path: root/lib
Commit message | Author | Age | Files | Lines
* pkcs11_get_attribute_avalue: correctly handle a -1 value length from C_GetAttributeValue | Nikos Mavrogiannopoulos | 2016-06-30 | 1 | -0/+6
  That is, work-around modules which do not return an error on sensitive objects. Relates #108
* pkcs11_get_attribute_avalue: do not assign values on failure | Nikos Mavrogiannopoulos | 2016-06-29 | 1 | -0/+1
  When C_GetAttributeValue() returns size but does not return data then pkcs11_get_attribute_avalue() would set the return data pointer to a free'd value. This is against the convention expected by callers, i.e., set data to NULL. Reported by Anthony Alba in #108.
* gnutls_pkcs11_crt_is_known: always assume GNUTLS_PKCS11_OBJ_FLAG_COMPARE unless GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is given | Nikos Mavrogiannopoulos | 2016-06-28 | 1 | -3/+3
* find_cert_cb: minor cleanups in find_cert_cb | Nikos Mavrogiannopoulos | 2016-06-28 | 1 | -28/+28
* pkcs11: correctly encode the serial number when searching for certificate | Nikos Mavrogiannopoulos | 2016-06-22 | 1 | -16/+9
  In gnutls_pkcs11_crt_is_known() corrected the encoding of the serial number to TLV DER from LV DER. This is the encoding we use when storing that number.
* pkcs11: correctly account check_found_cert() | Nikos Mavrogiannopoulos | 2016-06-22 | 1 | -0/+1
* dtls: corrected reconstruction of handshake packets received out of order | Nikos Mavrogiannopoulos | 2016-06-16 | 1 | -4/+4
  That is, when the handshake packet is split into multiple different chunks and received out of order, make sure that reconstruction occurs properly. Reported by Guillaume Roguez.
* Corrected the writing of serial number in PKCS#11 modules | Nikos Mavrogiannopoulos | 2016-06-16 | 1 | -4/+9
  That is, previously the serial number was written in raw format, but in PKCS#11 the serial number must be set encoded as integer. Report and fix by Stanislav Zidek.
* keylogfile: only consider the SSLKEYLOGFILE variable | Nikos Mavrogiannopoulos | 2016-06-06 | 3 | -9/+9
  In addition do not check the environment in the constructor but instead use static variables to save the key file name. The GNUTLS_KEYLOGFILE environment variable is no longer used since there is no reason to have a separate one.
* doc update [ci skip] | Nikos Mavrogiannopoulos | 2016-05-31 | 2 | -6/+5
* Rely on gnulib's secure_getenv() | Nikos Mavrogiannopoulos | 2016-05-28 | 1 | -4/+0
* x86-common: use secure_getenv() | Nikos Mavrogiannopoulos | 2016-05-28 | 1 | -1/+1
* env: use secure_getenv when reading environment variables | Nikos Mavrogiannopoulos | 2016-05-27 | 4 | -8/+14
* Append keys on keylogfile | Nikos Mavrogiannopoulos | 2016-05-27 | 3 | -24/+13
  Also consider the SSLKEYLOGFILE variable, since the format is identical and we are always appending keys.
* pkcs11: added sanity check to find_obj_url_cb() for object validity | Nikos Mavrogiannopoulos | 2016-05-23 | 1 | -6/+6
  Also avoid unnecessary recursion.
* CHACHA20_POLY1305 was added to the default priority strings | Nikos Mavrogiannopoulos | 2016-05-19 | 1 | -5/+10
  That is, the NORMAL and PERFORMANCE priority strings now will enable CHACHA20-POLY1305 by default.
* Write session keys into a file when GNUTLS_KEYLOGFILE is exported | Nikos Mavrogiannopoulos | 2016-05-18 | 1 | -0/+43
  That is, the file pointed from the variable is written to, and contains the session parameters in the following format (identical to NSS key log format):
    CLIENT_RANDOM <space> <64 bytes of hex encoded client_random> <space> <96 bytes of hex encoded master secret>
  and for the old RSA ciphersuites also in the format:
    RSA <space> <16 bytes of hex encoded encrypted pre master secret> <space> <96 bytes of hex encoded master secret>
  Resolves #64
* errors: include GNUTLS_E_IDNA_ERROR to the list | Nikos Mavrogiannopoulos | 2016-05-12 | 1 | -0/+2
* server_name: only save the supported server names in the session | Nikos Mavrogiannopoulos | 2016-05-12 | 1 | -11/+14
  Invalid server names with embedded nulls and unsupported types are not saved.
* gnutls_pubkey_verify_data2: simplified return logic | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -3/+1
* gnutls_pkcs7_print: corrected type of unsigned count variable | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -2/+2
* cert cred: add the CN to the list of known hostnames only if no dns_names | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -9/+14
  That is, follow rfc6125 and support CN as a fallback only.
* gnutls_certificate_set_key: import the DNS names of the certificates | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -1/+25
  That is, only when no (NULL) names are provided.
* reset the global time func on init/deinit | Nikos Mavrogiannopoulos | 2016-05-10 | 1 | -1/+3
* gnutls_certificate_set_key: duplicate the provided memory | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -2/+11
  That is, do not assume that a heap allocated value is provided.
* pkcs11: find_cert_cb: do not use C_FindObjectsInit() when another is already running | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -35/+37
  While some modules implicitly terminated the previous run, this is not something that PKCS#11 modules are expected to typically do.
* pkcs11: the flag GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be respected by imported certificates | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -0/+18
  That is, certificates imported with gnutls_pkcs11_obj_import_url() or gnutls_x509_crt_import_url() will be able to be extracted with their extensions overridden. Previously that was available only on gnutls_pkcs11_get_raw_issuer() and friends.
* pkcs11: find_ext_cb: eliminated memory leak | Nikos Mavrogiannopoulos | 2016-05-03 | 1 | -0/+1
* gnutls_pkcs11_obj_get_exts: updated documentation | Nikos Mavrogiannopoulos | 2016-05-02 | 1 | -3/+6
* gnutls_x509_crt_import_url: updated documentation for new function name | Nikos Mavrogiannopoulos | 2016-05-02 | 1 | -7/+5
* doc: mention the version after which gnutls_pem_base64_en/decode2() are available | Nikos Mavrogiannopoulos | 2016-04-30 | 1 | -0/+12
* corrected import issue in gnutls_privkey_import_ecc_raw | Nikos Mavrogiannopoulos | 2016-04-29 | 1 | -1/+1
* x509/privkey: in raw import functions set the parameter's algorithm type | Nikos Mavrogiannopoulos | 2016-04-29 | 1 | -0/+3
* doc: improved documentation on certificate and DANE verification functions | Nikos Mavrogiannopoulos | 2016-04-26 | 1 | -4/+4
* _wrap_nettle_pk_derive: reject values of public key that are over the prime | Nikos Mavrogiannopoulos | 2016-04-18 | 1 | -10/+4
  That is, do not canonicalise the value we get from the network, but rather check it for validity. This saves a modular reduction on handshake and performs a sanity check on the peer's (client) parameters. Reported by Hubert Kario. Resolves #84
* handshake: do not overwrite the server's signature algorithm | Nikos Mavrogiannopoulos | 2016-04-13 | 1 | -1/+2
  That is, correct a bug under which a client sending a certificate would overwrite the server's idea about the used signature algorithm. Reported by Hubert Kario.
* gnutls_packet_get: avoid null pointer dereference on NULL input | Nikos Mavrogiannopoulos | 2016-04-12 | 1 | -0/+1
  That is, still allow the function to handle a NULL packet input but reset the data contents.
* gnutls_ocsp_resp_get_single: fail if thisUpdate is not available or unparsable | Nikos Mavrogiannopoulos | 2016-04-12 | 1 | -2/+3
  That is because this field is not optional, and a failure on its parsing is always fatal. Reported by Yuan Jochen Kang.
* x509 output: don't warn about insecure algorithm when unknown | Nikos Mavrogiannopoulos | 2016-04-09 | 2 | -3/+3
* dtls: added missing dtls.h to state.c | Nikos Mavrogiannopoulos | 2016-04-09 | 1 | -0/+1
* minitasn1: updated to latest git version | Nikos Mavrogiannopoulos | 2016-04-09 | 9 | -356/+409
* gnutls_record_get_direction: doc update [ci skip] | Nikos Mavrogiannopoulos | 2016-04-08 | 1 | -11/+7
* pkix.asn: corrected byKey definition | Nikos Mavrogiannopoulos | 2016-04-08 | 2 | -2/+2
  OCSP is defined in an EXPLICIT tags module, and as such we must tag explicitly all of its tags.
* name constraints: enforce the rules for IP constraints when adding | Nikos Mavrogiannopoulos | 2016-04-05 | 1 | -2/+13
  This will prevent gnutls from generating badly formed certificates.
* _gnutls_parse_general_name2: allow parsing empty names | Nikos Mavrogiannopoulos | 2016-04-05 | 3 | -17/+39
  This allows parsing empty general names such as an empty DNSname used in name constraints.
* x509/output: simplified cidr_to_string() | Nikos Mavrogiannopoulos | 2016-03-31 | 1 | -33/+4
* x509/output: print RFC5280 CIDRs in name constraints | Nikos Mavrogiannopoulos | 2016-03-31 | 1 | -9/+98
* dtls: reset the record number sliding window on gnutls_record_set_state() | Nikos Mavrogiannopoulos | 2016-03-31 | 3 | -4/+38
  This addresses issue where gnutls_record_set_state() was called with a new state but the sliding window information was not updated, thus blocking any incoming packets. Resolves #82
* DTLS: save last valid record sequence number | Nikos Mavrogiannopoulos | 2016-03-30 | 1 | -17/+24
  This will allow to report a valid number to gnutls_record_get_state() callers in case of DTLS. Reported by Fridolin Pokorny.
* gnutls_record_get_state: Allow for NULL parameters | Nikos Mavrogiannopoulos | 2016-03-29 | 1 | -4/+8