Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | pkcs11_get_attribute_avalue: correctly handle a -1 value length from ↵ | Nikos Mavrogiannopoulos | 2016-06-30 | 1 | -0/+6 |
| | | | | | | | | | C_GetAttributeValue That is, work-around modules which do not return an error on sensitive objects. Relates #108 | ||||
* | pkcs11_get_attribute_avalue: do not assign values on failure | Nikos Mavrogiannopoulos | 2016-06-29 | 1 | -0/+1 |
| | | | | | | | When C_GetAttributeValue() returns size but does not return data then pkcs11_get_attribute_avalue() would set the return data pointer to a free'd value. This is against the convention expected by callers, i.e, set data to NULL. Reported by Anthony Alba in #108. | ||||
* | gnutls_pkcs11_crt_is_known: always assume GNUTLS_PKCS11_OBJ_FLAG_COMPARE ↵ | Nikos Mavrogiannopoulos | 2016-06-28 | 1 | -3/+3 |
| | | | | unless GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is given | ||||
* | find_cert_cb: minor cleanups in find_cert_cb | Nikos Mavrogiannopoulos | 2016-06-28 | 1 | -28/+28 |
| | |||||
* | pkcs11: correctly encode the serial number when searching for certificate | Nikos Mavrogiannopoulos | 2016-06-22 | 1 | -16/+9 |
| | | | | | | In gnutls_pkcs11_crt_is_known() corrected the encoding of the serial number to TLV DER from LV DER. This is the encoding we use when storing that number. | ||||
* | pkcs11: correctly account check_found_cert() | Nikos Mavrogiannopoulos | 2016-06-22 | 1 | -0/+1 |
| | |||||
* | dtls: corrected reconstruction of handshake packets received out of order | Nikos Mavrogiannopoulos | 2016-06-16 | 1 | -4/+4 |
| | | | | | | That is, when the handshake packet is split into multiple different chunks and received out of order, make sure that reconstruction occurs properly. Reported by Guillaume Roguez. | ||||
* | Corrected the writing of serial number in PKCS#11 modules | Nikos Mavrogiannopoulos | 2016-06-16 | 1 | -4/+9 |
| | | | | | | That is previously the serial number was written in raw format, but in PKCS#11 the serial number must be set encoded as integer. Report and fix by Stanislav Zidek. | ||||
* | keylogfile: only consider the SSLKEYLOGFILE variable | Nikos Mavrogiannopoulos | 2016-06-06 | 3 | -9/+9 |
| | | | | | | | In addition do not check the environment in the constructor but instead use static variables to save the key file name. The GNUTLS_KEYLOGFILE environment variable is no longer used since there is no reason to have a separate one. | ||||
* | doc update [ci skip] | Nikos Mavrogiannopoulos | 2016-05-31 | 2 | -6/+5 |
| | |||||
* | Rely on gnulib's secure_getenv() | Nikos Mavrogiannopoulos | 2016-05-28 | 1 | -4/+0 |
| | |||||
* | x86-common: use secure_getenv() | Nikos Mavrogiannopoulos | 2016-05-28 | 1 | -1/+1 |
| | |||||
* | env: use secure_getenv when reading environment variables | Nikos Mavrogiannopoulos | 2016-05-27 | 4 | -8/+14 |
| | |||||
* | Append keys on keylogfile | Nikos Mavrogiannopoulos | 2016-05-27 | 3 | -24/+13 |
| | | | | | Also consider the SSLKEYLOGFILE variable, since the format is identical and we are always appending keys. | ||||
* | pkcs11: added sanity check to find_obj_url_cb() for object validity | Nikos Mavrogiannopoulos | 2016-05-23 | 1 | -6/+6 |
| | | | | Also avoid unnecessary recursion. | ||||
* | CHACHA20_POLY1305 was added to the default priority strings | Nikos Mavrogiannopoulos | 2016-05-19 | 1 | -5/+10 |
| | | | | | That is the NORMAL and PERFORMANCE priority strings now will enable CHACHA20-POLY1305 by default. | ||||
* | Write session keys into a file when GNUTLS_KEYLOGFILE is exported | Nikos Mavrogiannopoulos | 2016-05-18 | 1 | -0/+43 |
| | | | | | | | | | | | | | That is the file pointed from the variable is written to, and contain the session parameters in the following format (identical to NSS key log format): CLIENT_RANDOM <space> <64 bytes of hex encoded client_random> <space> <96 bytes of hex encoded master secret> and for the old RSA ciphersuites also in the format: RSA <space> <16 bytes of hex encoded encrypted pre master secret> <space> <96 bytes of hex encoded master secret> Resolves #64 | ||||
* | errors: include GNUTLS_E_IDNA_ERROR to the list | Nikos Mavrogiannopoulos | 2016-05-12 | 1 | -0/+2 |
| | |||||
* | server_name: only save the supported server names in the session | Nikos Mavrogiannopoulos | 2016-05-12 | 1 | -11/+14 |
| | | | | | Invalid server names with embedded nulls and unsupported types are not saved. | ||||
* | gnutls_pubkey_verify_data2: simplified return logic | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -3/+1 |
| | |||||
* | gnutls_pkcs7_print: corrected type of unsigned count variable | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -2/+2 |
| | |||||
* | cert cred: add the CN to the list of known hostnames only if no dns_names | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -9/+14 |
| | | | | That is, follow rfc6125 and support CN as a fallback only. | ||||
* | gnutls_certificate_set_key: import the DNS names of the certificates | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -1/+25 |
| | | | | That is, only when no (NULL) names are provided. | ||||
* | reset the global time func on init/deinit | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -1/+3 |
| | |||||
* | gnutls_certificate_set_key: duplicate the provided memory | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -2/+11 |
| | | | | That is, do not assume that a heap allocated value is provided. | ||||
* | pkcs11: find_cert_cb: do not use C_FindObjectsInit() when another is already ↵ | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -35/+37 |
| | | | | | | | running While some modules implicitly terminated the previous run, this is not something that PKCS#11 modules are expected to typically do. | ||||
* | pkcs11: the flag GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be ↵ | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -0/+18 |
| | | | | | | | | | respected by imported certificates That is, certificates imported with gnutls_pkcs11_obj_import_url() or gnutls_x509_crt_import_url() will be able to be extracted with their extensions overriden. Previously that was available only on gnutls_pkcs11_get_raw_issuer() and friends. | ||||
* | pkcs11: find_ext_cb: eliminated memory leak | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -0/+1 |
| | |||||
* | gnutls_pkcs11_obj_get_exts: updated documentation | Nikos Mavrogiannopoulos | 2016-05-02 | 1 | -3/+6 |
| | |||||
* | gnutls_x509_crt_import_url: updated documentation for new function name | Nikos Mavrogiannopoulos | 2016-05-02 | 1 | -7/+5 |
| | |||||
* | doc: mention the version after which gnutls_pem_base64_en/decode2() are ↵ | Nikos Mavrogiannopoulos | 2016-04-30 | 1 | -0/+12 |
| | | | | available | ||||
* | corrected import issue in gnutls_privkey_import_ecc_raw | Nikos Mavrogiannopoulos | 2016-04-29 | 1 | -1/+1 |
| | |||||
* | x509/privkey: in raw import functions set the parameter's algorithm type | Nikos Mavrogiannopoulos | 2016-04-29 | 1 | -0/+3 |
| | |||||
* | doc: improved documentation on certificate and DANE verification functions | Nikos Mavrogiannopoulos | 2016-04-26 | 1 | -4/+4 |
| | |||||
* | _wrap_nettle_pk_derive: reject values of public key that are over the prime | Nikos Mavrogiannopoulos | 2016-04-18 | 1 | -10/+4 |
| | | | | | | | | | That is do not canonicalise the value we get from the network, but rather check it for validity. This saves a modular reduction on handshake and performs a sanity check on the peer's (client) parameters. Reported by Hubert Kario. Resolves #84 | ||||
* | handshake: do not overwrite the server's signature algorithm | Nikos Mavrogiannopoulos | 2016-04-13 | 1 | -1/+2 |
| | | | | | | That is, correct a bug under which a client sending a certificate would overwrite the server's idea about the used signature algorithm. Reported by Hubert Kario. | ||||
* | gnutls_packet_get: avoid null pointer dereference on NULL input | Nikos Mavrogiannopoulos | 2016-04-12 | 1 | -0/+1 |
| | | | | | That is, still allow the function to handle a NULL packet input but reset the data contents. | ||||
* | gnutls_ocsp_resp_get_single: fail if thisUpdate is not available or unparsable | Nikos Mavrogiannopoulos | 2016-04-12 | 1 | -2/+3 |
| | | | | | That is because this field is not optional, and a failure on its parsing is always fatal. Reported by Yuan Jochen Kang. | ||||
* | x509 output: don't warn about insecure algorithm when unknown | Nikos Mavrogiannopoulos | 2016-04-09 | 2 | -3/+3 |
| | |||||
* | dtls: added missing dtls.h to state.c | Nikos Mavrogiannopoulos | 2016-04-09 | 1 | -0/+1 |
| | |||||
* | minitasn1: updated to latest git version | Nikos Mavrogiannopoulos | 2016-04-09 | 9 | -356/+409 |
| | |||||
* | gnutls_record_get_direction: doc update [ci skip] | Nikos Mavrogiannopoulos | 2016-04-08 | 1 | -11/+7 |
| | |||||
* | pkix.asn: corrected byKey definition | Nikos Mavrogiannopoulos | 2016-04-08 | 2 | -2/+2 |
| | | | | | OCSP is defined in an EXPLICIT tags module, and as such we must tag explicitly all of its tags. | ||||
* | name constraints: enforce the rules for IP constraints when adding | Nikos Mavrogiannopoulos | 2016-04-05 | 1 | -2/+13 |
| | | | | This will prevent gnutls from generating badly formed certificates. | ||||
* | _gnutls_parse_general_name2: allow parsing empty names | Nikos Mavrogiannopoulos | 2016-04-05 | 3 | -17/+39 |
| | | | | | This allows parsing empty general names such as an empty DNSname used in name constraints. | ||||
* | x509/output: simplified cidr_to_string() | Nikos Mavrogiannopoulos | 2016-03-31 | 1 | -33/+4 |
| | |||||
* | x509/output: print RFC5280 CIDRs in name constraints | Nikos Mavrogiannopoulos | 2016-03-31 | 1 | -9/+98 |
| | |||||
* | dtls: reset the record number sliding window on gnutls_record_set_state() | Nikos Mavrogiannopoulos | 2016-03-31 | 3 | -4/+38 |
| | | | | | | | | This addresses issue where gnutls_record_set_state() was called with a new state but the sliding window information was not updated, thus blocking any incoming packets. Resolves #82 | ||||
* | DTLS: save last valid record sequence number | Nikos Mavrogiannopoulos | 2016-03-30 | 1 | -17/+24 |
| | | | | | This will allow to report a valid number to gnutls_record_get_state() callers in case of DTLS. Reported by Fridolin Pokorny. | ||||
* | gnutls_record_get_state: Allow for NULL parameters | Nikos Mavrogiannopoulos | 2016-03-29 | 1 | -4/+8 |
| |