| Commit message | Author | Age | Files | Lines |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This test was failing because datefudge couldn't run under win32.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This reverts commit 90d5ad5a42759957866ba1d9c96f5dccfd3ea1cc.
Travis build seems to fail for some reason since pkg-config is already
installed.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This test was failing because datefudge couldn't run under win32.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This allows re-running failed builds on the dependent stages
during that time.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
It was already being included in Requires.private. Reported
by Andreas Metzler.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
We were previously exporting certificates with a serial number of
zero, which is not allowed by RFC5280.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
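The RFC 5280 rule behind that commit, as an added example that is not part of the GnuTLS code base: a DER INTEGER encoder for serial numbers that refuses zero (and values that would exceed the 20-octet limit once encoded), plus the matching validator a verifier can run on the serial it parsed from a certificate. The function names, the constructed sample inputs and the stand-alone main() are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 5280, section 4.1.2.2: serialNumber is a positive INTEGER of at most
 * 20 octets. Zero is not positive, so a zero serial is not allowed. */
#define SERIAL_MAX_OCTETS 20

/*
 * Encode a big-endian unsigned magnitude (for instance bytes taken from the
 * CA's RNG) as a DER INTEGER TLV suitable for the serialNumber field.
 * Returns the number of bytes written, or 0 when the value is not an
 * acceptable serial (zero, or more than 20 content octets after encoding).
 */
size_t der_encode_serial(const unsigned char *mag, size_t mag_len,
                         unsigned char *out, size_t out_cap)
{
    size_t lead = 0, content_len, pos = 0;
    int pad;

    /* DER wants the shortest encoding: strip redundant leading zero octets. */
    while (lead < mag_len && mag[lead] == 0)
        lead++;
    if (lead == mag_len)
        return 0;               /* all zero: serial number 0 is forbidden */

    /* A 0x00 pad keeps the INTEGER positive when the top bit is set. */
    pad = (mag[lead] & 0x80) ? 1 : 0;
    content_len = (mag_len - lead) + (size_t)pad;
    if (content_len > SERIAL_MAX_OCTETS)
        return 0;
    if (out_cap < 2 + content_len)
        return 0;

    out[pos++] = 0x02;                          /* INTEGER tag */
    out[pos++] = (unsigned char)content_len;    /* short-form length, 20 < 128 */
    if (pad)
        out[pos++] = 0x00;
    memcpy(out + pos, mag + lead, mag_len - lead);
    pos += mag_len - lead;
    return pos;
}

/*
 * Validate a DER INTEGER TLV taken from a certificate against the same rules.
 * Returns 1 when the serial is acceptable and 0 otherwise (bad tag or length,
 * negative value, non-minimal encoding, too long, or zero).
 */
int serial_der_is_valid(const unsigned char *der, size_t der_len)
{
    const unsigned char *c;
    size_t len, i;

    if (der_len < 3 || der[0] != 0x02)
        return 0;
    len = der[1];
    if (len == 0 || len >= 0x80 || der_len != 2 + len)
        return 0;               /* long-form length never needed for <= 20 octets */
    if (len > SERIAL_MAX_OCTETS)
        return 0;
    c = der + 2;
    if (c[0] & 0x80)
        return 0;               /* negative INTEGER */
    if (len > 1 && c[0] == 0x00 && !(c[1] & 0x80))
        return 0;               /* redundant leading zero: not DER */
    for (i = 0; i < len; i++)
        if (c[i] != 0)
            return 1;
    return 0;                   /* value is zero */
}

/* Stand-alone demonstration with constructed inputs. */
int main(void)
{
    static const unsigned char zero[4] = { 0, 0, 0, 0 };
    static const unsigned char topbit[4] = { 0xa3, 0x11, 0x22, 0x33 };
    unsigned char der[32];
    size_t n;

    printf("zero serial encodes to %zu bytes (0 means rejected)\n",
           der_encode_serial(zero, sizeof zero, der, sizeof der));
    n = der_encode_serial(topbit, sizeof topbit, der, sizeof der);
    printf("top-bit serial: %zu bytes, valid=%d\n", n, serial_der_is_valid(der, n));
    return 0;
}
```

A CA that draws serials from a CSPRNG should keep the top bit of a 20-byte value clear (or use fewer bytes), because the 0x00 pad would otherwise push the content to 21 octets and the encoder above rejects it; 64 bits of entropy or more is the usual minimum for unpredictable serials.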
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This is a unit test for GNUTLS_DT_IP_ADDRESS as used in
gnutls_certificate_verify_peers().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This allows verifying an IP address using gnutls_certificate_verify_peers()
or gnutls_x509_trust_list_verify_crt2().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This is a unit test for:
"gnutls_x509_crt_check_hostname2: do not fallback to CN unconditionally"
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Do not fall back to checking the CN of a certificate for a hostname
if supported names such as IP addresses were found in gnutls_x509_crt_check_hostname2().
This behavioral change is in order to satisfy the RFC6125 requirement
of not falling back to CN in that case. Reported by Suphannee Sivakorn.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This flag, when provided to the gnutls_x509_crt_check_hostname2() function
(and its callers), will prevent IP matching of the subject alternative
name. This can be utilized by applications which directly check for
IP addresses using gnutls_x509_crt_check_ip().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This function allows directly verifying IP addresses on a certificate.
That is a first step towards making gnutls_x509_crt_check_hostname2()
not verify IP addresses.
Based on discussion and suggestion by Suphannee Sivakorn. See
https://lists.gnupg.org/pipermail/gnutls-devel/2017-March/008368.html
Relates #185
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
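A self-contained model of the name-matching policy that this commit and the IP-address commits above describe: a direct IP check that looks only at iPAddress SANs, a flag that keeps the hostname check from matching IP addresses, and the RFC 6125 rule of not falling back to the CN once a supported SAN is present. This is an added example, not GnuTLS code: the struct types, the flag name FLAG_DO_NOT_ALLOW_IP_MATCHES, the model_* functions, the one-label wildcard rule, the treatment of an iPAddress SAN as a supported name even when IP matching is disabled, and the sample certificates are all this example's assumptions.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Model of a certificate's name material (this example's own types). */
enum san_type { SAN_DNS, SAN_IP };
struct san { enum san_type type; const char *value; }; /* IP SANs kept textual */
struct cert_names {
    const char *cn;           /* subject CN, or NULL when absent */
    const struct san *sans;   /* subjectAltName entries */
    size_t n_sans;
};

/* Hypothetical flag, patterned on the commit's "prevent IP matching" flag. */
#define FLAG_DO_NOT_ALLOW_IP_MATCHES (1u << 0)

/* Parse a textual IPv4/IPv6 address; returns 4, 16, or 0 if not an IP. */
static size_t parse_ip(const char *s, unsigned char out[16])
{
    if (inet_pton(AF_INET, s, out) == 1)
        return 4;
    if (inet_pton(AF_INET6, s, out) == 1)
        return 16;
    return 0;
}

/* Direct IP check: compare a binary address with the iPAddress SANs and
 * nothing else. Returns 1 on match, 0 otherwise. */
int model_check_ip(const struct cert_names *c, const unsigned char *ip, size_t ip_len)
{
    unsigned char san_ip[16];
    size_t i;

    if (ip_len != 4 && ip_len != 16)
        return 0;
    for (i = 0; i < c->n_sans; i++) {
        if (c->sans[i].type == SAN_IP &&
            parse_ip(c->sans[i].value, san_ip) == ip_len &&
            memcmp(san_ip, ip, ip_len) == 0)
            return 1;
    }
    return 0;
}

/* dNSName comparison: case-insensitive; a wildcard is accepted only as the
 * entire left-most label and covers exactly one label. */
static int dns_match(const char *pattern, const char *host)
{
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        return strcasecmp(pattern + 2, dot + 1) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Hostname check with the RFC 6125 rule from the commits: the CN is consulted
 * only when the certificate carries no supported SAN at all. Returns 1/0. */
int model_check_hostname(const struct cert_names *c, const char *name, unsigned flags)
{
    unsigned char ip[16];
    size_t ip_len = parse_ip(name, ip);
    int have_supported_san = 0;
    size_t i;

    for (i = 0; i < c->n_sans; i++) {
        const struct san *s = &c->sans[i];
        if (s->type == SAN_DNS) {
            have_supported_san = 1;
            if (ip_len == 0 && dns_match(s->value, name))
                return 1;
        } else if (s->type == SAN_IP) {
            /* Still a supported name when IP matching is switched off, so its
             * presence alone disables the CN fallback (model assumption). */
            have_supported_san = 1;
            if (ip_len != 0 && !(flags & FLAG_DO_NOT_ALLOW_IP_MATCHES) &&
                model_check_ip(c, ip, ip_len))
                return 1;
        }
    }
    if (have_supported_san || c->cn == NULL)
        return 0;                               /* no CN fallback */
    /* Legacy CN-only certificate: the CN holds a DNS name or an IP literal. */
    return ip_len != 0 ? strcmp(c->cn, name) == 0 : dns_match(c->cn, name);
}

/* Constructed sample certificates for the demonstration. */
static const struct san SAMPLE_SANS[] = {
    { SAN_DNS, "www.example.com" },
    { SAN_DNS, "*.internal.example.com" },
    { SAN_IP,  "192.0.2.10" },
};
const struct cert_names SAMPLE_SAN_CERT = { "evil-cn.example.org", SAMPLE_SANS, 3 };
const struct cert_names SAMPLE_CN_ONLY_CERT = { "legacy.example.net", NULL, 0 };

int main(void)
{
    printf("CN while SANs present: %d (expect 0)\n",
           model_check_hostname(&SAMPLE_SAN_CERT, "evil-cn.example.org", 0));
    printf("IP via SAN: %d, with IP matching disabled: %d\n",
           model_check_hostname(&SAMPLE_SAN_CERT, "192.0.2.10", 0),
           model_check_hostname(&SAMPLE_SAN_CERT, "192.0.2.10", FLAG_DO_NOT_ALLOW_IP_MATCHES));
    return 0;
}
```

The security-relevant case is the first printf: a certificate whose SANs do not match the requested name is not rescued by a matching CN, which is exactly the fallback the commit removes. An application that validates IP peers itself passes the flag and calls the direct IP check with the binary address it connected to, so the hostname check cannot silently accept an IP through a SAN the application never looked at.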
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That ensures that loading a certificate pair with SHA1, when
SHA1 is disabled, will not cause the server to fail to load.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That is, ensure that results from all verification functions,
including gnutls_pubkey_verify_data2(), will be consistent with
the deprecation of SHA1 and other algorithms.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That ensures that overrides like using broken algorithms are considered
in OCSP validation.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That is, whether the generated gnutls.pc will function for
compiling and linking.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Used common definitions from cert-common.h for certificates,
and improved error detection in tls-rehandshake-cert-2.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That is, check whether, if on the initial handshake the server requests
a certificate but on the following rehandshake it doesn't, the client
behaves as expected. This tests:
1f685db853db6e48c77c6dbde0cdf716a7303baa
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That addresses a bug where, on the client side, in case of an initial
handshake with a client certificate, we continue to send this
certificate even if on rehandshake one was not requested.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This reverts commit c4842a21f65c7fc9a27932eb1792b1fc9e65f722.
The time() syscall is also implemented as syscall() and is in
fact performing better than gettime().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
The gnulib gettime() maps to gettimeofday() or clock_gettime(),
which are both implemented as fast system calls (see vdso(7))
and as such are available without a switch to kernel mode.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
time(0) is quite cheap on modern operating systems, and thus we
can rely on it to provide improved assurance in the output randomness.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Since ac3de8f5, when all openpgp functionality was deprecated, a
library user including gnutls/abstract.h gets warnings about
deprecated declarations, like this:
gnutls/openpgp.h:328:10: warning: ‘gnutls_openpgp_recv_key_func’ is deprecated [-Wdeprecated-declarations]
gnutls_openpgp_recv_key_func func) _GNUTLS_GCC_ATTR_DEPRECATED;
This warning is emitted since the gnutls_openpgp_set_recv_key_function
prototype uses the deprecated typedef gnutls_openpgp_recv_key_func.
By omitting the deprecation attribute from this individual
typedef, we avoid the spurious warnings in calling code which just
includes gnutls/abstract.h without actually using anything related
to openpgp.
Signed-off-by: Martin Storsjo <martin@martin.st>
enumerations
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
In addition verify whether the GNUTLS_VERIFY_ALLOW_BROKEN flag
works when MD5 is present.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This allows performing a verification with only SHA1 allowed
from the broken algorithms. This can be used to fine-tune
verification in case default verification fails, to detect
whether the failed algorithm was SHA1.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This allows enabling broken signature algorithms in certificate verification.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
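An added example, not GnuTLS code, of the layered policy that this commit, the SHA1-only flag commit and the MD5 test above describe: the default rejects SHA1 and MD5 signatures, one flag tolerates only SHA1, another tolerates every broken algorithm, and a two-step re-check tells the caller whether SHA1 alone was the reason a chain failed. The flag and status names (VFLAG_*, VSTATUS_*), the hash enum and the sample chains are this example's own, not the library's identifiers.

```c
#include <stddef.h>
#include <stdio.h>

/* Hash algorithm of each signature in a chain (model, not gnutls enums). */
enum sig_hash { HASH_MD5, HASH_SHA1, HASH_SHA256 };

/* Hypothetical flags patterned on the commit texts. */
#define VFLAG_ALLOW_BROKEN          (1u << 0)   /* accept every broken algorithm */
#define VFLAG_ALLOW_SIGN_WITH_SHA1  (1u << 1)   /* of the broken ones, accept SHA1 only */

/* Status bits in the style of a verification status bitmask. */
#define VSTATUS_INVALID             (1u << 0)
#define VSTATUS_INSECURE_ALGORITHM  (1u << 1)

static int hash_is_broken(enum sig_hash h)
{
    return h == HASH_MD5 || h == HASH_SHA1;
}

/*
 * Apply the signature-algorithm policy to a chain's signatures (leaf first;
 * the trust anchor's own self-signature is not part of the input because it
 * is never verified). Returns 0 when the chain passes, else status bits.
 */
unsigned verify_sig_algorithms(const enum sig_hash *hashes, size_t n, unsigned flags)
{
    unsigned status = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        if (!hash_is_broken(hashes[i]))
            continue;
        if (flags & VFLAG_ALLOW_BROKEN)
            continue;
        if (hashes[i] == HASH_SHA1 && (flags & VFLAG_ALLOW_SIGN_WITH_SHA1))
            continue;
        status |= VSTATUS_INVALID | VSTATUS_INSECURE_ALGORITHM;
    }
    return status;
}

/*
 * The fine-tuning pattern the commit text describes: after the default policy
 * rejects a chain for an insecure algorithm, re-run it with SHA1 tolerated.
 * Returns 1 when SHA1 was the only reason for the failure (so a SHA1-specific
 * message or transition policy applies), 0 when something worse such as MD5
 * is present or the chain did not fail on algorithms at all.
 */
int failed_only_because_of_sha1(const enum sig_hash *hashes, size_t n)
{
    unsigned status = verify_sig_algorithms(hashes, n, 0);
    if (!(status & VSTATUS_INSECURE_ALGORITHM))
        return 0;
    return verify_sig_algorithms(hashes, n, VFLAG_ALLOW_SIGN_WITH_SHA1) == 0;
}

/* Constructed sample chains: the hash of the signature on each certificate. */
const enum sig_hash CHAIN_MODERN[]   = { HASH_SHA256, HASH_SHA256 };
const enum sig_hash CHAIN_SHA1_INT[] = { HASH_SHA256, HASH_SHA1 };  /* SHA1-signed intermediate */
const enum sig_hash CHAIN_MD5_ROOT[] = { HASH_SHA1, HASH_MD5 };

int main(void)
{
    printf("SHA1 intermediate, default policy: 0x%x\n",
           verify_sig_algorithms(CHAIN_SHA1_INT, 2, 0));
    printf("SHA1 intermediate, SHA1 tolerated: 0x%x\n",
           verify_sig_algorithms(CHAIN_SHA1_INT, 2, VFLAG_ALLOW_SIGN_WITH_SHA1));
    printf("MD5 chain failed only because of SHA1? %d\n",
           failed_only_because_of_sha1(CHAIN_MD5_ROOT, 2));
    return 0;
}
```

The point of the second pass is that the SHA1-only flag is a diagnostic, not a blanket override: a chain that also carries an MD5 signature still fails with it, so an application can distinguish "legacy SHA1, warn and migrate" from "broken beyond SHA1, refuse" without ever enabling the catch-all flag in production.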
This allows distributors to decide not to ban SHA1. This
option may be removed in the future.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>