| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|\
| |
| |
| |
| |
| |
| | |
Fix handling of malformed KeyUpdate messages
Closes #699
See merge request gnutls/gnutls!1005
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The limit was too small when testing the capability of handling
multiple KeyUpdate messages with tlsfuzzer.
This requires a change in the rate limit logic, as previously it
doesn't count the KeyUpdate messages despite the name of
KEY_UPDATES_PER_SEC.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
The function checks if a Handshake message is interleaved with an
Application Data, but the check was insuffient because it assumed that
a complete header is received in the buffer.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \
| | |
| | |
| | |
| | | |
priority: add new option to allow small records (>= 64)
See merge request gnutls/gnutls!1006
|
| | |
| | |
| | |
| | | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There is a mismatch in the lower limit of record sizes in RFC
8449 (64) and our default (512). If the server advertises a smaller
limit than our default, the client has no way to keep communicating
with the server.
This patch adds a new priority string option %ALLOW_SMALL_RECORDS to
set the limit to 64.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | | |
pubkey: remove deprecated OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA
Closes #754
See merge request gnutls/gnutls!1004
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The gnutls_certificate_verify_flags comparisons against
OLD_PUBKEY_VERIFY_FLAG_TLS1_RSA conflicts with
GNUTLS_VERIFY_DISABLE_CA_SIGN and no longer seems to be used in calls to
both gnutls_pubkey_verify_data2 and gnutls_pubkey_verify_hash2 as it
seems to have been fully replaced by GNUTLS_VERIFY_USE_TLS1_RSA.
Resolves: #754
Signed-off-by: Kenneth J. Miller <ken@miller.ec>
|
|\ \ \
| |_|/
|/| |
| | |
| | |
| | |
| | | |
server auth: disable TLS 1.3 if no signature algorithm is usable
Closes #731
See merge request gnutls/gnutls!987
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This implements the errata for RFC 7919 eliminating the requirement to
reply with an insufficient_security alert when we have negotiated an
FFDHE group, but cannot find common ciphersuite:
https://www.rfc-editor.org/errata/eid4908
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is a server side counterpart of
005a4d04145707daad9588acedfdb5f6cd97c80c.
Instead of signalling an error when no algorithm is usable in TLS 1.3,
it downgrades the session to TLS 1.2 with a warning.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \ \
| |_|/
|/| |
| | |
| | | |
Mark second argument of function gnutls_x509_crt_equals2 as const
See merge request gnutls/gnutls!1000
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This will allow using this function with certificates
returned by function gnutls_certificate_get_peers
without casts dropping const qualifier or
making temporary copies out of retrieved data.
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\ \ \
| |_|/
|/| |
| | |
| | |
| | |
| | | |
Few minor bug fixes for the next release
Closes #770 and #767
See merge request gnutls/gnutls!1003
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This change ensures that all certificates will contain the digital
signature key usage flag if that's specified in the template.
Resolves: #767
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It seems that the FUTURE security level parameter was added
without a corresponding verification profile. This patch address
the issue by introducing it.
Resolves: #770
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\ \ \
| |/ /
|/| |
| | |
| | |
| | |
| | | |
Apply STD3 ASCII rules in gnutls_idna_map()
Closes #720
See merge request gnutls/gnutls!1001
|
|/ /
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|\ \
| |/
|/|
| |
| | |
Tmp fix gcc4.4
See merge request gnutls/gnutls!996
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|/
|
|
|
|
| |
Gcc 4.4 errors out on this.
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|\
| |
| |
| |
| |
| |
| | |
Update gnulib for gcc-9 manywarnings
Closes #768
See merge request gnutls/gnutls!999
|
|/
|
|
| |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|\
| |
| |
| |
| |
| |
| | |
Check all memory allocation in examples and certtool
Closes #739
See merge request gnutls/gnutls!998
|
| |
| |
| |
| |
| |
| | |
Resolves: #739
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\ \
| |/
|/|
| |
| | |
Fix endless looping GETPORT in tests/scripts/common.sh
See merge request gnutls/gnutls!997
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|\ \
| | |
| | |
| | |
| | | |
ext/record_size_limit: distinguish sending and receiving limits
See merge request gnutls/gnutls!985
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The previous behavior was that both sending and receiving limits are
negotiated to be the same value. It was problematic when:
- client sends a record_size_limit with a large value in CH
- server sends a record_size_limit with a smaller value in EE
- client updates the limit for both sending and receiving, upon
receiving EE
- server sends a Certificate message larger than the limit
With this patch, each peer maintains the sending / receiving limits
separately so not to confuse with the contradicting settings.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \
| | |
| | |
| | |
| | | |
lib/nettle: fix carry flag in Streebog code
See merge request gnutls/gnutls!992
|
|/ /
| |
| |
| |
| |
| | |
Fix carry flag being calculated incorrectly in Streebog code.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|\ \
| | |
| | |
| | |
| | | |
tools: suppress ctime() error from lgtm warnings
See merge request gnutls/gnutls!994
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This function is not thread safe and can be easily misused
even in single threaded scenarios (one such minor bug fixed).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\ \ \
| |_|/
|/| |
| | |
| | |
| | |
| | | |
_gnutls_srp_entry_free: follow consistent behavior in freeing data
Closes #761
See merge request gnutls/gnutls!995
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
_gnutls_srp_entry_free would previously not free any parameters that
were known to gnutls to account for documented behavior of
gnutls_srp_set_server_credentials_function(). This was not updated
when the newly added 8192 parameter was added to the library.
This introduces a safety check for generator parameters, even though
in practice they are the same pointer.
Resolves: #761
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\ \
| |/
|/|
| |
| | |
guile: Properly format guile configure options
See merge request gnutls/gnutls!991
|
| |
| |
| |
| |
| |
| |
| | |
Without the square brackets autoconf turns hyphens into underscores,
which is not what we want or what the help says.
Signed-off-by: Daniel Schaefer <git@danielschaefer.me>
|
|\ \
| |/
|/|
| |
| |
| |
| | |
Add or clean header guards in lib/
Closes #728
See merge request gnutls/gnutls!954
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| |
| |
| |
| | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|