gnutls:gnutls.git
bumped version (tag: gnutls_3_3_9)
Nikos Mavrogiannopoulos [Mon, 13 Oct 2014 04:18:35 +0000 (06:18 +0200)], 2 years ago

doc update
Nikos Mavrogiannopoulos [Mon, 13 Oct 2014 04:18:03 +0000 (06:18 +0200)], 2 years ago

updated to libopts 5.18.4
Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 21:04:04 +0000 (23:04 +0200)], 2 years ago

place all rusage variables into HAVE_GETRUSAGE block
Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 17:42:56 +0000 (19:42 +0200)], 2 years ago

doc update
Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 12:46:45 +0000 (14:46 +0200)], 2 years ago

rnd: if RUSAGE_THREAD fails try RUSAGE_SELF
Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 12:34:02 +0000 (14:34 +0200)], 2 years ago

tests: pkcs11-combo: use unique db file
Nikos Mavrogiannopoulos [Fri, 10 Oct 2014 07:29:58 +0000 (09:29 +0200)], 2 years ago

doc update
Nikos Mavrogiannopoulos [Fri, 10 Oct 2014 07:27:54 +0000 (09:27 +0200)], 2 years ago

use wait and retransmit when receiving session tickets
Nikos Mavrogiannopoulos [Thu, 2 Oct 2014 12:55:01 +0000 (14:55 +0200)], 2 years ago

tests: added -r option to dtls-stress
Nikos Mavrogiannopoulos [Thu, 2 Oct 2014 12:10:16 +0000 (14:10 +0200)], 2 years ago

That allows it to replay messages in a kind of arbitrary way.

forbid heartbeat messages during a handshake
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 10:04:32 +0000 (12:04 +0200)], 2 years ago

added internal variable to track handshake status
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 16:15:01 +0000 (18:15 +0200)], 2 years ago

Conflicts:
lib/gnutls_handshake.c

more files to ignore
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 12:19:10 +0000 (14:19 +0200)], 2 years ago

tests: updated time in pkcs11-is-known
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 12:09:01 +0000 (14:09 +0200)], 2 years ago

pkcs11: handle errors from override_cert_exts as fatal
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 11:16:32 +0000 (13:16 +0200)], 2 years ago

tests: allow running specific chainverify tests on fixed dates
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 10:34:46 +0000 (12:34 +0200)], 2 years ago

Conflicts:
tests/chainverify.c
tests/suite/pkcs11-chainverify.c
tests/test-chains.h

_gnutls_check_valid_key_id: corrected activation/expiration check
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 10:28:34 +0000 (12:28 +0200)], 2 years ago

pkcs11: simplified and optimized loop
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 10:09:52 +0000 (12:09 +0200)], 2 years ago

mention nettle as the recommended crypto backend
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 09:35:10 +0000 (11:35 +0200)], 2 years ago

tests: Added check to ensure that trust list combination with extra certificates works
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 09:10:15 +0000 (11:10 +0200)], 2 years ago

doc update
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 08:52:43 +0000 (10:52 +0200)], 2 years ago

when both a trust module and additional CAs are present account the latter as well
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 08:41:57 +0000 (10:41 +0200)], 2 years ago

That solves an issue in openconnect which used the system trust module,
plus additional certificates.

Conflicts:
lib/x509/verify-high.c

simplify the handling of trust_list_get_issuer() when GNUTLS_TL_GET_COPY is not given
Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 08:13:48 +0000 (10:13 +0200)], 2 years ago

corrected assignment
Nikos Mavrogiannopoulos [Wed, 8 Oct 2014 09:47:49 +0000 (11:47 +0200)], 2 years ago

corrected the name of exported function
Nikos Mavrogiannopoulos [Wed, 8 Oct 2014 08:21:43 +0000 (10:21 +0200)], 2 years ago

doc update
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 14:52:33 +0000 (16:52 +0200)], 2 years ago

tests: corrected test for v1 cert signing (removed bogus authorityIdentifier)
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 14:50:05 +0000 (16:50 +0200)], 2 years ago

certtool: only set the authority key identifier, if there is a corresponding subject key identifier
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 14:44:26 +0000 (16:44 +0200)], 2 years ago

pkcs11: do not shortcut checks when GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY is specified
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 14:28:19 +0000 (16:28 +0200)], 2 years ago

pkcs11: always check for a valid subjectKeyIdentifier match
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 14:20:18 +0000 (16:20 +0200)], 2 years ago

That way, expired certificates can co-exist with their replacements.

Return an error if multiple PKCS11 URLs are added to a trust list
Armin Burgmeier [Mon, 6 Oct 2014 21:22:28 +0000 (17:22 -0400)], 2 years ago

Before, the new URL would overwrite the old URL, and the memory of the old URL
would be leaked. It is documented that only one URL can be used, so it should
be safe to reject any attempt to add another one.

Signed-off-by: Armin Burgmeier <armin@arbur.net>

pkcs11: when no CKA_ID can be relied on fallback on checking the SubjectKeyIdentifier
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 13:14:34 +0000 (15:14 +0200)], 2 years ago

Patch by David Woodhouse.

report the FIPS140-2 mode
Nikos Mavrogiannopoulos [Thu, 2 Oct 2014 07:25:58 +0000 (09:25 +0200)], 2 years ago

added FIPS140-2 ECDH verification functions
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 11:40:50 +0000 (13:40 +0200)], 2 years ago

added FIPS140-2 DH verification functions
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 08:02:56 +0000 (10:02 +0200)], 2 years ago

tests: corrected check with gnutls_x509_trust_list_get_issuer
Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 22:12:37 +0000 (00:12 +0200)], 2 years ago

corrected remove_pkcs11_url()
Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 21:22:45 +0000 (23:22 +0200)], 2 years ago

tests: check gnutls_pkcs11_crt_is_known() when multiple same DNs are present
Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 21:18:08 +0000 (23:18 +0200)], 2 years ago

pkcs11: when checking for presence do not give up on the first mismatch
Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 21:17:29 +0000 (23:17 +0200)], 2 years ago

address memory leak in gnutls_pkcs11_crt_is_known()
Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 17:50:39 +0000 (19:50 +0200)], 2 years ago

doc update: clarifications in gnutls_x509_trust_list_add_trust_file
Nikos Mavrogiannopoulos [Sun, 5 Oct 2014 08:09:22 +0000 (10:09 +0200)], 2 years ago

corrected compilation for non-pkcs11; reported by David Woodhouse.
Nikos Mavrogiannopoulos [Thu, 2 Oct 2014 14:24:41 +0000 (16:24 +0200)], 2 years ago

corrected typo
Nikos Mavrogiannopoulos [Mon, 29 Sep 2014 08:37:12 +0000 (10:37 +0200)], 2 years ago

doc update
Nikos Mavrogiannopoulos [Wed, 1 Oct 2014 18:43:55 +0000 (20:43 +0200)], 2 years ago

tests: added check for GNUTLS_TL_GET_COPY
Nikos Mavrogiannopoulos [Wed, 1 Oct 2014 18:29:49 +0000 (20:29 +0200)], 2 years ago

Added GNUTLS_TL_GET_COPY flag and documented the limitations of gnutls_x509_trust_list_get_issuer()
Nikos Mavrogiannopoulos [Wed, 1 Oct 2014 18:27:51 +0000 (20:27 +0200)], 2 years ago

opencdk: changed filter_fnct_t to match the actual function prototypes
Nikos Mavrogiannopoulos [Tue, 30 Sep 2014 19:15:11 +0000 (21:15 +0200)], 2 years ago

doc update
Nikos Mavrogiannopoulos [Tue, 30 Sep 2014 18:56:20 +0000 (20:56 +0200)], 2 years ago

do not allow GNUTLS_E_LARGE_PACKET to be returned from non-DTLS sessions
Nikos Mavrogiannopoulos [Fri, 26 Sep 2014 07:01:15 +0000 (09:01 +0200)], 2 years ago

gnutls_x509_trust_list_add_system_trust() will not allow duplicate entries
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 17:37:48 +0000 (19:37 +0200)], 2 years ago

use _DIRENT_HAVE_D_TYPE to detect d->d_type
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 16:54:57 +0000 (18:54 +0200)], 2 years ago

corrected type
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 16:50:35 +0000 (18:50 +0200)], 2 years ago

protect DTLS clients that don't handle GNUTLS_E_LARGE_PACKET from an infinite loop on handshake
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 10:00:39 +0000 (12:00 +0200)], 2 years ago

removed unused error values
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 09:52:52 +0000 (11:52 +0200)], 2 years ago

restrict the number of non-fatal errors gnutls_handshake() can return
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 09:49:52 +0000 (11:49 +0200)], 2 years ago

optimized gnutls_error_is_fatal() by splitting the errors to two tables
Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 07:55:53 +0000 (09:55 +0200)], 2 years ago

guile: Restore cross-reference in 'set-session-priorities!' docstring.
Ludovic Courtès [Mon, 22 Sep 2014 14:20:07 +0000 (16:20 +0200)], 2 years ago

This had been destroyed in 32d90395.

guile: Add bindings for 'gnutls_server_name_set'.
Ludovic Courtès [Mon, 22 Sep 2014 14:10:36 +0000 (16:10 +0200)], 2 years ago

This adds the 'set-session-server-name!' procedure and the
'server-name-type' enum type.

Memory leak fix on certificate copy failure
Armin Burgmeier [Thu, 18 Sep 2014 15:22:50 +0000 (11:22 -0400)], 3 years ago

Signed-off-by: Armin Burgmeier <armin@arbur.net>

Fix a documentation typo
Armin Burgmeier [Wed, 17 Sep 2014 16:31:19 +0000 (12:31 -0400)], 3 years ago

Signed-off-by: Armin Burgmeier <armin@arbur.net>

regenerated files.mk
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 14:24:57 +0000 (16:24 +0200)], 3 years ago

doc update
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 09:32:37 +0000 (11:32 +0200)], 3 years ago

libdane: do not require the CA to be a direct CA
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 09:31:51 +0000 (11:31 +0200)], 3 years ago

doc update
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 08:53:32 +0000 (10:53 +0200)], 3 years ago

tests: enhanced test suite to pass more of the PKCS #11 API under valgrind
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 08:40:44 +0000 (10:40 +0200)], 3 years ago

gnutls-serv: added the --provider option
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 08:40:14 +0000 (10:40 +0200)], 3 years ago

tools: corrected pin entry
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 08:03:05 +0000 (10:03 +0200)], 3 years ago

cleaned up memory deallocation in read_cert_url()
Nikos Mavrogiannopoulos [Fri, 19 Sep 2014 07:43:22 +0000 (09:43 +0200)], 3 years ago

That caused unexpected results when loading PKCS #11 URLs.
Reported by Joseph Peruski.

updated certtool.cfg
Nikos Mavrogiannopoulos [Thu, 18 Sep 2014 19:09:11 +0000 (21:09 +0200)], 3 years ago

updated auto-generated files (tag: gnutls_3_3_8)
Nikos Mavrogiannopoulos [Thu, 18 Sep 2014 11:52:31 +0000 (13:52 +0200)], 3 years ago

tests: added checks with modified certificate
Nikos Mavrogiannopoulos [Mon, 15 Sep 2014 14:09:29 +0000 (16:09 +0200)], 3 years ago

This tests whether a modification of a DER certificate, that is cancelled
out while we parse it, would result in a good signature.

doc update
Nikos Mavrogiannopoulos [Thu, 18 Sep 2014 05:59:14 +0000 (07:59 +0200)], 3 years ago

depend on p11-kit 0.20.7
Nikos Mavrogiannopoulos [Thu, 18 Sep 2014 08:37:32 +0000 (10:37 +0200)], 3 years ago

depend on p11-kit 0.20.6
Nikos Mavrogiannopoulos [Wed, 17 Sep 2014 14:54:05 +0000 (16:54 +0200)], 3 years ago

require libtasn1 3.9 or later
Nikos Mavrogiannopoulos [Thu, 4 Sep 2014 18:56:02 +0000 (20:56 +0200)], 3 years ago

That is because of the ocsp fix.

removed unused variable
Nikos Mavrogiannopoulos [Wed, 17 Sep 2014 07:13:44 +0000 (09:13 +0200)], 3 years ago

added sanity check on cleanup
Nikos Mavrogiannopoulos [Wed, 17 Sep 2014 07:23:07 +0000 (09:23 +0200)], 3 years ago

certtool: corrected typo in printing error
Nikos Mavrogiannopoulos [Wed, 17 Sep 2014 07:11:48 +0000 (09:11 +0200)], 3 years ago

pkcs11: correctly reallocate the read buffer
Nikos Mavrogiannopoulos [Wed, 17 Sep 2014 07:03:11 +0000 (09:03 +0200)], 3 years ago

Report and patch by David Woodhouse.

updated documentation on PKCS #11 trust module verification
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 13:38:19 +0000 (15:38 +0200)], 3 years ago

unified the key purpose checks functions
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 09:08:37 +0000 (11:08 +0200)], 3 years ago

check for CAs with the same key in gnutls_x509_trust_list_add_cas
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 08:49:19 +0000 (10:49 +0200)], 3 years ago

That way when GNUTLS_TL_NO_DUPLICATE_KEY is specified the added CA will
overwrite any previous one with the same name and key.

hostname and key purpose checks were moved above CRL checks
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 08:58:06 +0000 (10:58 +0200)], 3 years ago

doc update
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 08:40:37 +0000 (10:40 +0200)], 3 years ago

bumped library version
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 08:32:37 +0000 (10:32 +0200)], 3 years ago

corrected gnutls_x509_crl_get_raw_issuer_dn()
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 08:30:05 +0000 (10:30 +0200)], 3 years ago

only deallocate data when allocation succeeds
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 08:24:37 +0000 (10:24 +0200)], 3 years ago

doc update
Nikos Mavrogiannopoulos [Tue, 16 Sep 2014 08:08:19 +0000 (10:08 +0200)], 3 years ago

updated libtasn1
Nikos Mavrogiannopoulos [Mon, 15 Sep 2014 14:06:16 +0000 (16:06 +0200)], 3 years ago

documented the environment variables
Nikos Mavrogiannopoulos [Mon, 15 Sep 2014 12:49:45 +0000 (14:49 +0200)], 3 years ago

Backported x509_raw_crt_to_raw_pubkey and x509_crt_to_raw_pubkey
Nikos Mavrogiannopoulos [Mon, 15 Sep 2014 12:24:03 +0000 (14:24 +0200)], 3 years ago

doc update
Nikos Mavrogiannopoulos [Fri, 12 Sep 2014 14:42:06 +0000 (16:42 +0200)], 3 years ago

p11tool: print Attached Extensions, instead of extensions
Nikos Mavrogiannopoulos [Fri, 12 Sep 2014 14:22:57 +0000 (16:22 +0200)], 3 years ago

when adding a duplicate certificate, keep the last entry
Nikos Mavrogiannopoulos [Fri, 12 Sep 2014 14:22:43 +0000 (16:22 +0200)], 3 years ago

pkcs11-get-issuer: do not hardcode the chain number, use its name
Nikos Mavrogiannopoulos [Fri, 12 Sep 2014 09:31:28 +0000 (11:31 +0200)], 3 years ago

fixes in the extension handling
Nikos Mavrogiannopoulos [Thu, 11 Sep 2014 16:09:50 +0000 (18:09 +0200)], 3 years ago

p11tool: will print trust module extensions if present
Nikos Mavrogiannopoulos [Thu, 11 Sep 2014 16:07:46 +0000 (18:07 +0200)], 3 years ago

check the key purpose of the CA certificate when in pkcs11 cert validation
Nikos Mavrogiannopoulos [Wed, 10 Sep 2014 14:55:05 +0000 (16:55 +0200)], 3 years ago

allow retrieving extensions in a trust module using GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT
Nikos Mavrogiannopoulos [Wed, 10 Sep 2014 14:02:12 +0000 (16:02 +0200)], 3 years ago

Conflicts:
lib/pkcs11.c

export x509_crt_to_raw_pubkey() in x509/common.h and prefixed s/get_extension with _gnutls
Nikos Mavrogiannopoulos [Wed, 10 Sep 2014 13:29:59 +0000 (15:29 +0200)], 3 years ago