summaryrefslogtreecommitdiff
path: root/lib
Commit message (Collapse)AuthorAgeFilesLines
* Fix build of system/keys-win.c with older mingwNikos Mavrogiannopoulos2016-10-041-1/+28
| | | | Patch by Eli Zaretskii <eliz@gnu>
* aarch64: added optimized AES-CCM modeNikos Mavrogiannopoulos2016-10-034-2/+171
|
* Imported Andy Polyakov's implementation of AES-GCM in aarch64Nikos Mavrogiannopoulos2016-10-034-67/+459
|
* Imported Andy Polyakov's implementation of AES in aarch64Nikos Mavrogiannopoulos2016-10-036-2/+1166
|
* Added HMAC-SHA* optimizations for aarch64Nikos Mavrogiannopoulos2016-10-034-1/+332
|
* Imported Andy Polyakov's implementations for SHA* in aarch64Nikos Mavrogiannopoulos2016-10-0311-2/+4187
|
* fix zero-termination in _gnutls_server_name_set_raw() for large server namesNikos Mavrogiannopoulos2016-10-032-4/+7
|
* _gnutls_check_id_for_change: added check for NULL usernameNikos Mavrogiannopoulos2016-10-031-1/+4
| | | | | This is not required, but may prevent from issues if code-reorganizations which may set a NULL username, occur.
* gnutls_*_crt_print: better error checkingNikos Mavrogiannopoulos2016-10-032-2/+10
|
* pkcs11: improved debugging output in pkcs11_loginNikos Mavrogiannopoulos2016-10-031-1/+1
|
* name constraints: removed unused variableNikos Mavrogiannopoulos2016-10-031-2/+0
|
* Removed C99 constructions in for-loopsNikos Mavrogiannopoulos2016-09-273-5/+13
| | | | | These constructions although valid for C99 they are being rejected by various compilers. Get rid of them.
* pkcs11: forbid PKCS#11 extensions to be used in other than trust modulesNikos Mavrogiannopoulos2016-09-274-30/+50
| | | | | | That is, only use the CKA_X_DISTRUSTED and the extension override in p11-kit trust modules, to avoid conflicts with potentially other PKCS#11 extensions.
* pkcs11: introduced flag GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTEDNikos Mavrogiannopoulos2016-09-263-2/+30
| | | | | This allows to mark objects as distrusted, as well as to be able to list distrusted objects.
* pkcs11: only staple extensions from a trust module when they are from a ↵Nikos Mavrogiannopoulos2016-09-262-5/+14
| | | | | | | | | | non-distrusted certificate That is, make sure that the API for stapling extensions is only used for non-distrusted (blacklisted) certificates. The reason is to avoid duplicate extension entries from the p11-kit trust database. These come from blacklisted certificates, and we have no reason to support stapled extensions with blacklisted certificates.
* gnutls_oid_to_ecc_curve: fix null pointer dereferenceNikos Mavrogiannopoulos2016-09-261-1/+1
| | | | | | This addresses issue where an unknown curve would cause a null pointer dereference. This was introduced with the addition of X25519. Reported by Theofilos Petsios.
* Only send the status request extension on cert authenticationNikos Mavrogiannopoulos2016-09-231-0/+5
| | | | | That is, do not both asking for it, or replying to it, if we are not using any certificates.
* doc: gnutls_priority_init: fixed %COMPAT [ci skip]Nikos Mavrogiannopoulos2016-09-221-2/+2
|
* On client side allow signing with the signature algorithm of our certNikos Mavrogiannopoulos2016-09-223-6/+12
| | | | | | | That allows to sign for example with DSA-SHA1 as client even if we do not allow DSA-SHA1 as signature algorithm for server's certificate. This allows to use a deprecated certificate without enabling deprecated algorithms globally.
* _gnutls_session_get_sign_algo: always return GNUTLS_SIGN_UNKNOWN on failureNikos Mavrogiannopoulos2016-09-221-1/+1
|
* added debugging message when session fails due to handshake hash bufferNikos Mavrogiannopoulos2016-09-191-2/+4
|
* Do not allow sending overflowed extensions fieldNikos Mavrogiannopoulos2016-09-191-0/+3
| | | | That is, restrict the extensions to a 2^16 total size.
* Increased the maximum size allowed for handshake messages to 128kbNikos Mavrogiannopoulos2016-09-192-2/+5
| | | | | This would allow the library to cope with larger packets, as well as TLS 1.3 hellos. Suggested by Hubert Kario.
* Introduced separate error codes for invalid private and public keysNikos Mavrogiannopoulos2016-09-173-16/+16
| | | | | | This allows functions like decryption and verification to report the specific issue they encountered on public key error. The new codes are GNUTLS_E_PK_INVALID_PUBKEY and GNUTLS_E_PK_INVALID_PRIVKEY
* gnutls_certificate_set_ocsp_status_request_file: mention version it was enhancedNikos Mavrogiannopoulos2016-09-131-0/+3
|
* openssl asm: reverted to AESNI-x86 code to gnutls 3.4.x codeNikos Mavrogiannopoulos2016-09-133-2193/+1283
| | | | The newer code was creating position dependent code.
* Added IDNA support in server sideNikos Mavrogiannopoulos2016-09-121-4/+24
| | | | | | Any server names provided to server side by the gnutls_certificate_set_* functions, are converted to IDNA format for comparison with client provided values.
* gnutls_certificate_set_*key: ensure proper cleanup on key mismatch failuresNikos Mavrogiannopoulos2016-09-121-2/+11
| | | | | That is, ensure that we keep no local references that are shared with the caller, and that we properly free all initialized values.
* Added gnutls_certificate_set_ocsp_status_request_function2Nikos Mavrogiannopoulos2016-09-128-77/+156
| | | | | | | | | | | That introduces a new function to allow setting an OCSP status request handling function per certificate. Furthermore it repurposes the flag parameters to an index option on gnutls_certificate_set_ocsp_status_request_file. The changes above allow setting a different OCSP status response file per certificate, and a different function. The indexes they rely on to associate with existing certs are the indexes returned by the gnutls_certificate_set_key() and friends functions.
* All the key and chain set functions return an indexNikos Mavrogiannopoulos2016-09-122-20/+29
| | | | | | | When setting key and certificate material to a gnutls_certificate_credentials_t structure, the corresponding set functions will return an index. That index could be used later either on the get functions, or when setting corresponding data (e.g., an OCSP response).
* doc: clarifications in gnutls_certificate_set_ocsp_status_request_function()Nikos Mavrogiannopoulos2016-09-121-4/+3
|
* Typo fixes found by lintian.Andreas Metzler2016-09-121-1/+1
| | | | incosistent, ommited
* several spacing fixes to keep syntax-check happyNikos Mavrogiannopoulos2016-09-1196-1381/+1546
|
* avoid the usage of strncpyNikos Mavrogiannopoulos2016-09-111-1/+1
|
* gnutls_x509_cidr_to_rfc5280: removed double semi-colonNikos Mavrogiannopoulos2016-09-111-1/+1
|
* removed c-ctype.h from files that wasn't used atNikos Mavrogiannopoulos2016-09-119-9/+0
|
* removed assert.h from files that wasn't used atNikos Mavrogiannopoulos2016-09-113-3/+0
|
* inet_ntop4: casted signed/unsigned comparisonminor-cleanupsNikos Mavrogiannopoulos2016-09-101-1/+1
|
* system.h: undefine macros before defining themNikos Mavrogiannopoulos2016-09-101-0/+3
|
* _gnutls_fbase64_decode: use memsub macro instead of castsNikos Mavrogiannopoulos2016-09-101-3/+3
|
* doc updateNikos Mavrogiannopoulos2016-09-071-2/+2
|
* _gnutls_ucs2_to_utf8: corrected use of WideCharToMultiByte in windowsNikos Mavrogiannopoulos2016-09-071-2/+3
|
* libgnutls.map: export _gnutls_utf8_to_ucs2 and _gnutls_ucs2_to_utf8 for testingNikos Mavrogiannopoulos2016-09-061-0/+3
|
* pkcs12: enhanced to allow encrypting using UCS2 passwordsNikos Mavrogiannopoulos2016-09-061-40/+42
| | | | | That is use _gnutls_utf8_to_ucs2() to convert the provided password to UCS2.
* _gnutls_ucs2_to_utf8: fixed null termination check in windows codeNikos Mavrogiannopoulos2016-09-061-1/+1
|
* Added _gnutls_utf8_to_ucs2()Nikos Mavrogiannopoulos2016-09-062-1/+153
| | | | This function allows to convert between UTF8 to UCS2 big-endian.
* pkcs7 encryption: corrected memory leaksNikos Mavrogiannopoulos2016-09-061-2/+2
|
* x509: Adjust IP name constraints behaviorMartin Ukrop2016-09-061-40/+18
| | | | | | | - Modified IPv4/IPv6 interaction in name constraints -- IPv4 and IPv6 no have empty intersection (previously: were treated independently). - Current behavior is more conservative -- in case of IPv4 constraint cert, subcerts will not be able to have IPv6 addresses. - Tests updated accordingly. - Behavior now matches NSS.
* minitasn1: updated to latest git versionNikos Mavrogiannopoulos2016-09-052-8/+8
|
* _gnutls_encode_ber_rs_raw: simplifiedNikos Mavrogiannopoulos2016-09-051-15/+10
| | | | That is, use a single allocation for temporary data.
View Lorry Controller Status