Commit message | Author | Age | Files | Lines
The getrandom() call is defined in sys/random.h.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This cipher is considered broken and no longer included in
the default set of ciphers.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That is, a server which utilizes both RSA and ECDSA keys.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That is, to avoid listing that option in p11tool --help, as it is
only useful for debugging very low level interfaces with PKCS#11
parameter passing.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Instead of adding more and more variants like x509dsakeyfile or
x509ecckeyfile (counting eddsa and gost in future), allow user to
specify x509certfile/x509keyfile multiple times. Keep the old
options as compatibility options.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Change order of CFLAGS so that local headers always come before ones in
$(NETTLE_CFLAGS).
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signing with one certificate, but including the other certificates
inside the PKCS#7 structure.
Signed-off-by: Karl Tarbe <karl.tarbe@cyber.ee>
Signed-off-by: Karl Tarbe <karl.tarbe@cyber.ee>
Reported by Andreas Metzler.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This flag was introduced in order to reduce the number of duplicate
stapled extensions returned by p11-kit. Unfortunately that fix was bogus
and in fact it resulted in p11-kit not returning any stapled extensions.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This verifies whether an Example Root CA can be read together
with its stapled extensions.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This option allows passing parameters to the PKCS#11 module
loading process, i.e., passed to gnutls_pkcs11_add_provider().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
When the @params argument of gnutls_pkcs11_add_provider() starts with
'p11-kit:' the specified provider is loaded as an unmanaged module
and the rest of the parameters are passed opaquely to the module. This
allows loading, for example, the p11-kit trust module with a custom path
for the trust database.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
These cope with alternative chain discovery in the case of an insecure
algorithm found in the chain.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
as unknown
The reason is that many servers utilize a legacy chain to improve compatibility
with old clients and that chain often contains an insecure algorithm. In that case
try to construct alternative paths. To maintain compatibility with previous
versions, we ensure that the same error code (verification status) is returned
in these cases as before by sending the cached error if the alternative path fails
too.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This simplifies the update of files generated by autogen.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This allows overriding the value set on the TLS server name indication
extension.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
In rsa-psk we properly request the username for the case where the
application uses a callback, but later we use the username
cached in the credentials structure. This will lead to empty
username issues.
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
This check verifies whether gnutls_psk_client_credentials_function
is operational, and the parameters sent are taken into account
by the server.
Relates !364
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
In addition, modernize the used APIs and add an explicit check
on the username value received by the server.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This ensures that generated certificates and requests will
include that key purpose when the option is present.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This option was introduced in documentation for certtool without
an implementation of it. It is a shortcut for option
key_purpose_oid = 1.3.6.1.5.5.7.3.4
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Closes https://gitlab.com/gnutls/gnutls/issues/200
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Currently we support both IDNA2003 and IDNA2008. However, IDNA2003
has already been obsoleted by registrars and NICs, thus there is no reason
to continue supporting it. We switch to IDNA2008 exclusively using libidn2.
Resolves #194
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This corresponds to libtasn1 ASN1_TIME_ENCODING_ERROR and
indicates an error in the DER or BER encoding of a time field.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This avoids having the variables being deinitialized twice during
cleanup.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That verifies that the hostname check verification function will
not succeed if given textual IPs, and the certificate contains
textual IPs in DNSname or in the CN fields.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Previously we were checking textual IP address matching against
the DNS fields. This match was non-standard and was intended to
work around a few broken servers. However, that also led to not
evaluating any IP constraints for that IP. No longer follow that
broken behavior.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This aligns with the behavior of firefox, which maps to IDNA2008, and
falls back to IDNA2003 if that fails (e.g., mapping doesn't exist).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>