| Commit message (Collapse) | Author | Age | Files | Lines |
|
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
Fixes two issues with gnutls-cli --starttls-proto=xmpp:
1. Print 'Timeout' on timeout instead of random errno message
2. Do not wait for linefeed when using XMPP (XML)
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
Fix issues in record_size_limit extension handling
See merge request gnutls/gnutls!879
|
The record_size_limit extension can also be specified by the server to
indicate the maximum plaintext. Also add test cases for asymmetric
settings between server and client.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
In TLS 1.3, the protocol maximum of plaintext size is 2^14+1, while
it is 2^14 in TLS 1.2. To accommodate that, this introduces the
following invariant:
- when the maximum is set by the user with
gnutls_record_set_max_size(), store it as is. The value range is
[511, 16834].
- when the maximum is negotiated through record_size_limit extension,
it can be [512, 16385]. In TLS 1.3, subtract by 1 to fit in [511,
16384].
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
There is a check in _gnutls_recv_in_buffers already, but for TLS 1.3 we
need to take account of the padding.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
As documented in gnutls_int.h, max_record_send_size is for tracking
the user-supplied maximum, while max_record_recv_size for the
protocol negotiated maximum.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
Otherwise, the connection will be disconnected by the client, as
suggested in RFC: A client MUST treat receipt of both
"max_fragment_length" and "record_size_limit" as a fatal error, and it
SHOULD generate an "illegal_parameter" alert.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
The extension is assigned the internal ID 0.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
tests: wrap ADD_SYSCALL for getrandom in test for SYS_getrandom
Closes #703
See merge request gnutls/gnutls!926
|
Signed-off-by: R. Andrew Bailey <bailey@akamai.com>
|
bootstrap.conf: do not override GNULIB_SRCDIR
See merge request gnutls/gnutls!925
|
This was not set in all of our CI platforms, and was causing
issues in MacOSX.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
x509: corrected issue in the algorithm parameters comparison
Closes #698
See merge request gnutls/gnutls!921
|
Each certificate has two fields to set the signature algorithm
and parameters used for the digital signature. One of the fields is
authenticated and the other is not. It is required from RFC5280 to
enforce the equality of these fields, but currently due to an issue
we wouldn't enforce the equality of the parameters fields. This
fix corrects the issue.
We also move an RSA-PSS certificate in chainverify that was relying
on invalid parameters, to this set of invalid certificates.
Resolves: #698
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
Fix uninitialized warning in pkcs11.c
See merge request gnutls/gnutls!906
|
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
Fix 32bit overflow issue in src/serv-args.def
Closes #700
See merge request gnutls/gnutls!922
|
Fixing this warning seen on 32bit architectures:
serv-args.c: In function 'doOptMaxearlydata':
serv-args.c:1431:14: warning: overflow in conversion from 'long long int' to 'long int' changes value from '4294967296' to '0' [-Woverflow]
{ 1, 4294967296 } };
^~~~~~~~~~
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
Remove typedef'ing ssize_t in gnutls.h
Closes #688
See merge request gnutls/gnutls!916
|
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
Use inet_pton() from gnulib
See merge request gnutls/gnutls!913
|
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
.triage-policies.yml: added [ci skip]
See merge request gnutls/gnutls!908
|
This adds a set of policies regarding issues and merge requests
to be enforced by the gitlab-triage bot. That is:
- Issues without any label for more than a month are marked
with needs attention label
- Issues with needinfo label are closed if they are not updated
within a month
- Merge requests marked as WIP with no update within 5 months
are closed.
These rules are not enforced automatically; we have to schedule
a run of the gitlab-triage bot.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
bootstrap: refuse to bootstrap if any new dependencies bring gnulib's network stack
See merge request gnutls/gnutls!919
|
If gnulib's network stack is brought (due to a dependency) in the library
it will make the library unusable to non-gnulib using applications. This
prevents Windows applications for example to use gnutls, and so on. Even
more it is quite hard to catch that issue because our testsuite uses
gnulib as well. Instead we try to catch these modules at import time.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
When negotiating TLS1.3 enforce certificate key usage
Closes #690
See merge request gnutls/gnutls!902
|
The API could return 0 or 1 matching certificates. The case of zero
can only happen in client side.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
That is, we require a signing certificate when negotiating
TLS1.3, or when sending a client certificate (on all cases).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
This only takes into account certificates in the credentials structure.
If certificates are provided in a callback, these must be checked by
the provider. For that we assume that the credentials structure is
filled when associated with a session; if not then the fallback mechanism
will not work and the handshake will fail.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
That is, we require a signing certificate when negotiating
TLS1.3, or when sending a client certificate (on all cases).
Before we would not perform any checks under TLS1.3 or when client
certificates are sent, assuming that the certificates used will always
be signing ones. However if the user sets up incorrectly a decryption
certificate we would use it for signing. This fix makes sure that an
error is returned early when these scenarios are detected.
Resolves: #690
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
Use inet_ntop() from gnulib
See merge request gnutls/gnutls!912
|
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
build: pass NETTLE_LIBS together with HOGWEED_LIBS
See merge request gnutls/gnutls!903
|
libhogweed might depend on exact non-system-wide nettle, so let's pass
NETTLE_LIBS flags together when using HOGWEED_LIBS.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
build: do not generate mech-list.h if p11-kit is not available
See merge request gnutls/gnutls!904
|
Compiling GnuTLS with no p11-kit installed will result in a series of
warnings during build time because mech-list.h will be generated even if
pkcs11 tool compilation is disabled. Move mech-list.h generation to
happen only if pkcs11 is enabled, thus removing these warnings.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
Amend error code when SNI name is not accepted
Closes #683
See merge request gnutls/gnutls!891
|
An illegal/disallowed SNI server name previously generated
the misleading message "An illegal parameter has been received.".
This commit changes it to
"A disallowed SNI server name has been received.".
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
lib/nettle: replace nettle-stdint.h with just stdint.h
See merge request gnutls/gnutls!901
|
Nettle library is going to drop nettle-stdint.h. Replace this include
with just <stdint.h>.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
Fix 'make glimport' and update CONTRIBUTING.md
See merge request gnutls/gnutls!900
|
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|