| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
There were few infinite loop constructions which were checking
for an always true condition. Make sure that this construction
is marked explicitly as while(1) to assist static analysers, or
reviewers.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
options
Resolves: #794
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows the system administrator or the distributor to use
the gnutls configuration file to mark hashes, signature algorithms,
TLS versions, curves, groups, ciphers KX, and MAC algorithms as
insecure (the last four only in the context of a TLS session).
It also allows to set a minimum profile which the applications
cannot fall below.
The options intentionally do not allow marking algorithms as
secure so that the configuration file cannot be used as an attack
vector. This change also makes sure that unsupported and disabled protocols
during compile time (e.g., SSL3.0), do not get listed by gnutls-cli.
The configuration file feature can be disabled at compile time
with an empty --with-system-priority-file.
This patch it introduces the function gnutls_get_system_config_file()
allowing applications to check whether a configuration file
was used.
Resolves: #587
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| | |
Mark second argument of function gnutls_x509_crt_equals2 as const
See merge request gnutls/gnutls!1000
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This will allow using this function with certificates
returned by function gnutls_certificate_get_peers
without casts dropping const qualifier or
making temporary copies out of retrieved data.
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It seems that the FUTURE security level parameter was added
without a corresponding verification profile. This patch address
the issue by introducing it.
Resolves: #770
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|
|
|
| |
Signed-off-by: Elta Koepp <elta_koepp@gmail.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
We expand informational comments on limitations, but with removing
FIXME (keyword didn't help fixing these), and remove completely unhelpful
comments, obsolete ones, or comments about ideas.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|
|
|
| |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|\
| |
| |
| |
| | |
Automatically NULLify after gnutls_free()
See merge request gnutls/gnutls!923
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit 681330882da19099eea360fab141cab937c45677.
Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
This revert also contains the fix to the original commit (invalid
utf8->utf16 conversion) and a minor simplification of the _treaddir loop.
|
|/
|
|
| |
Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Each certificate has two fields to set the signature algorithm
and parameters used for the digital signature. One of the fields is
authenticated and the other is not. It is required from RFC5280 to
enforce the equality of these fields, but currently due to an issue
we wouldn't enforce the equality of the parameters fields. This
fix corrects the issue.
We also move an RSA-PSS certificate in chainverify that was relying
on invalid parameters, to this set of invalid certificates.
Resolves: #698
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|
|
|
| |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
|
|
|
|
| |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|
|
|
|
|
|
|
|
| |
This was failing CI (x509cert-tl) but was not detected due to
a bug.
This reverts commit 362a0c30b79ccede7e5bc3a7747c3e7f1d30889a.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This removes the documented use of this macro. It was non-functional.
Given the nature of the definition of the non-well defined date for
certificates, it may be wise not to use a special macro at all. The
reason is that the no-well defined date is a real date (~year 9999),
and any approximation with seconds will be unstable due to irregular
leap seconds.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
| |
And especially when building for windows store, which only allows
unicode version of opendir & friends functions.
|
|
|
|
| |
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
|
|
|
|
|
|
|
| |
Fixed the documentation of the function to reflect reality.
This function did not accept the GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION
macro.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
Add support for yet another representation of GOST private keys:
LE-formatted number encoded into pkcs-8-PrivateKeyInfo.privateKey
without any additional encapsulation.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
| |
CMS specification explicitly allows BER encoding in CMS files. RFC 4134
example 4.5 uses BER indefinite encoding.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
| |
This was identified by clang analyzer's on _gnutls_x509_dn_to_string
and _gnutls_x509_decode_string.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Makes the comparisons of the URI scheme to use c_strcasecmp
from gnulib. It also replaces various straw strcasecmp with
the gnulib variant. This ensures that comparison will be
reliable irrespective of the locale.
Resolves #590
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| | |
manpage generation cleanup
See merge request gnutls/gnutls!760
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
|
|
| |
Resolves #573
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| |
| |
| | |
Provide a less restrictive PKCS#11 search of certificates
Closes #569
See merge request gnutls/gnutls!757
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This addresses the problem where the CA certificate doesn't
have a subject key identifier whereas the end certificates
have an authority key identifier.
Resolves #569
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
|
|
|
| |
This allows an application to be notified of the addition of invalid
CRLs in the trust list.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
| |
This clarifies the format that parameters in the EdDSA curves
will be returned, and also ensures that the import/export
functions fail on unsupported curves.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
OpenSSL and other libraries print MSB first, when printing GOST public
keys. Let's return to this convention.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
|
|
|
|
| |
GOST R 34.10 native format is little endian. It is better for the
application code to use native format data to interface library, rather
than convert buffers on their own.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
|
|
|
|
|
| |
If gnutls_x509_trust_list_add_cas returns less than clist_size, the additional
unaccounted certificates will never be freed.
Relates #552
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When the flag GNUTLS_TL_USE_IN_TLS is used and add_new_ca_to_rdn_seq
the return value did not include the last certificate added to the
list. This corrects its return value.
Relates #552
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|