to server hello parsing.

Issue discovered by Joonas Kuorilehto of Codenomicon.

3 years ago doc update
Nikos Mavrogiannopoulos [Thu, 29 May 2014 15:14:18 +0000 (17:14 +0200)]
doc update

3 years ago Fix capitalisation of ia5String
Nikos Mavrogiannopoulos [Thu, 29 May 2014 15:04:18 +0000 (17:04 +0200)]
Fix capitalisation of ia5String

3 years ago increased the maximum certificate size buffer in the PKCS #11 subsystem.
Nikos Mavrogiannopoulos [Thu, 29 May 2014 14:20:59 +0000 (16:20 +0200)]
increased the maximum certificate size buffer in the PKCS #11 subsystem.

3 years ago check the return code of getpwuid_r()
Nikos Mavrogiannopoulos [Thu, 29 May 2014 07:23:05 +0000 (09:23 +0200)]
check the return code of getpwuid_r()

Reported by Viktor Dukhovni.

3 years ago ocsptool: Include path in ocsp request.
Nikos Mavrogiannopoulos [Mon, 26 May 2014 15:18:44 +0000 (17:18 +0200)]
ocsptool: Include path in ocsp request.

This resolves #108582 (https://savannah.gnu.org/support/?108582), reported
by Matt McCutchen.

3 years ago doc update
Nikos Mavrogiannopoulos [Fri, 23 May 2014 11:35:59 +0000 (13:35 +0200)]
doc update

3 years ago Do not allow null strings to be read from ASN.1 structures.
Nikos Mavrogiannopoulos [Thu, 22 May 2014 18:43:24 +0000 (20:43 +0200)]
Do not allow null strings to be read from ASN.1 structures.

This corrects a null pointer dereference when parsing some specially
crafted certificates. Issue discovered using the Codenomicon TLS
test suite.

3 years ago gnutls_x509_crt_get_extension_data: will return zero if data is NULL and memory buffe...
Nikos Mavrogiannopoulos [Thu, 22 May 2014 11:35:22 +0000 (13:35 +0200)]
gnutls_x509_crt_get_extension_data: will return zero if data is NULL and memory buffer size is not sufficient.

3 years ago check for correct error codes in print_extensions().
Nikos Mavrogiannopoulos [Thu, 22 May 2014 11:33:22 +0000 (13:33 +0200)]
check for correct error codes in print_extensions().

3 years ago When assigning the TLS version, double check that it is valid.
Nikos Mavrogiannopoulos [Thu, 22 May 2014 07:21:20 +0000 (09:21 +0200)]
When assigning the TLS version, double check that it is valid.

3 years ago Prevent a crash by ensuring that there is a valid negotiated version.
Nikos Mavrogiannopoulos [Thu, 22 May 2014 07:12:37 +0000 (09:12 +0200)]
Prevent a crash by ensuring that there is a valid negotiated version.

Issue discovered by Joonas Kuorilehto of Codenomicon.

3 years ago backported signature checks
Nikos Mavrogiannopoulos [Sat, 17 May 2014 13:05:30 +0000 (15:05 +0200)]
backported signature checks

3 years ago doc update
Nikos Mavrogiannopoulos [Sat, 17 May 2014 06:35:51 +0000 (08:35 +0200)]
doc update

3 years ago use gnutls_set_default_priority() in examples.
Nikos Mavrogiannopoulos [Sun, 11 May 2014 07:52:17 +0000 (09:52 +0200)]
use gnutls_set_default_priority() in examples.

3 years ago gnutls_x509_crt_get_signature() will return the correct signature size rather than...
Nikos Mavrogiannopoulos [Fri, 16 May 2014 22:26:25 +0000 (00:26 +0200)]
gnutls_x509_crt_get_signature() will return the correct signature size rather than the max.

3 years ago Print the openpgp DN only when gnutls_openpgp_crt_get_name() failed appropriately.
Nikos Mavrogiannopoulos [Fri, 16 May 2014 22:36:49 +0000 (00:36 +0200)]
Print the openpgp DN only when gnutls_openpgp_crt_get_name() failed appropriately.

3 years ago corrected error checking in gnutls_x509_crt_get_extension_data()
Nikos Mavrogiannopoulos [Fri, 16 May 2014 22:28:23 +0000 (00:28 +0200)]
corrected error checking in gnutls_x509_crt_get_extension_data()

3 years ago Allow null list_size argument in gnutls_certificate_get_peers()
Nikos Mavrogiannopoulos [Fri, 16 May 2014 05:09:45 +0000 (07:09 +0200)]
Allow null list_size argument in gnutls_certificate_get_peers()

3 years ago tests/slow: add -I flags necessary for out-of-source builds.
Michał Górny [Thu, 15 May 2014 21:53:17 +0000 (23:53 +0200)]
tests/slow: add -I flags necessary for out-of-source builds.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

3 years ago tests: pass PKCS12PATH to fix tests in out-of-source builds.
Michał Górny [Thu, 15 May 2014 21:46:03 +0000 (23:46 +0200)]
tests: pass PKCS12PATH to fix tests in out-of-source builds.

The set_pkcs12_cred used to default to looking for input files in a
subdirectory of the current working directory. When an out-of-source
build is performed, the files reside in a subdirectory of source
directory instead. Set PKCS12PATH to that directory in order to fix the
build.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

3 years ago Addressed memory leak in status request extension handling during rehandshake.
Nikos Mavrogiannopoulos [Fri, 9 May 2014 17:51:37 +0000 (19:51 +0200)]
Addressed memory leak in status request extension handling during rehandshake.

The memory leak was uncovered by the Codenomicon TLS suite.

3 years ago Avoid memory leak in safe renegotiation extension handling.
Nikos Mavrogiannopoulos [Thu, 8 May 2014 17:46:51 +0000 (19:46 +0200)]
Avoid memory leak in safe renegotiation extension handling.

The memory leak was uncovered by the Codenomicon TLS suite.

3 years ago Small cleanups in packet receive as well as a memory leak error.
Nikos Mavrogiannopoulos [Thu, 8 May 2014 14:59:21 +0000 (16:59 +0200)]
Small cleanups in packet receive as well as a memory leak error.

The memory leak was uncovered by the Codenomicon TLS suite.

3 years ago cleanup in the initialization of ECDH parameters.
Nikos Mavrogiannopoulos [Sun, 11 May 2014 11:05:46 +0000 (13:05 +0200)]
cleanup in the initialization of ECDH parameters.

3 years ago Eliminated memory leak on failed curve assignment.
Nikos Mavrogiannopoulos [Wed, 14 May 2014 13:47:48 +0000 (15:47 +0200)]
Eliminated memory leak on failed curve assignment.

The memory leak was uncovered by the Codenomicon TLS suite.

3 years ago gnutls-cli: if dane verification is used but not PKIX only check the end certificate.
Nikos Mavrogiannopoulos [Tue, 13 May 2014 07:52:22 +0000 (09:52 +0200)]
gnutls-cli: if dane verification is used but not PKIX only check the end certificate.

3 years ago certtool: check for null prior to checking for empty passwd
Nikos Mavrogiannopoulos [Wed, 14 May 2014 19:59:17 +0000 (21:59 +0200)]
certtool: check for null prior to checking for empty passwd

3 years ago Do not use autogen's file option for input parameters.
Nikos Mavrogiannopoulos [Thu, 15 May 2014 12:01:56 +0000 (14:01 +0200)]
Do not use autogen's file option for input parameters.

Instead use a string. We check the file for validity and autogen's
check was imposing rules such as normal file (as opposed to a device),
that were not needed.

3 years ago bumped version gnutls_3_2_14
Nikos Mavrogiannopoulos [Tue, 6 May 2014 18:55:27 +0000 (20:55 +0200)]
bumped version

3 years ago doc update
Nikos Mavrogiannopoulos [Sun, 4 May 2014 18:58:48 +0000 (20:58 +0200)]
doc update

3 years ago When generating ECDSA keys, generate 256-bit keys by default.
Nikos Mavrogiannopoulos [Sun, 4 May 2014 11:54:58 +0000 (13:54 +0200)]
When generating ECDSA keys, generate 256-bit keys by default.

Curves with less than 256 bits (i.e., SECP192R1 and SECP224R1) are
not widely supported.

Conflicts:
src/certtool-common.c

3 years ago Corrected an off-by-one error.
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:52:25 +0000 (12:52 +0200)]
Corrected an off-by-one error.

The issue was discovered using the Codenomicon TLS suite.

3 years ago doc update
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:44:28 +0000 (12:44 +0200)]
doc update

3 years ago initialize to null the SRP extension data on allocation.
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:35:52 +0000 (12:35 +0200)]
initialize to null the SRP extension data on allocation.

Issue identified using valgrind and the Codenomicon TLS test suite.

3 years ago Better check for null signature method.
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:19:33 +0000 (12:19 +0200)]
Better check for null signature method.

Issue identified using valgrind and the Codenomicon TLS test suite.

3 years ago More precise packet length checking.
Nikos Mavrogiannopoulos [Sun, 4 May 2014 10:18:41 +0000 (12:18 +0200)]
More precise packet length checking.

Issue discovered using valgrind and the Codenomicon TLS test suite.

3 years ago doc update
Nikos Mavrogiannopoulos [Fri, 2 May 2014 13:20:20 +0000 (15:20 +0200)]
doc update

3 years ago simplify casting to mpz_t using __mpz_struct and cleaned up mpz_t access.
Nikos Mavrogiannopoulos [Fri, 2 May 2014 07:10:49 +0000 (09:10 +0200)]
simplify casting to mpz_t using __mpz_struct and cleaned up mpz_t access.

Conflicts:
lib/nettle/mpi.c
lib/nettle/pk.c

3 years ago simplify casting to mpz_t using __mpz_struct.
Nikos Mavrogiannopoulos [Fri, 2 May 2014 07:10:49 +0000 (09:10 +0200)]
simplify casting to mpz_t using __mpz_struct.