This introduces gnutls_utf8_password_normalize() and a dependency on libunistring.
The old DN parsing functions are changed to return the original
non-fully compliant with RFC4514 string format, while the new
ones return the compliant string by default. This allows applications
which relied on the previous format to continue functioning without
changes.
response
That is, we no longer reply to a client's hello with a status request, with
a status request extension. Although that behavior, which was introduced
in 6b76e0c899b1ff08df9bd9b41588f771f050be89, is legal, it creates incompatibility
issues with the gnutls 3.3.x branch. That is because versions prior to 3.3.26
translate the presence of the extension as a guarantee that the status
response data will be sent. Even though that is a false assumption, we
replicate the previous behavior to allow such clients to connect to
a gnutls 3.5.x server.
Relates !66
While the change was fully backwards compatible for applications that were
adding a single certificate, and applications that were checking for negative
error codes, many applications do not. As this may cause incompatibility issues
with software properly utilizing the previously documented API, the change
is reverted, and applications need to explicitly enable a flag (GNUTLS_CERTIFICATE_API_V2)
in the credentials structure for the set_key functions to return an index.
These flags allow the callers to disable the automatically enabled
session tickets. This could be done only with GNUTLS_NO_EXTENSIONS
which also disabled other useful extensions.
certificate
That is, check the provided certificate for validity in time and key usage.
That is, the functions gnutls_certificate_set_known_dh_params(),
gnutls_anon_set_server_known_dh_params(),
gnutls_psk_set_server_known_dh_params().
These functions allow statically setting the DH parameters, based
on the RFC7919 FFDHE parameters. This can simplify server configuration
by allowing DH without loading parameters from a file.
Relates #37
This flag allows the export of the stored embedded data with any wrapping
encoding included. In particular, this allows reading the data from the
Microsoft catalog PKCS#7 structures, which store as embedded data elements
of a SEQUENCE, but only authenticate the inner parts without the bytes
forming the SEQUENCE header.
This allows decoding very old PKCS#7 structures where the content is not
an octet string. In addition, it introduces gnutls_pkcs7_get_embedded_data_oid()
to obtain the OID of the signature data.
This allows a caller to add supplemental data handling which will
only be made available for a specific session.
This allows a caller to add extensions which will be made available
for a specific session.
This allows marking objects as distrusted, as well as listing
distrusted objects.
This allows functions like decryption and verification to report
the specific issue they encountered on public key error.
The new codes are GNUTLS_E_PK_INVALID_PUBKEY and GNUTLS_E_PK_INVALID_PRIVKEY.
That introduces a new function to allow setting an OCSP status
request handling function per certificate. Furthermore it repurposes
the flag parameters to an index option on gnutls_certificate_set_ocsp_status_request_file.
The changes above allow setting a different OCSP status response
file per certificate, and a different function. The indexes they
rely on to associate with existing certs are the indexes returned
by the gnutls_certificate_set_key() and friends functions.
While this is a legacy (and insecure) cipher combination it is the
default output of openssl up until the 1.0.2 version. We introduce
this option to allow decrypting private keys from these versions of
openssl.
This improves compatibility with new openssl versions.
- Moved IP/CIDR to string conversion functions into separate
header and export privately for the use in tests.
- Placed ip_in_cidr() into separate header for easy testing
- Add publicly available function to convert text CIDR to RFC5280
format for the use in name constraints extension.
- certtool: Use GnuTLS exported CIDR functions instead of local ones.
- Export mask_to_prefix, mask_ip for internal GnuTLS use.
- Introduce new error value (malformed cidr) and add to description
functions in errors.c.
Signed-off-by: Martin Ukrop <mukrop@redhat.com>
This will allow minor modifications to the semantics of the function
in the future, without introducing a new API.
This introduces a new function gnutls_transport_set_fastopen().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Tim Ruehsen <tim.ruehsen@gmx.de>
This is to prevent issues for callers who may check for negative
error values.
This error code is returned when the session resumption parameters
are requested during a handshake. That is, to increase the clarity
when requesting these parameters while false start is active and
the handshake is not complete even if gnutls_handshake() has returned.
Relates #114
- If the intersection of name constraints of the given type was empty, the results allowed all names instead of none.
- Fixed by adding a universal excluded name constraint in case the intersection for the particular type is empty.
- Moved the logic of creating a name constraint node copy from _gnutls_name_constraints_intersect to name_constraints_intersect_nodes (previously name_constraints_match), as intersecting IP addresses will require further processing (not just taking one of the compared nodes as was the implementation till now).
- GNUTLS_SAN_MAX added in order to comfortably iterate over SAN type enum.
That is, define all the elements that were available prior
the move from #define to enum, to allow code relying on
This allows initializing a gnutls_x509_dn_t structure via a DN string.
This is a function to add an arbitrary extension into a
certificate request.
This verifies whether a chain complies with RFC7366 p.4.2.2 requirements.
That is whether the issuer's features are a superset of the certificate
under verification.
This enhances gnutls_x509_crt_get_tlsfeatures() to allow appending
of TLSFeatures, and introduces gnutls_x509_tlsfeatures_check_crt().
This allows copying specific OIDs from a certificate
request to the certificate.
This verification status flag indicates an OCSP status response
being stapled but it being invalid for some reason (e.g., unable
to parse or doesn't contain the expected certificate).
In addition, function documentation was updated.
This replaces the usage of "int" in functions which could only
have accepted an "unsigned" value. Also functions which return
unsigned values are explicitly tagged as such. The ABI remains
the same with these changes.
This allows easier catching of sign/unsigned related errors from
the calling applications.
That is, account for the OCSP-Must staple extension. If we have sent an OCSP
status request and have not gotten anything, but the certificate has the
Status Request TLSFeature extension present, fail to verify the certificate.
The exported function is gnutls_ext_get_name().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That adds:
gnutls_x509_ext_export_tlsfeatures
gnutls_x509_tlsfeatures_add
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
In addition provide function to enumerate the features it lists,
and output information with the output functions.
This adds:
gnutls_x509_tlsfeatures_init
gnutls_x509_tlsfeatures_deinit
gnutls_x509_tlsfeatures_get
gnutls_x509_ext_import_tlsfeatures
gnutls_x509_crt_get_tlsfeatures
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
To better test support for the server_name extension in TLS, it's
necessary to be able to differentiate between a name being rejected
because it is unknown to the server and it being malformed.