path: root/lib
Commit message (Author, Age, Files, Lines)
* psk: Add basic support for RFC 9258 external PSK importer interface (Daiki Ueno, 2023-05-04, 12 files, -85/+533)
    This adds a minimal, callback-based API to import external PSK, following RFC 9258. The client and the server importing external PSK are supposed to set a callback to retrieve PSK, which returns flags that may indicate the PSK is imported, along with the key:

      typedef int gnutls_psk_client_credentials_function3(
              gnutls_session_t session, gnutls_datum_t *username,
              gnutls_datum_t *key, gnutls_psk_key_flags *flags);

      typedef int gnutls_psk_server_credentials_function3(
              gnutls_session_t session, const gnutls_datum_t *username,
              gnutls_datum_t *key, gnutls_psk_key_flags *flags);

    Those callbacks are responsible to call gnutls_psk_format_imported_identity() for external PSKs to build a serialized PSK identity, and set GNUTLS_PSK_KEY_EXT in flags if the identity is an imported one.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* build: re-indent code (Daiki Ueno, 2023-04-24, 460 files, -72311/+67567)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* gnutls.h.in: stop indenting doc-comments for typedefs (Daiki Ueno, 2023-04-24, 1 file, -81/+81)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* build: use /* clang-format {on|off} */ annotation (Daiki Ueno, 2023-04-24, 16 files, -70/+8)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* hello_ext: minor cleanup of extension shuffling code (Daiki Ueno, 2023-04-20, 4 files, -38/+46)
    This reduces the number of calls to gnutls_rnd(GNUTLS_RND_RANDOM) based on the assumption that extension indices fit in uint8_t. This also renames the priority string modifier from %NO_EXTS_SHUFFLE to %NO_SHUFFLE_EXTENSIONS.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'pbkdf' into 'master' (Daiki Ueno, 2023-04-01, 1 file, -0/+10)
|\
    fips: add additional pbkdf limit checks as defined in SP 800-132

    See merge request gnutls/gnutls!1736
| * fips: add additional pbkdf limit checks as defined in SP 800-132 (Tobias Heider, 2023-03-30, 1 file, -0/+10)
    Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
* | hello_ext: add ClientHello extension permutation (@Ajit, 2023-04-01, 4 files, -1/+57)
    This adds a mechanism to randomize the order of TLS extensions in the ClientHello to make fingerprinting harder. The mechanism is enabled by default and a new priority keyword %NO_EXTS_SHUFFLE has been added to turn it off.

    Signed-off-by: peonix <ajeetsinghchahar2@gmail.com>
|/
* Merge branch 'wip/dueno/psk-username' into 'master' (Daiki Ueno, 2023-03-30, 4 files, -14/+5)
|\
    src: print_info: prefer gnutls_psk_server_get_username2

    See merge request gnutls/gnutls!1730
| * psk: guard against the case where psk_auth_info_t has NULL username (Daiki Ueno, 2023-03-21, 4 files, -14/+5)
    This happens when gnutls_psk_server_get_username is called from a client. Also simplify the embedded NUL-byte check with memchr.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | changes to keep backward compatibility (peonix, 2023-03-28, 2 files, -0/+6)
    Signed-off-by: peonix <ajeetsinghchahar2@gmail.com>
* | Updated desc for @GNUTLS_NO_DEFAULT_EXTENSIONS (peonix, 2023-03-28, 1 file, -1/+1)
    Signed-off-by: peonix <ajeetsinghchahar2@gmail.com>
* | Modifier GNUTLS_NO_EXTENSIONS renamed to GNUTLS_NO_DEFAULT_EXTENSIONS (peonix, 2023-03-28, 3 files, -7/+7)
    Signed-off-by: peonix <ajeetsinghchahar2@gmail.com>
* | fix incorrect parameter description of crl import function (xuraoqing, 2023-03-22, 1 file, -4/+4)
    Signed-off-by: xuraoqing <xuraoqing@huawei.com>
|/
* pkcs11: respect Mozilla's time-based distrust upon issuer lookup (Daiki Ueno, 2023-03-17, 5 files, -2/+206)
    This implements the basic logic needed to support time-based distrust of CA, according to [1].

    1. https://wiki.mozilla.org/CA/Additional_Trust_Changes#Distrust_After

    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* ktls: Do not return GNUTLS_E_INTERRUPTED/AGAIN from short writes (Richard W.M. Jones, 2023-03-10, 1 file, -2/+10)
    If sendmsg returns a short write, we end up going around the loop with data_to_send being smaller. However if sendmsg then returns -EAGAIN or -EINTR then we return an error. But we have "forgotten" that we already sent some data. This causes the caller to retry gnutls_record_send with the full buffer (ie. with a buffer that has already been partially sent), causing desynchronization. Instead check if we sent some data in this case and return the number of bytes sent.

    Fixes: https://gitlab.com/gnutls/gnutls/-/issues/1470
    Thanks: Dan Berrange for suggesting a fix
    Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
* Merge branch 'wip/dueno/ems' into 'master' (Daiki Ueno, 2023-03-09, 4 files, -8/+39)
|\
    priority: add %FORCE_SESSION_HASH modifier

    Closes #1445

    See merge request gnutls/gnutls!1711
| * fips: enable %FORCE_SESSION_HASH by default under FIPS mode (Daiki Ueno, 2023-03-09, 1 file, -0/+4)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
| * priority: add %FORCE_SESSION_HASH modifier (Daiki Ueno, 2023-03-09, 4 files, -8/+35)
    This adds a new priority string modifier %FORCE_SESSION_HASH, which requires to negotiate extended master secret and aborts the connection if the peer does not send the extension in hello messages.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | pk: extend pair-wise consistency to cover DH key generation (Pedro Monreal, 2023-02-27, 1 file, -0/+29)
    Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance of Pair-wise Consistency check, even if we only support ephemeral DH, as it is required by FIPS 140-3 IG 10.3.A.

    Signed-off-by: Pedro Monreal <pmgdeb@gmail.com>
    Co-authored-by: Daiki Ueno <ueno@gnu.org>
* | ecdh: perform SP800-56A rev3 full pubkey validation on key derivation (Pedro Monreal, 2023-02-24, 1 file, -3/+125)
    This implements full public key validation required in SP800-56A rev3, section 5.6.2.3.3.

    Co-authored-by: Daiki Ueno <ueno@gnu.org>
    Signed-off-by: Pedro Monreal <pmgdeb@gmail.com>
|/
* rsa: remove dead code (Hubert Kario, 2023-02-08, 1 file, -17/+3)
    since the `ok` variable isn't used any more, we can remove all code used to calculate it

    Signed-off-by: Hubert Kario <hkario@redhat.com>
* auth/rsa: side-step potential side-channel (Alexander Sosedkin, 2023-02-08, 1 file, -10/+0)
    Remove branching that depends on secret data.

    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
    Signed-off-by: Hubert Kario <hkario@redhat.com>
    Tested-by: Hubert Kario <hkario@redhat.com>
* remove inoperative variable (xuraoqing, 2023-02-07, 1 file, -2/+0)
    Signed-off-by: xuraoqing <609179072@qq.com>
* Indent cpp header (Zoltan Fridrich, 2023-01-30, 1 file, -907/+746)
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
* gnutlsxx: add source file for shared library (Nikolaos Chatzikonstantinou, 2023-01-30, 2 files, -2/+28)
    The compiler will not produce a shared library from a header, so a source file is necessary when producing the gnutlsxx shared library.

    Signed-off-by: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
* gnutlsxx: become header-only library (Nikolaos Chatzikonstantinou, 2023-01-30, 3 files, -931/+918)
    This patch removes the old gnutlsxx library and instead moves all the definitions of the source file `gnutlsxx.c` to the header file `gnutlsxx.h`. However, both the C and the C++ library are built. (as before.) The user of the C++ interface has two options to choose from:

    1. include `gnutlsxx.h` in their application and link against the C library. (the default.)
    2. include `gnutlsxx.h` in their application, compile with the GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link against the C++ library.

    Addresses Ref #1381

    Signed-off-by: Nikolaos Chatzikonstantinou <nchatz314@gmail.com>
* Indent code (Zoltan Fridrich, 2023-01-27, 457 files, -39364/+53302)
    Co-authored-by: Simon Josefsson <simon@josefsson.org>
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
* Fix indent errors (Zoltan Fridrich, 2023-01-27, 4 files, -56/+68)
    Co-authored-by: Simon Josefsson <simon@josefsson.org>
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
* trust: make filesystem path construction flexible (Daiki Ueno, 2023-01-11, 7 files, -63/+314)
    To handle pathnames longer than the fixed length (previously 256), this adds a set of internal API functions around the gnutls_pathbuf_st struct, which enables to safely and efficiently construct pathnames. The new API initially uses the statically allocated buffer and starts allocating memory on heap only after the limit has reached.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'zfridric_devel2' into 'master' (Zoltán Fridrich, 2023-01-10, 4 files, -8/+53)
|\
    Forbid unsolicited CompressedCertificate messages

    Closes #1440

    See merge request gnutls/gnutls!1678
| * Fix error codes for unsolicited compressed certificate (Zoltan Fridrich, 2023-01-10, 1 file, -1/+5)
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
| * Forbid unsolicited CompressedCertificate message (Zoltan Fridrich, 2023-01-03, 3 files, -1/+4)
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
| * Fail when received cert is compressed with disabled method (Zoltan Fridrich, 2023-01-03, 3 files, -3/+34)
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
| * Slight reformatting of compress_certificate code (Zoltan Fridrich, 2023-01-03, 2 files, -5/+12)
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
* | Merge branch 'wip/dueno/srtp' into 'master' (Daiki Ueno, 2023-01-06, 2 files, -13/+31)
|\ \
    srtp: support AES-GCM profiles

    Closes #1266

    See merge request gnutls/gnutls!1685
| * | srtp: support AES-GCM profiles (Daiki Ueno, 2022-12-24, 2 files, -13/+31)
    This adds support for SRTP_AEAD_AES_128_GCM and SRTP_AEAD_AES_256_GCM profiles defined in RFC 7714.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* | | Merge branch 'wip/dueno/max-record-send-size' into 'master' (Daiki Ueno, 2023-01-06, 4 files, -12/+9)
|\ \ \
| |_|/
|/| |
    build: remove MAX_RECORD_SEND_SIZE in favor of max_record_send_size

    Closes #815

    See merge request gnutls/gnutls!1684
| * | build: remove MAX_RECORD_SEND_SIZE in favor of max_record_send_size (Daiki Ueno, 2022-12-24, 4 files, -12/+9)
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
| |/
* | Merge branch 'https' into 'master' (Daiki Ueno, 2022-12-27, 34 files, -52/+34)
|\ \
    Prefer HTTPS to HTTP in URLs

    See merge request gnutls/gnutls!1687
| * | Replace FSF snail mail addresses with URL (Stefan Kangas, 2022-12-27, 12 files, -30/+12)
    This is the latest recommendation, as described here: https://www.gnu.org/licenses/gpl-howto.html

    Signed-off-by: Stefan Kangas <stefankangas@gmail.com>
| * | Prefer HTTPS to HTTP in URLs (Stefan Kangas, 2022-12-27, 22 files, -22/+22)
    This mostly updates NEWS and license links. All links have been manually tested and confirmed working.

    Signed-off-by: Stefan Kangas <stefankangas@gmail.com>
| |/
* | Fix typos (Stefan Kangas, 2022-12-27, 2 files, -3/+3)
    Signed-off-by: Stefan Kangas <stefankangas@gmail.com>
|/
* record: enable check on CCS content also in TLS 1.2 (Daiki Ueno, 2022-12-21, 1 file, -8/+25)
    This generalizes the value check of Change Cipher Spec for all TLS protocol versions including TLS 1.2 or earlier. It also fixes the logic of the check so the value is decrypted before being examined, according to the RFC.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'master' into 'master' (Daiki Ueno, 2022-12-20, 3 files, -9/+13)
|\
    fix obtain credential type based on the key exchange type fail; fix log print key mac size error

    See merge request gnutls/gnutls!1670
| * fix memory leak when process client ecdh key exchange (xuraoqing, 2022-12-19, 1 file, -3/+7)
    Signed-off-by: xuraoqing <xuraoqing@huawei.com>
| * fix log print server write mac key size error (xuraoqing, 2022-12-12, 1 file, -1/+1)
    Signed-off-by: xuraoqing <xuraoqing@huawei.com>
| * fix log print client write mac key size error (xuraoqing, 2022-12-12, 1 file, -1/+1)
    Signed-off-by: xuraoqing <xuraoqing@huawei.com>
| * fix get credential type with key exchange algorithm fail (xuraoqing, 2022-12-12, 1 file, -4/+4)
    Signed-off-by: xuraoqing <xuraoqing@huawei.com>
* | cert-auth: alloc_and_load_x509_certs: check requested cert count (Daiki Ueno, 2022-12-18, 1 file, -1/+7)
    ... instead of pointer. Otherwise GCC analyzer treats it as -Wanalyzer-null-dereference in the caller side. While that shouldn't happen, it would be nice to make the code handle it robustly.

    Signed-off-by: Daiki Ueno <ueno@gnu.org>