-rw-r--r--CONTRIBUTING.md12
-rw-r--r--cfg.mk19
-rw-r--r--lib/alert.c1
-rw-r--r--lib/errors.c6
-rw-r--r--lib/ext/server_name.c8
-rw-r--r--lib/includes/gnutls/gnutls.h.in1
-rw-r--r--lib/nettle/gost/nettle-write.h2
-rw-r--r--tests/cert_verify_inv_utf8.c2
-rw-r--r--tests/mini-server-name.c6
-rw-r--r--tests/set_key_utf8.c2
-rw-r--r--tests/set_x509_key_utf8.c2
11 files changed, 29 insertions, 32 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 482dded5d7..201efd133b 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -278,18 +278,16 @@ are always active.
# Gnulib
-The files at `gl/`, `src/gl/` and `lib/unistring` directories are part of
-gnulib project and are included mainly for systems which may miss functionality
-available in glibc and unistring libraries. These files are updated when new
-functionality is needed or bug fixes affecting gnutls are required.
+The directories `gl/`, `src/gl/` and `lib/unistring` contain gnulib files
+copied/created by `./bootstrap`. Gnulib is a portability source code library
+to handle API or behavior incompatibilities between target systems.
-They can be updated by the following make rule.
+To take advantage of the latest gnulib files, we have to update the
+`gnulib/` submodule from time to time:
```
$ make glimport
```
-That rule assumes that an updated gnulib is present at `../gnulib/`.
-
Note that the gnulib library in `gl/` is used by the GnuTLS library
and is kept separate from the gnulib used by the GnuTLS tools because
of license issues, and also to prevent any gnulib networking modules
diff --git a/cfg.mk b/cfg.mk
index 7402dc6e63..8f1470c992 100644
--- a/cfg.mk
+++ b/cfg.mk
@@ -23,7 +23,7 @@ ADDFLAGS ?=
CFGFLAGS ?= --enable-gtk-doc --enable-gtk-doc-pdf --enable-gtk-doc-html $(ADDFLAGS) $(WFLAGS)
PACKAGE ?= gnutls
-.PHONY: config
+.PHONY: config glimport
INDENT_SOURCES = `find . -name \*.[ch] -o -name gnutls.h.in | grep -v -e ^./build-aux/ -e ^./lib/minitasn1/ -e ^./lib/build-aux/ -e ^./gl/ -e ^./src/libopts/ -e -args.[ch] -e asn1_tab.c -e ^./tests/suite/`
@@ -72,19 +72,10 @@ config:
bootstrap: autoreconf .submodule.stamp
-UNISTRING_MODULES = "unistr/u8-check unistr/u8-to-u16 unistr/u8-to-u32 unistr/u32-to-u8 \
- unistr/u16-to-u8 uninorm/nfc uninorm/nfkc uninorm/u8-normalize uninorm/u16-normalize \
- uninorm/u32-normalize unictype/category-all unictype/property-not-a-character \
- unictype/property-default-ignorable-code-point unictype/property-join-control"
-
-unistringimport:
- ../gnulib/gnulib-tool --without-tests --libtool --macro-prefix=unistring --lgpl=3orGPLv2 --dir=. --local-dir=lib/unistring/override --lib=libunistring --without-tests --source-base=lib/unistring --m4-base=lib/unistring/m4 --doc-base=doc --aux-dir=build-aux --import $(UNISTRING_MODULES)
-
-# The only non-lgpl modules used are: gettime progname timespec. Those
-# are not used (and must not be used) in the library)
-glimport: unistringimport
- ../gnulib/gnulib-tool --dir=. --local-dir=gl/override --lib=libgnu --source-base=gl --m4-base=gl/m4 --doc-base=doc --tests-base=gl/tests --aux-dir=build-aux --lgpl=2 --add-import
- ../gnulib/gnulib-tool --dir=. --local-dir=src/gl/override --lib=libgnu_gpl --source-base=src/gl --m4-base=src/gl/m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --add-import
+glimport:
+ pushd gnulib && git checkout master && git pull && popd
+ echo "If everything looks well, commit the gnulib update with:"
+ echo " git commit -m "Update gnulib submodule" gnulib"
# Code Coverage
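Review bot: The last `echo` in the new `glimport` recipe nests double quotes, so the shell strips them and prints `git commit -m Update gnulib submodule gnulib`, which does not work when pasted back; use single quotes inside, `echo "  git commit -m 'Update gnulib submodule' gnulib"`. The first recipe line also relies on `pushd`/`popd`, which are bash builtins and fail when make runs recipes with a plain POSIX `/bin/sh` (no `SHELL` setting is visible in this hunk); `cd gnulib && git checkout master && git pull` on one recipe line does the same without them. Because the rule advances the submodule to whatever upstream master currently is, it would help to print the old and new submodule commits (for example with `git submodule status gnulib`) so the maintainer has something concrete to review before committing.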
diff --git a/lib/alert.c b/lib/alert.c
index 15f5183430..a2d1725e6b 100644
--- a/lib/alert.c
+++ b/lib/alert.c
@@ -224,6 +224,7 @@ int gnutls_error_to_alert(int err, int *level)
case GNUTLS_E_ILLEGAL_SRP_USERNAME:
case GNUTLS_E_PK_INVALID_PUBKEY:
case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM:
+ case GNUTLS_E_RECEIVED_DISALLOWED_NAME:
ret = GNUTLS_A_ILLEGAL_PARAMETER;
_level = GNUTLS_AL_FATAL;
break;
diff --git a/lib/errors.c b/lib/errors.c
index a1bdf9b873..520958b70c 100644
--- a/lib/errors.c
+++ b/lib/errors.c
@@ -206,6 +206,8 @@ static const gnutls_error_entry error_entries[] = {
ERROR_ENTRY(N_("An illegal parameter was found."),
GNUTLS_E_ILLEGAL_PARAMETER),
ERROR_ENTRY(N_("Error while reading file."), GNUTLS_E_FILE_ERROR),
+ ERROR_ENTRY(N_("A disallowed SNI server name has been received."),
+ GNUTLS_E_RECEIVED_DISALLOWED_NAME),
ERROR_ENTRY(N_("ASN1 parser: Element was not found."),
GNUTLS_E_ASN1_ELEMENT_NOT_FOUND),
@@ -462,14 +464,14 @@ static const gnutls_error_entry non_fatal_error_entries[] = {
*
* If a GnuTLS function returns a negative error code you may feed that
* value to this function to see if the error condition is fatal to
- * a TLS session (i.e., must be terminated).
+ * a TLS session (i.e., must be terminated).
*
* Note that you may also want to check the error code manually, since some
* non-fatal errors to the protocol (such as a warning alert or
* a rehandshake request) may be fatal for your program.
*
* This function is only useful if you are dealing with errors from
- * functions that relate to a TLS session (e.g., record layer or handshake
+ * functions that relate to a TLS session (e.g., record layer or handshake
* layer handling functions).
*
* Returns: Non-zero value on fatal errors or zero on non-fatal.
diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
index 1f9f3814f1..9c8c533490 100644
--- a/lib/ext/server_name.c
+++ b/lib/ext/server_name.c
@@ -105,8 +105,12 @@ _gnutls_server_name_recv_params(gnutls_session_t session,
DECR_LEN(data_size, len);
if (type == 0) { /* NAME_DNS */
- if (!_gnutls_dnsname_is_valid((char*)p, len))
- return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ if (!_gnutls_dnsname_is_valid((char*)p, len)) {
+ _gnutls_handshake_log
+ ("HSK[%p]: Server name is not acceptable: '%.*s'\n",
+ session, (int) len, p);
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_DISALLOWED_NAME);
+ }
name.data = (void*)p;
name.size = len;
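Review bot: The new `_gnutls_handshake_log` call prints the rejected server name with `%.*s`, and at that point the bytes are exactly the ones that just failed `_gnutls_dnsname_is_valid`, so they come unfiltered from the peer and may hold control characters, terminal escape sequences or newlines that forge log lines. An embedded NUL also cuts the printed name short, so the log can show a different name than the one that was received. Log the length or a hex/escaped rendering instead, e.g. `_gnutls_handshake_log("HSK[%p]: Server name is not acceptable (%u bytes)\n", session, (unsigned) len);`. The body of `_gnutls_server_name_recv_params` starts and continues outside this hunk.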
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 7e6a592447..8359fe2ea5 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -3141,6 +3141,7 @@ void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned flags);
#define GNUTLS_E_TOO_MANY_EMPTY_PACKETS -78
#define GNUTLS_E_UNKNOWN_PK_ALGORITHM -80
#define GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS -81
+#define GNUTLS_E_RECEIVED_DISALLOWED_NAME -82 /* GNUTLS_A_ILLEGAL_PARAMETER */
/* returned if you need to generate temporary RSA
* parameters. These are needed for export cipher suites.
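Review bot: `GNUTLS_E_RECEIVED_DISALLOWED_NAME` is a new public error code that replaces `GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER` for an existing failure (the test expectations in this commit change accordingly), yet none of the eleven files touched is a release-notes or API document, so applications that compare the handshake result against the old code get no notice of the change. Add a release-notes entry and make the define's comment say when the code is returned, e.g. `/* SNI name rejected by the server; maps to GNUTLS_A_ILLEGAL_PARAMETER */`. Whether -82 was previously unused cannot be confirmed from this hunk.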
diff --git a/lib/nettle/gost/nettle-write.h b/lib/nettle/gost/nettle-write.h
index c50c427200..ad645ef2ee 100644
--- a/lib/nettle/gost/nettle-write.h
+++ b/lib/nettle/gost/nettle-write.h
@@ -37,7 +37,7 @@
/* For size_t */
#include <stddef.h>
-#include <nettle/nettle-stdint.h>
+#include <stdint.h>
/* Write the word array at SRC to the byte array at DST, using little
endian (le) or big endian (be) byte order, and truncating the
diff --git a/tests/cert_verify_inv_utf8.c b/tests/cert_verify_inv_utf8.c
index 4afd52311d..095a55f3df 100644
--- a/tests/cert_verify_inv_utf8.c
+++ b/tests/cert_verify_inv_utf8.c
@@ -137,7 +137,7 @@ static void auto_parse(void)
test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", 0, 0);
test_cli_serv_vf(x509_cred, clicred, "NORMAL", "www.νίκοσ.com");
test_cli_serv_vf(x509_cred, clicred, "NORMAL", "www.νίκος.com");
- test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:www.νίκος.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+ test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:www.νίκος.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);
gnutls_certificate_free_credentials(x509_cred);
gnutls_certificate_free_credentials(clicred);
diff --git a/tests/mini-server-name.c b/tests/mini-server-name.c
index 0da27cc3e1..e18dcfc150 100644
--- a/tests/mini-server-name.c
+++ b/tests/mini-server-name.c
@@ -310,21 +310,21 @@ void doit(void)
start("tls1.2 test.example.com", PRIO_TLS12, 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"), 0);
start("tls1.2 longtest.example.com", PRIO_TLS12, 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"), 0);
/* test embedded NULL */
- start("tls1.2 embedded-NULL", PRIO_TLS12, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ start("tls1.2 embedded-NULL", PRIO_TLS12, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_DISALLOWED_NAME);
start("tls1.3 NULL", PRIO_TLS13, 0, NULL, 0, NULL, 0, 0);
start("tls1.3 empty", PRIO_TLS13, 0, "", 0, "", 0, 0);
start("tls1.3 test.example.com", PRIO_TLS13, 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"), 0);
start("tls1.3 longtest.example.com", PRIO_TLS13, 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"), 0);
/* test embedded NULL */
- start("tls1.3 embedded-NULL", PRIO_TLS13, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ start("tls1.3 embedded-NULL", PRIO_TLS13, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_DISALLOWED_NAME);
start("NULL", PRIO_NORMAL, 0, NULL, 0, NULL, 0, 0);
start("empty", PRIO_NORMAL, 0, "", 0, "", 0, 0);
start("test.example.com", PRIO_NORMAL, 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"), 0);
start("longtest.example.com", PRIO_NORMAL, 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"), 0);
/* test embedded NULL */
- start("embedded-NULL", PRIO_NORMAL, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ start("embedded-NULL", PRIO_NORMAL, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_DISALLOWED_NAME);
}
#endif /* _WIN32 */
diff --git a/tests/set_key_utf8.c b/tests/set_key_utf8.c
index 7a02e45618..81d5ef2c05 100644
--- a/tests/set_key_utf8.c
+++ b/tests/set_key_utf8.c
@@ -140,7 +140,7 @@ static void auto_parse(void)
/* the raw DNS should result to verification failure as the advertized name should
* not be considered and the first cert should be provided */
- test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+ test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);
gnutls_certificate_free_credentials(x509_cred);
gnutls_certificate_free_credentials(clicred);
diff --git a/tests/set_x509_key_utf8.c b/tests/set_x509_key_utf8.c
index 7cc5b99ea8..7753c7f4c9 100644
--- a/tests/set_x509_key_utf8.c
+++ b/tests/set_x509_key_utf8.c
@@ -177,7 +177,7 @@ void doit(void)
test_cli_serv(x509_cred, clicred, "NORMAL", "简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */
test_cli_serv(x509_cred, clicred, "NORMAL", "xn--fiqu1az03c18t.xn--mxah1amo.com", NULL, NULL, NULL); /* its IDNA equivalent */
- test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+ test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);
gnutls_certificate_free_credentials(x509_cred);
gnutls_certificate_free_credentials(clicred);