summaryrefslogtreecommitdiff
path: root/lib/includes/gnutls/gnutls.h.in
Commit message (Collapse)AuthorAgeFilesLines
* gnutls.h: giovec_t is a typedef to iovec where that is availableNikos Mavrogiannopoulos2016-07-261-4/+1
|
* introduced: GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKENikos Mavrogiannopoulos2016-07-221-0/+1
| | | | | | | | | This error code is returned when the session resumption parameters are requested during a handshake. That is, to increase the clarity when requesting these parameters while false start is active and the handshake is not complete even if gnutls_handshake() has returned. Relates #114
* x509: Fix DNS name constraints checkingMartin Ukrop2016-07-211-0/+1
| | | | | | | - If the intersection of name constraints of the given type was empty, the results allowed all names instead of none. - Fixed by adding an universal excluded name constraint in case the intersection for the particular type is empty. - Moved the logic of creating a name constraint node copy from _gnutls_name_constraints_intersect to name_constraints_intersect_nodes (previously name_constraints_match), as intersecting IP addresses will require further processing (not just taking one of the compared nodes as was the implementation till now). - GNUTLS_SAN_MAX added in order to comfortably iterate over SAN type enum.
* gnutls.h: define elements of gnutls_init_flags_tNikos Mavrogiannopoulos2016-07-201-0/+8
| | | | | That is, define all the elements that were available prior the move from #define to enum, to allow code relying on
* gnutls.h: documented the version various gnutls_init flags were introducedNikos Mavrogiannopoulos2016-07-201-3/+3
|
* ocsp: Introduced GNUTLS_CERT_INVALID_OCSP_STATUSNikos Mavrogiannopoulos2016-06-011-1/+3
| | | | | | This verification status flag indicates an OCSP status response being stapled but it being invalid for some reason (e.g., unable to parse or doesn't contain the expected certificate).
* gnutls_url_is_supported: type changed to unsignedNikos Mavrogiannopoulos2016-05-311-1/+1
| | | | In addition function documentation was updated.
* Account the TLSFeature certificate extension in certificate verificationTim Kosse2016-05-301-1/+3
| | | | | | That is, account for the OCSP-Must staple extension. If we have sent an OCSP status request and have not gotten anything, but the certificate has the Status Request TLSFeature extension present, fail to verify the certificate.
* exported function to convert TLS extension numbers to stringsNikos Mavrogiannopoulos2016-05-301-0/+2
| | | | The exported function is gnutls_ext_get_name()
* Add support for sending unrecognized name alertsHubert Kario2016-05-061-0/+2
| | | | | | To better test support for server_name extension in TLS, it's necessary to be able to differentiate between name being rejected because it is unknown to the server and it being malformed.
* handshake: enhance same certificate checks to apply to PSK/SRP usernameNikos Mavrogiannopoulos2016-04-291-3/+3
| | | | | | That is, unless GNUTLS_ALLOW_ID_CHANGE is specified, during a rehandshake clients will not be allowed to present another certificate than the original, or change their username for PSK or SRP ciphersuites.
* added flag in session to force sending a client certificateNikos Mavrogiannopoulos2016-04-281-3/+5
| | | | | | | | | This handles the use case of a client connecting to a server which incorrectly lists the CA certificates it supports. Without that change the only option was to avoid using the "automatic" client certificate functions, but rather utilize callbacks. With that approach this use case is handled by the "automatic" certificate selection functions.
* handshake: added support for ECDH with curve X25519Nikos Mavrogiannopoulos2016-04-241-4/+12
| | | | This follows draft-ietf-tls-rfc4492bis-07 and rfc7748
* Updated false start support to be transparent to applications.Nikos Mavrogiannopoulos2016-04-151-5/+4
| | | | | | | That is, an additional flag GNUTLS_ENABLE_FALSE_START is introduced for gnutls_init(), and that enables support for false start. At this point false start will be performed by the handshake if possible, and gnutls_record_recv() will handle handshake completion.
* gnutls_init(): refer to gnutls_init_flags_t for the documentation of ↵Nikos Mavrogiannopoulos2016-04-021-21/+27
| | | | available flags
* Introduced GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRINGNikos Mavrogiannopoulos2016-03-161-0/+1
| | | | | This error code is returned when an embedded NULL is detected in a string.
* gnutls.h: Fixes to prevent undefined behavior (found with libubsan)Nikos Mavrogiannopoulos2016-02-291-1/+1
|
* Added gnutls_handshake_set_false_start_function()Nikos Mavrogiannopoulos2016-02-271-4/+12
| | | | | This function allows to use TLS False-start, by using the provided function to send data just after finished message.
* Added gnutls_session_get_master_secretNikos Mavrogiannopoulos2016-02-241-0/+4
| | | | | | | This provides the ability to export all session parameters in various formats. Resolves #64
* Added gnutls_session_get_flags()Nikos Mavrogiannopoulos2016-02-221-1/+20
| | | | | | This function would allow to simplify handling of future flags which we may want to indicate, and would not require API additions for new flags.
* bumped the version of max algorithm num to account for new signing algorithmsNikos Mavrogiannopoulos2016-02-181-1/+1
|
* Added NIST's OIDs for SHA3 signature algorithmsNikos Mavrogiannopoulos2016-02-151-2/+27
| | | | This allows to generate certificates signed with SHA3.
* Added gnutls_dh_params_import_dsa() which allows to import DSA parameters ↵Nikos Mavrogiannopoulos2016-02-111-0/+1
| | | | | | into DH ones This simplifies importing DSA private keys into DH parameters.
* ALPN: added the GNUTLS_ALPN_SERVER_PRECEDENCE flagNikos Mavrogiannopoulos2016-02-101-1/+16
| | | | | | | This allows the server to set precedence on the protocols it supports, rather than following the client's order. Resolves #71
* x509: introduced GNUTLS_SAN_OTHERNAME_KRB5PRINCIPALNikos Mavrogiannopoulos2016-01-121-3/+4
| | | | | That allows to print and write KRB5PrincipalName othernames in subject alternative name.
* updated documentation on supported algorithms [ci skip]Nikos Mavrogiannopoulos2015-12-221-11/+11
|
* Do not allow certificate change during a rehandshakeNikos Mavrogiannopoulos2015-12-081-0/+3
| | | | | | That is require that the certificate of the peer remains the same and return GNUTLS_E_SESSION_CERTIFICATE_CHANGED otherwise. To revert to the previous behavior the GNUTLS_ALLOW_CERT_CHANGE flag was introduced.
* When decoding extensions do not ignore decoding errorsNikos Mavrogiannopoulos2015-11-291-0/+1
| | | | | | That is, move from a parsing error tolerance to a more strict decoding approach. Relates #40
* gnutls_global_init_skip: prefixed with an underscoreNikos Mavrogiannopoulos2015-11-211-2/+2
|
* Added gnutls_certificate_flags() and GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCHNikos Mavrogiannopoulos2015-11-181-0/+13
| | | | | That allows a user of the credentials to disable the certificate matching action. That is, to disable the calls to sign and verify on initialization.
* Added GNUTLS_SKIP_GLOBAL_INIT macro to allow programs skip implicit global ↵Nikos Mavrogiannopoulos2015-11-161-0/+6
| | | | initialization
* Introduced the security parameter future (256) and switched ultra to 192 bitsNikos Mavrogiannopoulos2015-10-121-1/+3
| | | | | For ultra, this was its documented strength, and now follows RFC3766 recommendations for sizes.
* Introduced GNUTLS_INDEFINITE_TIMEOUTNikos Mavrogiannopoulos2015-10-121-0/+1
| | | | | | | This allows to specify an indefinite timeout to gnutls_record_set_timeout(). In addition this flag is accepted by gnutls_handshake_set_timeout() and cancels out a previously set timeout. Resolves #41
* updated documentation on gnutls_vdata_types_t based on DKG's suggestionsNikos Mavrogiannopoulos2015-09-171-4/+11
|
* Added API to verify private keys generated with seedNikos Mavrogiannopoulos2015-09-131-0/+1
|
* renamed the auto-verification functionsNikos Mavrogiannopoulos2015-09-051-2/+2
| | | | The names are more consistent with the rest of the library.
* Introduced GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR to be returned by the ↵Nikos Mavrogiannopoulos2015-08-271-0/+1
| | | | auto-verification functions
* Added support for the SHA3 digest algorithmNikos Mavrogiannopoulos2015-08-261-1/+13
|
* Added simpler verification functions for clientsNikos Mavrogiannopoulos2015-08-241-22/+32
| | | | | | | | | | | | The major use-case for the TLS protocol is verification of PKIX certificates. However, certificate verification support while is similar for almost all projects it requires around 100 lines of code (a callback) to be duplicated to all applications. That patch set gets rid of the callback and simplifies certificate verification support, by introducing a very simple API; one that would accept the session and the hostname only. Resolves #27
* Added gnutls_session_set_verify_functionNikos Mavrogiannopoulos2015-08-241-1/+3
| | | | | That allows to set a verification callback per session rather than only globally on the credentials structure.
* gnutls.h: added macro gnutls_check_version_numericNikos Mavrogiannopoulos2015-08-071-0/+10
| | | | | | | This simplifies version checking, and allows the compiler to optimize out. It can only accept numerals. Patch by David Woodhouse.
* use pure and const gcc attributes in headersNikos Mavrogiannopoulos2015-08-071-70/+118
|
* corrected GNUTLS_E_INAPPROPRIATE_FALLBACK error codeNikos Mavrogiannopoulos2015-08-011-1/+1
|
* handshake: check for TLS_FALLBACK_SCSVAlessandro Ghedini2015-08-011-0/+3
| | | | | | | | If TLS_FALLBACK_SCSV was sent by the client during the handshake, and the advertised protocol version is lower than GNUTLS_TLS_VERSION_MAX, send the "Inappropriate fallback" fatal alert and abort the handshake. This mechanism was defined in RFC7507.
* Introduced gnutls_hex_encode2() and gnutls_hex_decode2()Nikos Mavrogiannopoulos2015-07-211-0/+3
| | | | | These also use safer hex decoding functions which don't skip invalid input.
* gnutls_prf_rfc5705: addedNikos Mavrogiannopoulos2015-07-201-0/+4
| | | | | That includes support for RFC5705 when the context field is used. Initial patch by Rick van Rein.
* TPM: don't link to trousers, use dlopen()Nikos Mavrogiannopoulos2015-07-131-0/+1
| | | | | | | That introduces --with-trousers-lib which can be used to specify the library to dlopen(). Resolves #18
* Exported functions to convert from and to OIDsNikos Mavrogiannopoulos2015-06-181-0/+15
|
* use the same flags in all verification functionsNikos Mavrogiannopoulos2015-06-021-0/+1
|
* Allow the usage of MSG_NOSIGNAL in send functionsNikos Mavrogiannopoulos2015-05-171-0/+2
| | | | | | | | That introduces the GNUTLS_NO_SIGNAL flag for gnutls_init(), which is available in systems that support the MSG_NOSIGNAL flag to send(). That eases the usage of the library within other libraries. Resolves #11
View Lorry Controller Status