path: root/lib/alert.c
Commit message | Author | Age | Files | Lines

* lib: use casts and be explicit on intentional enumeration use | Nikos Mavrogiannopoulos | 2017-08-18 | 1 | -4/+4
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* TLS: introduced support for RFC7919 groups | Nikos Mavrogiannopoulos | 2017-08-01 | 1 | -0/+1
  That replaces the EC curve extension negotiation with the negotiated groups extensions, introduces handling for groups as priority strings, as well as using and checking of RFC7919 DH parameters once negotiated.
  Resolves: #37
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: return better error code on unwanted algorithm | Nikos Mavrogiannopoulos | 2017-07-17 | 1 | -0/+1
  That is, when a signature algorithm is available which was not asked by the peer, then return GNUTLS_E_UNWANTED_ALGORITHM instead of the UNKNOWN_ALGORITHM.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* alert: map GNUTLS_E_PK_SIG_VERIFY_FAILED to GNUTLS_A_DECRYPT_ERROR | Nikos Mavrogiannopoulos | 2017-05-29 | 1 | -1/+4
  This makes server respond with GNUTLS_A_DECRYPT_ERROR on malformed signatures, which is the expected behavior. Hinted by Hubert Kario.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* alert: return GNUTLS_A_BAD_CERTIFICATE on GNUTLS_E_PK_SIG_VERIFY_FAILED | Nikos Mavrogiannopoulos | 2017-03-28 | 1 | -0/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* alert: GNUTLS_E_NO_CERTIFICATE_FOUND maps to GNUTLS_A_DECODE_ERROR | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -1/+1
  This is the closest to use alert when no certificate is found; at least it is closer according to tlsfuzzer and rfc5246 text on insufficient_security alert.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* alert: GNUTLS_E_PK_INVALID_PUBKEY maps to GNUTLS_A_ILLEGAL_PARAMETER | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -0/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* alerts: separated record overflow from decode error alerts | Nikos Mavrogiannopoulos | 2017-03-07 | 1 | -1/+2
  Introduced GNUTLS_E_RECORD_OVERFLOW.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Terminate handshake if only unknown or disabled signatures are advertized by the peer | Nikos Mavrogiannopoulos | 2016-10-26 | 1 | -0/+1
  That is, do not attempt to proceed assuming that the peer supports SHA-1.

* Add support for sending unrecognized name alerts | Hubert Kario | 2016-05-06 | 1 | -0/+4
  To better test support for server_name extension in TLS, it's necessary to be able to differentiate between name being rejected because it is unknown to the server and it being malformed.

* handshake: enhance same certificate checks to apply to PSK/SRP username | Nikos Mavrogiannopoulos | 2016-04-29 | 1 | -0/+1
  That is, unless GNUTLS_ALLOW_ID_CHANGE is specified, during a rehandshake clients will not be allowed to present another certificate than the original, or change their username for PSK or SRP ciphersuites.

* When decoding extensions do not ignore decoding errors | Nikos Mavrogiannopoulos | 2015-11-29 | 1 | -0/+4
  That is, move from a parsing error tolerance to a more strict decoding approach.
  Relates #40

* Introduced GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR to be returned by the auto-verification functions | Nikos Mavrogiannopoulos | 2015-08-27 | 1 | -0/+1

* Removed the 'gnutls_' prefix from files to simplify file naming | Nikos Mavrogiannopoulos | 2015-08-23 | 1 | -0/+356