| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\
| |
| |
| |
| | |
tls13/psk_ext_parser: simplify the iterator interface
See merge request gnutls/gnutls!736
|
| |
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously we used a pattern like this:
uint32_t obfuscated_ticket_age, ticket_age_add;
time_t ticket_age;
ticket_age = obfuscated_ticket_age - ticket_age_add;
if (ticket_age < 0) {
...
}
This always evaluates to false, because subtraction between unsigned
integers yields an unsigned integer. Let's do the comparison before
subtraction and also use correct types for representing time: uint32_t
for protocol time and time_t for system time.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|/
|
|
|
|
|
|
| |
Previously it was unclear whether psk_ext_parser_st is stateful or
not. This change introduces the simpler API to iterate over the
immutable data (psk_ext_parser_st), following the iterator pattern.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| | |
Remove --no-git from ./bootstrap
See merge request gnutls/gnutls!739
|
|/
|
|
|
|
|
|
| |
This removes the --no-git option as bootstrap itself does not use
the remote repository for cloning. At least as long $GNULIB_SRCDIR
points to a recent enough local gnulib git repo.
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|\
| |
| |
| |
| |
| |
| | |
Update library to use the final RFC8446 version numbers
Closes #542 and #359
See merge request gnutls/gnutls!730
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously we could end-up with a TLS1.3 connection if the TLS1.3
ID was seen on the wire. We now explicitly fallback to TLS1.2
when we see a protocol with TLS1.3 semantics in an SSL2.0 or
in the legacy version of the client hello.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| |
| |
| | |
Relates #542
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| |
| |
| | |
Resolves #359
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|/
|
|
|
|
|
|
| |
This adds support of the final RFC numbers.
Resolves #542
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\
| |
| |
| |
| | |
RFC7250 certificate type negotiation
See merge request gnutls/gnutls!498
|
|/
|
|
| |
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
|\
| |
| |
| |
| |
| |
| | |
record_size_limit extension
Closes #524
See merge request gnutls/gnutls!733
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This implements the record_size_limit extension as defined in RFC 8449.
Although it obsoletes the max_record_size extension, for compatibility
reasons GnuTLS still sends it on certain occasions. For example, when
the new size is representable as the codepoint defined for
max_record_size.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|/
|
|
|
|
|
|
| |
As the extension data is always stored in
session->security_parameters.max_record_send_size, it shouldn't be
necessary to track it with the private data.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\
| |
| |
| |
| |
| |
| | |
Fix gnutls_session_resumption_requested
Closes #546
See merge request gnutls/gnutls!735
|
|/
|
|
|
|
|
|
|
| |
This makes gnutls_session_resumption_requested() functional under
TLS1.3 and introduces a unit test of the function.
Resolves #546
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| |
| |
| | |
.gitlab-ci.yml: use --no-git to bootstrap
Closes #547
See merge request gnutls/gnutls!737
|
|/
|
|
|
|
|
|
|
| |
That is, to reduce CI time, and avoid failures due to
non-availability of the gnulib git repo.
Resolves #547
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This mirror is updated hourly and is hosted on gitlab, meaning
less dependency on external sites downtime.
Resolves: #547
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| | |
Fix two typos (overriden/guarranteed)
See merge request gnutls/gnutls!734
|
|/
|
|
| |
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
|
|\
| |
| |
| |
| | |
doc: document the non-portability of NONE priority string
See merge request gnutls/gnutls!731
|
|/
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\
| |
| |
| |
| |
| |
| | |
Fixes for issues identified by static analyzers
Closes #518
See merge request gnutls/gnutls!729
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
| |
This addresses issue with travis compilation on MacOSX.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\
| |
| |
| |
| |
| |
| | |
gnutls_memset: use explicit_bzero
Closes #230
See merge request gnutls/gnutls!728
|
|/
|
|
|
|
|
|
|
| |
That is, use the glibc function when available and the second
parameter is zero.
Resolves #230
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| |
| |
| | |
use a consistent method to mark fall-through in switch cases
Closes #306
See merge request gnutls/gnutls!726
|
|/
|
|
|
|
|
|
| |
Also document that method in contribution guide.
Resolves #306
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\
| |
| |
| |
| |
| |
| | |
tlsfuzzer: update to the latest version to enable more TLS 1.3 tests
Closes #537
See merge request gnutls/gnutls!727
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously, if server is configured without PSK credentials and the
client authenticated with PSK, the server crashed with:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b190ba in server_recv_params (session=0x636fc0, data=0x634e6e "",
len=46, pskcred=0x0) at pre_shared_key.c:523
523 prf = pskcred->binder_algo;
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Also enable test-tls13-ffdhe-sanity.py,
test-tls13-session-resumption.py, and
test-tls13-unrecognised-groups.py.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously, when server received a ClientHello that does include only
groups from unassigned ranges in supported_groups, it aborted the
connection with an illegal_parameter.
Resolves #537
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|/
|
|
| |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\
| |
| |
| |
| |
| |
| | |
Corrected the importing of ECDSA public keys
Closes #538
See merge request gnutls/gnutls!725
|
|/
|
|
|
|
|
|
|
|
|
|
| |
This seems to be a regression since EdDSA support. The call to
_gnutls_x509_get_pk_algorithm() in public key import was unnecessary
and in fact it was overriding the available curve with a curve associated
with the OID. As the ECDSA OID doesn't include the curve, that had the
result of deleting the already read curve.
Resolves #538
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
That is, when we respond to a Hello Retry Request as client, we put
the TLS1.2 version on the second client hello to send a hello that is
as close as possible to the original hello. That effectively separates
the handling of TLS1.2 rehandshake and TLS1.3 hello retry request
when sending a client hello.
Resolves #535
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|