| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
| |
This error code is returned when the session resumption parameters
are requested during a handshake. That is, to increase the clarity
when requesting these parameters while false start is active and
the handshake is not complete even if gnutls_handshake() has returned.
Relates #114
|
|
|
|
|
|
|
| |
- If the intersection of name constraints of the given type was empty, the results allowed all names instead of none.
- Fixed by adding an universal excluded name constraint in case the intersection for the particular type is empty.
- Moved the logic of creating a name constraint node copy from _gnutls_name_constraints_intersect to name_constraints_intersect_nodes (previously name_constraints_match), as intersecting IP addresses will require further processing (not just taking one of the compared nodes as was the implementation till now).
- GNUTLS_SAN_MAX added in order to comfortably iterate over SAN type enum.
|
|
|
|
|
| |
That is, define all the elements that were available prior
the move from #define to enum, to allow code relying on
|
| |
|
|
|
|
|
|
| |
This verification status flag indicates an OCSP status response
being stapled but it being invalid for some reason (e.g., unable
to parse or doesn't contain the expected certificate).
|
|
|
|
| |
In addition function documentation was updated.
|
|
|
|
|
|
| |
That is, account for the OCSP-Must staple extension. If we have sent an OCSP
status request and have not gotten anything, but the certificate has the
Status Request TLSFeature extension present, fail to verify the certificate.
|
|
|
|
| |
The exported function is gnutls_ext_get_name()
|
|
|
|
|
|
| |
To better test support for server_name extension in TLS, it's
necessary to be able to differentiate between name being rejected
because it is unknown to the server and it being malformed.
|
|
|
|
|
|
| |
That is, unless GNUTLS_ALLOW_ID_CHANGE is specified, during a rehandshake
clients will not be allowed to present another certificate than the original,
or change their username for PSK or SRP ciphersuites.
|
|
|
|
|
|
|
|
|
| |
This handles the use case of a client connecting to a server
which incorrectly lists the CA certificates it supports. Without
that change the only option was to avoid using the "automatic"
client certificate functions, but rather utilize callbacks.
With that approach this use case is handled by the "automatic"
certificate selection functions.
|
|
|
|
| |
This follows draft-ietf-tls-rfc4492bis-07 and rfc7748
|
|
|
|
|
|
|
| |
That is, an additional flag GNUTLS_ENABLE_FALSE_START is introduced
for gnutls_init(), and that enables support for false start. At
this point false start will be performed by the handshake if possible,
and gnutls_record_recv() will handle handshake completion.
|
|
|
|
| |
available flags
|
|
|
|
|
| |
This error code is returned when an embedded NULL is detected in
a string.
|
| |
|
|
|
|
|
| |
This function allows to use TLS False-start, by using the provided
function to send data just after finished message.
|
|
|
|
|
|
|
| |
This provides the ability to export all session parameters in various
formats.
Resolves #64
|
|
|
|
|
|
| |
This function would allow to simplify handling of future
flags which we may want to indicate, and would not require
API additions for new flags.
|
| |
|
|
|
|
| |
This allows to generate certificates signed with SHA3.
|
|
|
|
|
|
| |
into DH ones
This simplifies importing DSA private keys into DH parameters.
|
|
|
|
|
|
|
| |
This allows the server to set precedence on the protocols
it supports, rather than following the client's order.
Resolves #71
|
|
|
|
|
| |
That allows to print and write KRB5PrincipalName othernames
in subject alternative name.
|
| |
|
|
|
|
|
|
| |
That is require that the certificate of the peer remains the same
and return GNUTLS_E_SESSION_CERTIFICATE_CHANGED otherwise. To revert
to the previous behavior the GNUTLS_ALLOW_CERT_CHANGE flag was introduced.
|
|
|
|
|
|
| |
That is, move from a parsing error tolerance to a more strict
decoding approach.
Relates #40
|
| |
|
|
|
|
|
| |
That allows a user of the credentials to disable the certificate matching
action. That is, to disable the calls to sign and verify on initialization.
|
|
|
|
| |
initialization
|
|
|
|
|
| |
For ultra, this was its documented strength, and now follows RFC3766 recommendations
for sizes.
|
|
|
|
|
|
|
| |
This allows to specify an indefinite timeout to gnutls_record_set_timeout().
In addition this flag is accepted by gnutls_handshake_set_timeout() and
cancels out a previously set timeout.
Resolves #41
|
| |
|
| |
|
|
|
|
| |
The names are more consistent with the rest of the library.
|
|
|
|
| |
auto-verification functions
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The major use-case for the TLS protocol is verification of PKIX
certificates. However, certificate verification support while is
similar for almost all projects it requires around 100 lines of code
(a callback) to be duplicated to all applications. That patch
set gets rid of the callback and simplifies certificate verification
support, by introducing a very simple API; one that would accept
the session and the hostname only.
Resolves #27
|
|
|
|
|
| |
That allows to set a verification callback per session rather
than only globally on the credentials structure.
|
|
|
|
|
|
|
| |
This simplifies version checking, and allows the compiler to optimize
out. It can only accept numerals.
Patch by David Woodhouse.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
If TLS_FALLBACK_SCSV was sent by the client during the handshake, and
the advertised protocol version is lower than GNUTLS_TLS_VERSION_MAX,
send the "Inappropriate fallback" fatal alert and abort the handshake.
This mechanism was defined in RFC7507.
|
|
|
|
|
| |
These also use safer hex decoding functions which don't skip
invalid input.
|
|
|
|
|
| |
That includes support for RFC5705 when the context field is used.
Initial patch by Rick van Rein.
|
|
|
|
|
|
|
| |
That introduces --with-trousers-lib which can be used to specify the
library to dlopen().
Resolves #18
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
That introduces the GNUTLS_NO_SIGNAL flag for gnutls_init(),
which is available in systems that support the MSG_NOSIGNAL
flag to send(). That eases the usage of the library within
other libraries.
Resolves #11
|