| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
That is use _gnutls_utf8_to_ucs2() to convert the provided
password to UCS2.
|
| | |
|
| |
|
|
| |
This function allows to convert between UTF8 to UCS2 big-endian.
|
| | |
|
| |
|
|
|
|
|
| |
- Modified IPv4/IPv6 interaction in name constraints -- IPv4 and IPv6 no have empty intersection (previously: were treated independently).
- Current behavior is more conservative -- in case of IPv4 constraint cert, subcerts will not be able to have IPv6 addresses.
- Tests updated accordingly.
- Behavior now matches NSS.
|
| | |
|
| |
|
|
| |
That is, use a single allocation for temporary data.
|
| | |
|
| |
|
|
|
|
|
| |
This addresses issue when encoding values obtained via
PKCS#11 which may not be necessarily padded.
Resolves #122
|
| |
|
|
|
|
|
|
|
|
|
| |
In this implementation, the end of the sliding window is always advanced
to the latest received packet, and we accept up to 64 packets before
that one. We no longer refuse to accept packets because they are
*too* far ahead of what we've already seen.
Some of the test cases are fixed up accordingly.
This matches the code in OpenConnect esp-seqno.c at commit 314ac65.
|
| | |
|
| |
|
|
|
| |
That is ensure that it is forwarded at least one place if more than 16
packets have been received since the first one.
|
| | |
|
| |
|
|
|
|
| |
Simplified and optimized the function operation, by removing
unecessary memory allocations, as well as eliminate memory leaks
on certain error cases.
|
| |
|
|
|
|
|
| |
Previously the OCSP certificate check wouldn't verify the serial length
and could succeed in cases it shouldn't.
Reported by Stefan Buehler.
|
| | |
|
| |
|
|
|
|
|
| |
While this is a legacy (and insecure) cipher combination it is the
default output of openssl up until the 1.0.2 version. We introduce
this option to allow decrypting private keys from these versions of
openssl.
|
| | |
|
| |
|
|
| |
This improves compatibility with new openssl versions.
|
| |
|
|
| |
Patch by David Woodhouse
|
| |
|
|
| |
Signed-off-by: Philippe Proulx <eeppeliteloop@gmail.com>
|
| |
|
|
|
| |
This allows to compile the getrandom() code in old Linux systems
which do not have the system call defined.
|
| |
|
|
| |
Suggested by Stephan Mueller.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- IP constraints are now checked against the subject alternative
name field.
- Implemented IP name constraints merging.
- Added IP constraints validity checking during loading and getting
the name constraints object from the user.
- Add a convenience function name_constraints_node_new that allocates
a name constraints node and sets its fields. Use this new function
where applicable.
- Add documentation for is_nc_empty, _gnutls_name_constraints_node_free,
_gnutls_name_constraints_intersect.
- Small improvements elsewhere (polishing).
Signed-off-by: Martin Ukrop <mukrop@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Moved IP/CIDR to string conversion functions into separate
header and export privately for the use in tests.
- Placed ip_in_cidr() into separate header for easy testing
- Add publicly available function to convert text CIDR to RFC5280
format for the use in name constraints extension.
- certtool: Use GnuTLS exported CIDR functions instead of local ones.
- Export mask_to_prefix, mask_ip for internal GnuTLS use.
- Introduce new error value (malformed cidr) and add to description
functions in errors.c.
Signed-off-by: Martin Ukrop <mukrop@redhat.com>
|
| |
|
|
|
| |
This will allow minor modifications to the semantics of the function
in the future, without introducing a new API.
|
| |
|
|
|
|
|
|
|
| |
gnutls_pkcs12_simple_parse was only collecting extra certificates that was
possible elements of the certificate chain when the extra_certs argument was
not NULL. Fix by allways collecting all the certificates, any unneeded
certificates are released before returning if extra_certs is NULL anyway.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
|
| |
|
|
|
|
|
|
| |
The access to the allocated crt_list variable was missing a pointer
dereference, leading to memory corruption for any certificate list with more
than one element.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
|
| |
|
|
|
| |
That way we can better report errors which relate to illegal
parameters being detected.
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously we calculated the size of the key directly, but
by using the rsa_*_key_prepare we benefit from any checks that
may be introduced in the future. Specifically any checks for invalid
public keys (e.g., keys that may crash the underlying gmp functions).
This patch avoids calling rsa_private_key_prepare every time we construct
a nettle private key struct, because this function requires a bigint
multiplication. We call that function once on private key import.
|
| |
|
|
| |
This reverts commit c801a15bca9ea8f3f7abd4be48bebd36c54eeba2.
|
| | |
|
| |
|
|
| |
Renamed function for clarity.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Previously we calculated the size of the key directly, but
by using the rsa_*_key_prepare we benefit from any checks that
may be introduced in the future. Specifically any checks for invalid
public keys (e.g., keys that may crash the underlying gmp functions).
|
| | |
|
| |
|
|
|
| |
These are identical definitions, but according to syscall()
SYS_getrandom is the expected value.
|
| |
|
|
|
|
|
|
| |
- In _gnutls_name_constraints_intersect, if *_nc had a node of some type not present in _nc2, this was preserved. However, if it was vice versa (_nc2 having a type not present in *_nc), this node was discarded.
- This is now fixed.
- Removed redundant return value check that was accidentally left when refactoring from set_datum to explicit NULL setting.
Signed-off-by: Martin Ukrop <mukrop@redhat.com>
|
| |
|
|
| |
the list fit within the initially allocated memory.
|
| | |
|
| |
|
|
| |
certificates in the list fit within the initially allocated memory.
|
