gnutls:gnutls.git
tag: gnutls_3_2_21
Nikos Mavrogiannopoulos [Thu, 11 Dec 2014 08:06:21 +0000 (09:06 +0100)]
released 3.2.21

Nikos Mavrogiannopoulos [Thu, 11 Dec 2014 04:59:52 +0000 (05:59 +0100)]
bumped version

Nikos Mavrogiannopoulos [Thu, 11 Dec 2014 04:41:48 +0000 (05:41 +0100)]
doc update

Nikos Mavrogiannopoulos [Thu, 11 Dec 2014 04:33:14 +0000 (05:33 +0100)]
utilize the gnutls 3.2 functions

Nikos Mavrogiannopoulos [Fri, 21 Nov 2014 14:02:40 +0000 (15:02 +0100)]
deinitialize the OCSP response der data

That also makes sure that reinitialization of ASN1 structures
is done only when it is required.

Nikos Mavrogiannopoulos [Fri, 14 Nov 2014 15:17:58 +0000 (16:17 +0100)]
use the original DER/BER data when verifying an OCSP response

Conflicts:
lib/x509/ocsp.c

Nikos Mavrogiannopoulos [Fri, 5 Dec 2014 09:37:25 +0000 (10:37 +0100)]
_gnutls_x509_get_dn() always return a null terminated string

Nikos Mavrogiannopoulos [Mon, 24 Nov 2014 17:54:28 +0000 (18:54 +0100)]
corrected memleak in read_key_mem()

Patch by Georg Richter.

Nikos Mavrogiannopoulos [Sat, 22 Nov 2014 09:55:21 +0000 (10:55 +0100)]
restore only the documented behavior

Nikos Mavrogiannopoulos [Fri, 21 Nov 2014 20:06:27 +0000 (21:06 +0100)]
doc update

Nikos Mavrogiannopoulos [Fri, 21 Nov 2014 19:42:21 +0000 (20:42 +0100)]
tests: added test for GNUTLS_E_GOT_APPLICATION_DATA on rehandshake

Conflicts:
tests/Makefile.am

Nikos Mavrogiannopoulos [Fri, 21 Nov 2014 19:18:08 +0000 (20:18 +0100)]
treat GNUTLS_E_GOT_APPLICATION_DATA as non-fatal if initial negotiation is complete

This corrects a regression introduced in b5a0de2e6da98866cafb770c3141b7353d030ab2
Reported by Dan Winship. https://savannah.gnu.org/support/?108690

tag: gnutls_3_2_20
Nikos Mavrogiannopoulos [Mon, 10 Nov 2014 07:22:34 +0000 (08:22 +0100)]
testcompat: updated

Nikos Mavrogiannopoulos [Mon, 10 Nov 2014 07:00:16 +0000 (08:00 +0100)]
bumped version

Nikos Mavrogiannopoulos [Mon, 10 Nov 2014 06:44:44 +0000 (07:44 +0100)]
doc update

Nikos Mavrogiannopoulos [Mon, 10 Nov 2014 06:44:11 +0000 (07:44 +0100)]
when exporting curve coordinates to X9.63 format, perform additional sanity checks on input

Reported by Sean Burford.

Nikos Mavrogiannopoulos [Sun, 2 Nov 2014 15:21:05 +0000 (16:21 +0100)]
doc update

Nikos Mavrogiannopoulos [Tue, 28 Oct 2014 09:43:04 +0000 (10:43 +0100)]
do not explicitly refresh rnd state on session deinit

It is already being refreshed during the session lifetime.

Ludovic Courtès [Tue, 14 Oct 2014 20:33:10 +0000 (22:33 +0200)]
guile: Remove trailing zero in 'gnutls_server_name_set' call.

In GnuTLS 3.2.19 (and possibly 3.3.9 and 3.1.17),
'set-session-server-name!' would pass a trailing nul character on the
wire after the server name, which would thus be rejected by servers.

Nikos Mavrogiannopoulos [Tue, 14 Oct 2014 19:05:34 +0000 (21:05 +0200)]
corrected libopt's Makefile.am

reported by Marius Schamschula.

Nikos Mavrogiannopoulos [Tue, 14 Oct 2014 09:05:20 +0000 (11:05 +0200)]
corrected the SSSE3 optimized SHA224

Nikos Mavrogiannopoulos [Tue, 14 Oct 2014 07:23:13 +0000 (09:23 +0200)]
simplified getrusage code; the failure check code wasn't needed

tag: gnutls_3_2_19
Nikos Mavrogiannopoulos [Mon, 13 Oct 2014 03:57:15 +0000 (05:57 +0200)]
bumped version

Nikos Mavrogiannopoulos [Mon, 13 Oct 2014 03:55:57 +0000 (05:55 +0200)]
doc update

Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 21:04:04 +0000 (23:04 +0200)]
updated to libopts 5.18.4

Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 17:44:09 +0000 (19:44 +0200)]
placed all rusage variables into HAVE_GETRUSAGE block

Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 12:47:06 +0000 (14:47 +0200)]
doc update

Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 12:39:41 +0000 (14:39 +0200)]
rnd: if RUSAGE_THREAD fails try RUSAGE_SELF

Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 07:09:42 +0000 (09:09 +0200)]
doc update

Nikos Mavrogiannopoulos [Fri, 10 Oct 2014 07:56:46 +0000 (09:56 +0200)]
doc update

Nikos Mavrogiannopoulos [Thu, 2 Oct 2014 12:55:01 +0000 (14:55 +0200)]
use wait and retransmit when receiving session tickets

Nikos Mavrogiannopoulos [Tue, 30 Sep 2014 18:57:00 +0000 (20:57 +0200)]
doc update

Nikos Mavrogiannopoulos [Fri, 26 Sep 2014 07:01:15 +0000 (09:01 +0200)]
do not allow GNUTLS_E_LARGE_PACKET to be returned from non-DTLS sessions

Conflicts:
lib/gnutls_handshake.c

Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 10:00:39 +0000 (12:00 +0200)]
protect DTLS clients that don't handle GNUTLS_E_LARGE_PACKET from an infinite loop on handshake

Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 10:27:48 +0000 (12:27 +0200)]
restrict the number of non-fatal errors gnutls_handshake() can return

Ludovic Courtès [Mon, 22 Sep 2014 14:20:07 +0000 (16:20 +0200)]
guile: Restore cross-reference in 'set-session-priorities!' docstring.

This had been destroyed in 32d90395.

Ludovic Courtès [Mon, 22 Sep 2014 14:10:36 +0000 (16:10 +0200)]
guile: Add bindings for 'gnutls_server_name_set'.

This adds the 'set-session-server-name!' procedure and the
'server-name-type' enum type.

Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 09:40:36 +0000 (11:40 +0200)]
doc update

Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 07:43:22 +0000 (09:43 +0200)]
cleaned up memory deallocation in read_cert_url()

That caused unexpected results when loading PKCS #11 URLs.
Reported by Joseph Peruski.

tag: gnutls_3_2_18
Nikos Mavrogiannopoulos [Thu, 18 Sep 2014 12:01:15 +0000 (14:01 +0200)]
bumped version

Nikos Mavrogiannopoulos [Thu, 18 Sep 2014 11:59:34 +0000 (13:59 +0200)]
doc update

Nikos Mavrogiannopoulos [Thu, 18 Sep 2014 09:09:03 +0000 (11:09 +0200)]
doc update

Nikos Mavrogiannopoulos [Sat, 13 Sep 2014 08:34:29 +0000 (10:34 +0200)]
gnutls_x509_crl_verify: do not always set the invalid status

Reported by Armin Burgmeier.

Nikos Mavrogiannopoulos [Sat, 13 Sep 2014 08:33:08 +0000 (10:33 +0200)]
Revert "gnutls_x509_crl_verify: do not always set the invalid status"

This reverts commit d29a0027fd554ee1aa92c186c6040f53f15cdab7.

Nikos Mavrogiannopoulos [Sat, 13 Sep 2014 07:50:22 +0000 (09:50 +0200)]
gnutls_x509_crl_verify: do not always set the invalid status

Reported by Armin Burgmeier.

Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 21:30:46 +0000 (23:30 +0200)]
optimized escaped comma handling

Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 19:08:10 +0000 (21:08 +0200)]
doc update

Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 18:39:34 +0000 (20:39 +0200)]
when setting a DN properly handle spaces and escaped commas

Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 11:48:20 +0000 (13:48 +0200)]
steal openconnect's vasprintf() implementation

Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 11:37:30 +0000 (13:37 +0200)]
corrected bundled vasprintf(); reported by Jeff Lee

Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 13:25:40 +0000 (15:25 +0200)]
avoid new allocations and keep a pointer to the DER data for DN

Conflicts:
lib/x509/crl.c
lib/x509/x509.c

Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 13:21:55 +0000 (15:21 +0200)]
when importing a CRL keep the DER data

Nikos Mavrogiannopoulos [Fri, 29 Aug 2014 13:17:42 +0000 (15:17 +0200)]
when importing a certificate, keep the DER data

Conflicts:
lib/x509/verify.c

Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 08:45:01 +0000 (10:45 +0200)]
updated included libtasn1

Tristan Matthews [Fri, 29 Aug 2014 17:42:09 +0000 (13:42 -0400)]
alpn: fix version documentation

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Nikos Mavrogiannopoulos [Mon, 25 Aug 2014 17:29:55 +0000 (19:29 +0200)]
check for stdnoreturn.h presence

tag: gnutls_3_2_17
Nikos Mavrogiannopoulos [Sun, 24 Aug 2014 07:46:05 +0000 (09:46 +0200)]
auto-generated file update

Nikos Mavrogiannopoulos [Sun, 24 Aug 2014 07:32:55 +0000 (09:32 +0200)]
released 3.2.17

Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 19:17:45 +0000 (21:17 +0200)]
record: tolerate a finished packet with errors in DTLS

Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 15:35:51 +0000 (17:35 +0200)]
doc update

Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 15:28:59 +0000 (17:28 +0200)]
record: in DTLS discard only messages that cause unexpected packet errors

Nikos Mavrogiannopoulos [Sat, 23 Aug 2014 06:18:53 +0000 (08:18 +0200)]
updated minitasn1

Nikos Mavrogiannopoulos [Thu, 21 Aug 2014 09:45:48 +0000 (11:45 +0200)]
use the windows API in windows even if iconv is available

Nikos Mavrogiannopoulos [Wed, 20 Aug 2014 08:49:39 +0000 (10:49 +0200)]
configure: print error message when nettle is 3.0 or later

Nikos Mavrogiannopoulos [Sun, 17 Aug 2014 13:06:24 +0000 (15:06 +0200)]
doc update

Nikos Mavrogiannopoulos [Tue, 12 Aug 2014 20:48:04 +0000 (22:48 +0200)]
tests: check that gnutls_x509_crt_check_hostname() will correctly use the last CN when multiple

Nikos Mavrogiannopoulos [Tue, 12 Aug 2014 20:38:58 +0000 (22:38 +0200)]
when checking the hostname of a certificate with multiple CNs use the "most specific" CN

In our case we use the last CN present in the DN. Reported
by David Woodhouse.

https://bugzilla.mozilla.org/show_bug.cgi?id=307234#c2

Nikos Mavrogiannopoulos [Sun, 10 Aug 2014 11:31:22 +0000 (13:31 +0200)]
doc update

Nikos Mavrogiannopoulos [Sun, 10 Aug 2014 09:24:15 +0000 (11:24 +0200)]
tests: test the decoding of a PKCS #12 structure with SHA256 MAC

Conflicts:
tests/pkcs12-decode/pkcs12

Nikos Mavrogiannopoulos [Sun, 10 Aug 2014 09:26:34 +0000 (11:26 +0200)]
tests: updated string to keys tests for new internal API

Nikos Mavrogiannopoulos [Sun, 10 Aug 2014 08:28:57 +0000 (10:28 +0200)]
pkcs12: Allow verification with structures that support other than HMAC-SHA1 MACs.

Conflicts:
lib/x509/pkcs12_encr.c

Nikos Mavrogiannopoulos [Wed, 6 Aug 2014 13:18:02 +0000 (15:18 +0200)]
doc update

Wolfgang Meyer zu Bergsten [Mon, 4 Aug 2014 13:32:53 +0000 (15:32 +0200)]
improve compatibility in pkcs11 key generation

* explicitly set public exponent in template

Signed-off-by: Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com>

Nikos Mavrogiannopoulos [Wed, 6 Aug 2014 11:39:09 +0000 (13:39 +0200)]
gnutls-cli-debug: added AES and CAMELLIA to the list of default ciphers

Nikos Mavrogiannopoulos [Mon, 4 Aug 2014 14:32:14 +0000 (16:32 +0200)]
doc update

Nikos Mavrogiannopoulos [Mon, 4 Aug 2014 14:28:55 +0000 (16:28 +0200)]
pkcs8: initialize parameters on decryption

Nikos Mavrogiannopoulos [Tue, 29 Jul 2014 20:21:36 +0000 (22:21 +0200)]
updated to libopts 5.18.3

Nikos Mavrogiannopoulos [Tue, 29 Jul 2014 20:13:29 +0000 (22:13 +0200)]
updated gnulib

Nikos Mavrogiannopoulos [Mon, 28 Jul 2014 13:05:37 +0000 (15:05 +0200)]
Added replacements of inet_aton and inet_pton on systems where they are not present

gnulib is avoided in order to keep the gnulib network replacements out of
the library

tag: gnutls_3_2_16
Nikos Mavrogiannopoulos [Wed, 23 Jul 2014 07:25:19 +0000 (09:25 +0200)]
released 3.2.16

Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 21:48:23 +0000 (23:48 +0200)]
use const return value in ip_to_string

Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 21:46:25 +0000 (23:46 +0200)]
bumped version

Nikos Mavrogiannopoulos [Tue, 22 Jul 2014 11:03:38 +0000 (13:03 +0200)]
minimum version was changed to TLS 1.0 for ciphersuites with SHA2

These ciphersuites could not be used with SSL 3.0 that only defines
usage of MD5 or SHA1 MACs. Reported by Manuel Pegourie-Gonnard.

Nikos Mavrogiannopoulos [Mon, 21 Jul 2014 15:58:28 +0000 (17:58 +0200)]
ignore CKR_CRYPTOKI_ALREADY_INITIALIZED when returned on reinitialization

Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 12:40:59 +0000 (14:40 +0200)]
doc update

Nikos Mavrogiannopoulos [Mon, 7 Jul 2014 12:37:00 +0000 (14:37 +0200)]
set CKA_EC_PARAMS when generating an ECDSA key

Conflicts:
lib/pkcs11.c

Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 21:11:00 +0000 (23:11 +0200)]
dane: Skip DANE entries that may contain unknown info

That would allow skipping any future entries without failing.
Reported by Simon Arlott.

Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 20:58:42 +0000 (22:58 +0200)]
dane: Added sanity check in dane_verify_crt_raw()

That allows calling the function with an empty chain.
Reported by Simon Arlott.

Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 18:32:07 +0000 (20:32 +0200)]
doc update

Nikos Mavrogiannopoulos [Sun, 6 Jul 2014 18:30:13 +0000 (20:30 +0200)]
p11tool: don't outsmart user and override login type

Unfortunately tokens vary on their requirements for writing trusted
and private objects, and there is no one-size fits all policy. Thus
allow a proper failure and warn the user that so-login may be required.

Nikos Mavrogiannopoulos [Fri, 4 Jul 2014 13:44:38 +0000 (15:44 +0200)]
pkcs11: Removed length check of attribute as a sanity check for valid keys.

There can be keys where the id or label is empty and thus with zero length.

Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:53:05 +0000 (15:53 +0200)]
doc update

Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 13:17:38 +0000 (15:17 +0200)]
gnutls_pkcs11_privkey_generate2(): corrected public key extraction (for ECDSA keys)

Nikos Mavrogiannopoulos [Tue, 1 Jul 2014 12:36:30 +0000 (14:36 +0200)]
p11tool/certtool: use GNUTLS_SO_PIN for reading security officer's PIN

Nikos Mavrogiannopoulos [Mon, 30 Jun 2014 20:55:37 +0000 (22:55 +0200)]
mention that IPv4 and IPv6 address comparison is since 3.2.16.

Nikos Mavrogiannopoulos [Mon, 30 Jun 2014 20:54:13 +0000 (22:54 +0200)]
Added explicit documentation on IPv4 and IPv6 address matching.

Nikos Mavrogiannopoulos [Mon, 30 Jun 2014 20:31:58 +0000 (22:31 +0200)]
doc update

Nikos Mavrogiannopoulos [Fri, 27 Jun 2014 09:24:29 +0000 (11:24 +0200)]
tests: Added test cases for IPv4/6 matching.

Nikos Mavrogiannopoulos [Mon, 30 Jun 2014 20:31:14 +0000 (22:31 +0200)]
gnutls_x509_crt_check_hostname() checks text ip addresses as well.

That aligns the documentation with the implementation.

Nikos Mavrogiannopoulos [Sat, 28 Jun 2014 12:09:28 +0000 (14:09 +0200)]
doc update