Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Fix build of system/keys-win.c with older mingw | Nikos Mavrogiannopoulos | 2016-10-04 | 1 | -1/+28 |
| | | | | Patch by Eli Zaretskii <eliz@gnu> | ||||
* | aarch64: added optimized AES-CCM mode | Nikos Mavrogiannopoulos | 2016-10-03 | 4 | -2/+171 |
| | |||||
* | Imported Andy Polyakov's implementation of AES-GCM in aarch64 | Nikos Mavrogiannopoulos | 2016-10-03 | 4 | -67/+459 |
| | |||||
* | Imported Andy Polyakov's implementation of AES in aarch64 | Nikos Mavrogiannopoulos | 2016-10-03 | 6 | -2/+1166 |
| | |||||
* | Added HMAC-SHA* optimizations for aarch64 | Nikos Mavrogiannopoulos | 2016-10-03 | 4 | -1/+332 |
| | |||||
* | Imported Andy Polyakov's implementations for SHA* in aarch64 | Nikos Mavrogiannopoulos | 2016-10-03 | 11 | -2/+4187 |
| | |||||
* | fix zero-termination in _gnutls_server_name_set_raw() for large server names | Nikos Mavrogiannopoulos | 2016-10-03 | 2 | -4/+7 |
| | |||||
* | _gnutls_check_id_for_change: added check for NULL username | Nikos Mavrogiannopoulos | 2016-10-03 | 1 | -1/+4 |
| | | | | | This is not required, but may prevent from issues if code-reorganizations which may set a NULL username, occur. | ||||
* | gnutls_*_crt_print: better error checking | Nikos Mavrogiannopoulos | 2016-10-03 | 2 | -2/+10 |
| | |||||
* | pkcs11: improved debugging output in pkcs11_login | Nikos Mavrogiannopoulos | 2016-10-03 | 1 | -1/+1 |
| | |||||
* | name constraints: removed unused variable | Nikos Mavrogiannopoulos | 2016-10-03 | 1 | -2/+0 |
| | |||||
* | Removed C99 constructions in for-loops | Nikos Mavrogiannopoulos | 2016-09-27 | 3 | -5/+13 |
| | | | | | These constructions although valid for C99 they are being rejected by various compilers. Get rid of them. | ||||
* | pkcs11: forbid PKCS#11 extensions to be used in other than trust modules | Nikos Mavrogiannopoulos | 2016-09-27 | 4 | -30/+50 |
| | | | | | | That is, only use the CKA_X_DISTRUSTED and the extension override in p11-kit trust modules, to avoid conflicts with potentially other PKCS#11 extensions. | ||||
* | pkcs11: introduced flag GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED | Nikos Mavrogiannopoulos | 2016-09-26 | 3 | -2/+30 |
| | | | | | This allows to mark objects as distrusted, as well as to be able to list distrusted objects. | ||||
* | pkcs11: only staple extensions from a trust module when they are from a ↵ | Nikos Mavrogiannopoulos | 2016-09-26 | 2 | -5/+14 |
| | | | | | | | | | | non-distrusted certificate That is, make sure that the API for stapling extensions is only used for non-distrusted (blacklisted) certificates. The reason is to avoid duplicate extension entries from the p11-kit trust database. These come from blacklisted certificates, and we have no reason to support stapled extensions with blacklisted certificates. | ||||
* | gnutls_oid_to_ecc_curve: fix null pointer dereference | Nikos Mavrogiannopoulos | 2016-09-26 | 1 | -1/+1 |
| | | | | | | This addresses issue where an unknown curve would cause a null pointer dereference. This was introduced with the addition of X25519. Reported by Theofilos Petsios. | ||||
* | Only send the status request extension on cert authentication | Nikos Mavrogiannopoulos | 2016-09-23 | 1 | -0/+5 |
| | | | | | That is, do not both asking for it, or replying to it, if we are not using any certificates. | ||||
* | doc: gnutls_priority_init: fixed %COMPAT [ci skip] | Nikos Mavrogiannopoulos | 2016-09-22 | 1 | -2/+2 |
| | |||||
* | On client side allow signing with the signature algorithm of our cert | Nikos Mavrogiannopoulos | 2016-09-22 | 3 | -6/+12 |
| | | | | | | | That allows to sign for example with DSA-SHA1 as client even if we do not allow DSA-SHA1 as signature algorithm for server's certificate. This allows to use a deprecated certificate without enabling deprecated algorithms globally. | ||||
* | _gnutls_session_get_sign_algo: always return GNUTLS_SIGN_UNKNOWN on failure | Nikos Mavrogiannopoulos | 2016-09-22 | 1 | -1/+1 |
| | |||||
* | added debugging message when session fails due to handshake hash buffer | Nikos Mavrogiannopoulos | 2016-09-19 | 1 | -2/+4 |
| | |||||
* | Do not allow sending overflowed extensions field | Nikos Mavrogiannopoulos | 2016-09-19 | 1 | -0/+3 |
| | | | | That is, restrict the extensions to a 2^16 total size. | ||||
* | Increased the maximum size allowed for handshake messages to 128kb | Nikos Mavrogiannopoulos | 2016-09-19 | 2 | -2/+5 |
| | | | | | This would allow the library to cope with larger packets, as well as TLS 1.3 hellos. Suggested by Hubert Kario. | ||||
* | Introduced separate error codes for invalid private and public keys | Nikos Mavrogiannopoulos | 2016-09-17 | 3 | -16/+16 |
| | | | | | | This allows functions like decryption and verification to report the specific issue they encountered on public key error. The new codes are GNUTLS_E_PK_INVALID_PUBKEY and GNUTLS_E_PK_INVALID_PRIVKEY | ||||
* | gnutls_certificate_set_ocsp_status_request_file: mention version it was enhanced | Nikos Mavrogiannopoulos | 2016-09-13 | 1 | -0/+3 |
| | |||||
* | openssl asm: reverted to AESNI-x86 code to gnutls 3.4.x code | Nikos Mavrogiannopoulos | 2016-09-13 | 3 | -2193/+1283 |
| | | | | The newer code was creating position dependent code. | ||||
* | Added IDNA support in server side | Nikos Mavrogiannopoulos | 2016-09-12 | 1 | -4/+24 |
| | | | | | | Any server names provided to server side by the gnutls_certificate_set_* functions, are converted to IDNA format for comparison with client provided values. | ||||
* | gnutls_certificate_set_*key: ensure proper cleanup on key mismatch failures | Nikos Mavrogiannopoulos | 2016-09-12 | 1 | -2/+11 |
| | | | | | That is, ensure that we keep no local references that are shared with the caller, and that we properly free all initialized values. | ||||
* | Added gnutls_certificate_set_ocsp_status_request_function2 | Nikos Mavrogiannopoulos | 2016-09-12 | 8 | -77/+156 |
| | | | | | | | | | | | That introduces a new function to allow setting an OCSP status request handling function per certificate. Furthermore it repurposes the flag parameters to an index option on gnutls_certificate_set_ocsp_status_request_file. The changes above allow setting a different OCSP status response file per certificate, and a different function. The indexes they rely on to associate with existing certs are the indexes returned by the gnutls_certificate_set_key() and friends functions. | ||||
* | All the key and chain set functions return an index | Nikos Mavrogiannopoulos | 2016-09-12 | 2 | -20/+29 |
| | | | | | | | When setting key and certificate material to a gnutls_certificate_credentials_t structure, the corresponding set functions will return an index. That index could be used later either on the get functions, or when setting corresponding data (e.g., an OCSP response). | ||||
* | doc: clarifications in gnutls_certificate_set_ocsp_status_request_function() | Nikos Mavrogiannopoulos | 2016-09-12 | 1 | -4/+3 |
| | |||||
* | Typo fixes found by lintian. | Andreas Metzler | 2016-09-12 | 1 | -1/+1 |
| | | | | incosistent, ommited | ||||
* | several spacing fixes to keep syntax-check happy | Nikos Mavrogiannopoulos | 2016-09-11 | 96 | -1381/+1546 |
| | |||||
* | avoid the usage of strncpy | Nikos Mavrogiannopoulos | 2016-09-11 | 1 | -1/+1 |
| | |||||
* | gnutls_x509_cidr_to_rfc5280: removed double semi-colon | Nikos Mavrogiannopoulos | 2016-09-11 | 1 | -1/+1 |
| | |||||
* | removed c-ctype.h from files that wasn't used at | Nikos Mavrogiannopoulos | 2016-09-11 | 9 | -9/+0 |
| | |||||
* | removed assert.h from files that wasn't used at | Nikos Mavrogiannopoulos | 2016-09-11 | 3 | -3/+0 |
| | |||||
* | inet_ntop4: casted signed/unsigned comparisonminor-cleanups | Nikos Mavrogiannopoulos | 2016-09-10 | 1 | -1/+1 |
| | |||||
* | system.h: undefine macros before defining them | Nikos Mavrogiannopoulos | 2016-09-10 | 1 | -0/+3 |
| | |||||
* | _gnutls_fbase64_decode: use memsub macro instead of casts | Nikos Mavrogiannopoulos | 2016-09-10 | 1 | -3/+3 |
| | |||||
* | doc update | Nikos Mavrogiannopoulos | 2016-09-07 | 1 | -2/+2 |
| | |||||
* | _gnutls_ucs2_to_utf8: corrected use of WideCharToMultiByte in windows | Nikos Mavrogiannopoulos | 2016-09-07 | 1 | -2/+3 |
| | |||||
* | libgnutls.map: export _gnutls_utf8_to_ucs2 and _gnutls_ucs2_to_utf8 for testing | Nikos Mavrogiannopoulos | 2016-09-06 | 1 | -0/+3 |
| | |||||
* | pkcs12: enhanced to allow encrypting using UCS2 passwords | Nikos Mavrogiannopoulos | 2016-09-06 | 1 | -40/+42 |
| | | | | | That is use _gnutls_utf8_to_ucs2() to convert the provided password to UCS2. | ||||
* | _gnutls_ucs2_to_utf8: fixed null termination check in windows code | Nikos Mavrogiannopoulos | 2016-09-06 | 1 | -1/+1 |
| | |||||
* | Added _gnutls_utf8_to_ucs2() | Nikos Mavrogiannopoulos | 2016-09-06 | 2 | -1/+153 |
| | | | | This function allows to convert between UTF8 to UCS2 big-endian. | ||||
* | pkcs7 encryption: corrected memory leaks | Nikos Mavrogiannopoulos | 2016-09-06 | 1 | -2/+2 |
| | |||||
* | x509: Adjust IP name constraints behavior | Martin Ukrop | 2016-09-06 | 1 | -40/+18 |
| | | | | | | | - Modified IPv4/IPv6 interaction in name constraints -- IPv4 and IPv6 no have empty intersection (previously: were treated independently). - Current behavior is more conservative -- in case of IPv4 constraint cert, subcerts will not be able to have IPv6 addresses. - Tests updated accordingly. - Behavior now matches NSS. | ||||
* | minitasn1: updated to latest git version | Nikos Mavrogiannopoulos | 2016-09-05 | 2 | -8/+8 |
| | |||||
* | _gnutls_encode_ber_rs_raw: simplified | Nikos Mavrogiannopoulos | 2016-09-05 | 1 | -15/+10 |
| | | | | That is, use a single allocation for temporary data. |