summaryrefslogtreecommitdiff
path: root/lib/x509
Commit message (Collapse)AuthorAgeFilesLines
* lib: mark infinite loops explicitlytmp-mark-infinite-loopsNikos Mavrogiannopoulos2019-07-102-35/+24
| | | | | | | | | There were few infinite loop constructions which were checking for an always true condition. Make sure that this construction is marked explicitly as while(1) to assist static analysers, or reviewers. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_crt_list_import2: updated doc to reflect the actual return value ↵Nikos Mavrogiannopoulos2019-06-281-1/+1
| | | | | | | | options Resolves: #794 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* config: added ability to override and mark algorithms as disabledNikos Mavrogiannopoulos2019-06-201-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | This allows the system administrator or the distributor to use the gnutls configuration file to mark hashes, signature algorithms, TLS versions, curves, groups, ciphers KX, and MAC algorithms as insecure (the last four only in the context of a TLS session). It also allows to set a minimum profile which the applications cannot fall below. The options intentionally do not allow marking algorithms as secure so that the configuration file cannot be used as an attack vector. This change also makes sure that unsupported and disabled protocols during compile time (e.g., SSL3.0), do not get listed by gnutls-cli. The configuration file feature can be disabled at compile time with an empty --with-system-priority-file. This patch it introduces the function gnutls_get_system_config_file() allowing applications to check whether a configuration file was used. Resolves: #587 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'mark_const' into 'master'Tim Rühsen2019-05-211-1/+1
|\ | | | | | | | | Mark second argument of function gnutls_x509_crt_equals2 as const See merge request gnutls/gnutls!1000
| * Mark second argument of function gnutls_x509_crt_equals2 as constAleksei Nikiforov2019-05-211-1/+1
| | | | | | | | | | | | | | | | | | This will allow using this function with certificates returned by function gnutls_certificate_get_peers without casts dropping const qualifier or making temporary copies out of retrieved data. Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
* | Added profile to correspond to the future security parameterNikos Mavrogiannopoulos2019-05-201-1/+5
| | | | | | | | | | | | | | | | | | | | It seems that the FUTURE security level parameter was added without a corresponding verification profile. This patch address the issue by introducing it. Resolves: #770 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | tests: added unit tests of utc and generalTime convertorNikos Mavrogiannopoulos2019-05-201-2/+4
|/ | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Add or clean header guards in lib/x509/Tim Rühsen2019-05-0712-21/+46
| | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* [OSCP] Fix : null pointer respElta Koepp2019-04-051-0/+3
| | | | Signed-off-by: Elta Koepp <elta_koepp@gmail.com>
* _x509_en/decode_provable_seed: clarified purpose of functions [ci skip]Nikos Mavrogiannopoulos2019-03-201-0/+6
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Removed all FIXME comments in code [ci skip]Nikos Mavrogiannopoulos2019-03-163-14/+2
| | | | | | | | We expand informational comments on limitations, but with removing FIXME (keyword didn't help fixing these), and remove completely unhelpful comments, obsolete ones, or comments about ideas. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Use https:// in lib/, src/, and m4/Tim Rühsen2019-03-131-1/+1
| | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Use https:// for www.gnu.org and www.example.comTim Rühsen2019-03-1355-55/+55
| | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Merge branch 'tmp-reset-after-free' into 'master'Tim Rühsen2019-02-239-29/+4
|\ | | | | | | | | Automatically NULLify after gnutls_free() See merge request gnutls/gnutls!923
| * gnutls_x509_crt_init: Fix dereference of NULL pointertmp-reset-after-freeTim Rühsen2019-02-221-1/+1
| | | | | | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
| * Remove redundant resets of variables after free()Tim Rühsen2019-02-229-28/+3
| | | | | | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | lib: x509: Minor directory browsing simplificationHugo Beauzée-Luyssen2019-02-211-6/+3
| | | | | | | | Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
* | Revert "Revert "verify-high2: Fix cert dir iteration on Win32""Hugo Beauzée-Luyssen2019-02-211-2/+49
| | | | | | | | | | | | | | | | | | This reverts commit 681330882da19099eea360fab141cab937c45677. Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr> This revert also contains the fix to the original commit (invalid utf8->utf16 conversion) and a minor simplification of the _treaddir loop.
* | iconv: Allow _gnutls_utf8_to_ucs2 to output little endianHugo Beauzée-Luyssen2019-02-211-1/+1
|/ | | | Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
* x509: corrected issue in the algorithm parameters comparisonNikos Mavrogiannopoulos2019-02-141-1/+1
| | | | | | | | | | | | | | | | Each certificate has two fields to set the signature algorithm and parameters used for the digital signature. One of the fields is authenticated and the other is not. It is required from RFC5280 to enforce the equality of these fields, but currently due to an issue we wouldn't enforce the equality of the parameters fields. This fix corrects the issue. We also move an RSA-PSS certificate in chainverify that was relying on invalid parameters, to this set of invalid certificates. Resolves: #698 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Use inet_pton() from gnulibtmp-gnulib-ptonTim Rühsen2019-02-101-1/+3
| | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Use inet_ntop() from gnulibtmp-gnulib-ntopTim Rühsen2019-02-071-4/+1
| | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Fix _gnutls_write_new_general_name() result checkingMaks Naumov2019-01-081-1/+1
|
* Fix typos in lib/tmp-fix-typos-in-libTim Rühsen2019-01-0412-16/+16
| | | | Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Revert "verify-high2: Fix cert dir iteration on Win32"tmp-revert-835Nikos Mavrogiannopoulos2019-01-041-48/+2
| | | | | | | | | This was failing CI (x509cert-tl) but was not detected due to a bug. This reverts commit 362a0c30b79ccede7e5bc3a7747c3e7f1d30889a. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION: deprecatedtmp-no-well-definedNikos Mavrogiannopoulos2018-12-211-4/+1
| | | | | | | | | | | This removes the documented use of this macro. It was non-functional. Given the nature of the definition of the non-well defined date for certificates, it may be wise not to use a special macro at all. The reason is that the no-well defined date is a real date (~year 9999), and any approximation with seconds will be unstable due to irregular leap seconds. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* verify-high2: Fix cert dir iteration on Win32Hugo Beauzée-Luyssen2018-12-191-2/+48
| | | | | And especially when building for windows store, which only allows unicode version of opendir & friends functions.
* Implemented support for raw public-key functionality (RFC7250).Tom Vrancken2018-12-152-2/+2
| | | | Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* gnutls_x509_crt_set_expiration_time: fixed documentation [ci skip]Nikos Mavrogiannopoulos2018-11-301-3/+3
| | | | | | | | Fixed the documentation of the function to reflect reality. This function did not accept the GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION macro. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pkcs8: support GOST keys without encapsulationDmitry Eremin-Solenikov2018-11-161-2/+22
| | | | | | | | Add support for yet another representation of GOST private keys: LE-formatted number encoded into pkcs-8-PrivateKeyInfo.privateKey without any additional encapsulation. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* _gnutls_x509_read_eddsa_pubkey(): sanity check the input valuestmp-cert-statusNikos Mavrogiannopoulos2018-11-151-4/+10
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls_x509_privkey_import_ecc_raw(): fail on invalid sizesNikos Mavrogiannopoulos2018-11-151-0/+7
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: minor updates in elliptic curve documentationNikos Mavrogiannopoulos2018-11-152-22/+25
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* pkcs7: allow BER encoding when parsing encapContentInfo.eContentDmitry Eremin-Solenikov2018-11-141-2/+2
| | | | | | | CMS specification explicitly allows BER encoding in CMS files. RFC 4134 example 4.5 uses BER indefinite encoding. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* pkcs12: cleanups, and two memory leak fixesNikos Mavrogiannopoulos2018-11-101-10/+8
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Added checks to avoid false negatives reported by static analyzersNikos Mavrogiannopoulos2018-11-102-2/+9
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Initialize output var to avoid false negative from static analyzersNikos Mavrogiannopoulos2018-11-091-1/+4
| | | | | | | This was identified by clang analyzer's on _gnutls_x509_dn_to_string and _gnutls_x509_decode_string. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* pkcs11 uris: the URI scheme is case insensitivetmp-urisNikos Mavrogiannopoulos2018-10-122-3/+6
| | | | | | | | | | | Makes the comparisons of the URI scheme to use c_strcasecmp from gnulib. It also replaces various straw strcasecmp with the gnulib variant. This ensures that comparison will be reliable irrespective of the locale. Resolves #590 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* privkey_pkcs8: added reference for validation parameters OID [ci skip]Nikos Mavrogiannopoulos2018-10-012-0/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'tmp-cleanup-in-docs' into 'master'Tim Rühsen2018-09-282-3/+5
|\ | | | | | | | | manpage generation cleanup See merge request gnutls/gnutls!760
| * doc: fixed missing function and enumeration parametersNikos Mavrogiannopoulos2018-09-262-3/+5
| | | | | | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | _gnutls_check_key_purpose: eliminated dead codetmp-eliminate-dead-codeNikos Mavrogiannopoulos2018-09-261-2/+0
|/ | | | | | Resolves #573 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'tmp-pkcs11-lax-search' into 'master'Nikos Mavrogiannopoulos2018-09-242-2/+10
|\ | | | | | | | | | | | | Provide a less restrictive PKCS#11 search of certificates Closes #569 See merge request gnutls/gnutls!757
| * Provide a more flexible PKCS#11 search of trust store certificatestmp-pkcs11-lax-searchNikos Mavrogiannopoulos2018-09-212-2/+10
| | | | | | | | | | | | | | | | | | | | This addresses the problem where the CA certificate doesn't have a subject key identifier whereas the end certificates have an authority key identifier. Resolves #569 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | trust list: added flag to force failure on CRL validation errorNikos Mavrogiannopoulos2018-09-211-0/+2
|/ | | | | | | This allows an application to be notified of the addition of invalid CRLs in the trust list. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ECC export/import: updated documentation on EdDSA curvesNikos Mavrogiannopoulos2018-09-201-3/+6
| | | | | | | | This clarifies the format that parameters in the EdDSA curves will be returned, and also ensures that the import/export functions fail on unsupported curves. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509: print_pubkey: print GOST public key with MSB firstDmitry Eremin-Solenikov2018-09-181-0/+14
| | | | | | | OpenSSL and other libraries print MSB first, when printing GOST public keys. Let's return to this convention. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* lib: use little endian when importing/exporting GOST keysDmitry Eremin-Solenikov2018-09-181-3/+9
| | | | | | | | GOST R 34.10 native format is little endian. It is better for the application code to use native format data to interface library, rather than convert buffers on their own. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* gnutls_x509_trust_list_add_trust_mem: fix behavior with unaccounted certsNikos Mavrogiannopoulos2018-09-171-1/+7
| | | | | | | | | If gnutls_x509_trust_list_add_cas returns less than clist_size, the additional unaccounted certificates will never be freed. Relates #552 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_x509_trust_list_add_cas: corrected return valueNikos Mavrogiannopoulos2018-09-171-1/+1
| | | | | | | | | | When the flag GNUTLS_TL_USE_IN_TLS is used and add_new_ca_to_rdn_seq the return value did not include the last certificate added to the list. This corrects its return value. Relates #552 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
View Lorry Controller Status