author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-07-03 08:31:13 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-07-07 08:26:47 +0200 |
commit | 96627928cdf5311fc3fae5c01fccdfbf6140d45f (patch) | |
tree | 5179c0983689b7e4bf2fb6dd763758e5aed13302 | |
parent | efa1c03822cd90cf29fed8059409fe120d229bb4 (diff) | |
download | gnutls-96627928cdf5311fc3fae5c01fccdfbf6140d45f.tar.gz |
protocols: bumped TLS1.3 protocol to draft-28
Resolves #506
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | NEWS | 10 | ||||
-rw-r--r-- | lib/algorithms/protocols.c | 2 | ||||
-rw-r--r-- | tests/tls13/prf.c | 10 | ||||
-rw-r--r-- | tests/tls13/supported_versions.c | 2 |
4 files changed, 13 insertions, 11 deletions
@@ -7,17 +7,17 @@ See the end for copying conditions.
 * Version 3.6.3 (unreleased)
-** libgnutls: Introduced function to switch the current FIPS140-2 operational
- mode, i.e., strict vs a more lax mode which will allow certain non FIPS140-2
- operations.
-
-** libgnutls: Introduced support for draft-ietf-tls-tls13-26. It includes version
+** libgnutls: Introduced support for draft-ietf-tls-tls13-28. It includes version
 negotiation, post handshake authentication, length hiding, multiple OCSP support, consistent ciphersuite support across protocols, hello retry requests, ability to adjust key shares via gnutls_init() flags, certificate authorities extension, and key usage limits. TLS1.3 support needs to be explicitly enabled via a priority string.
+** libgnutls: Introduced function to switch the current FIPS140-2 operational
+ mode, i.e., strict vs a more lax mode which will allow certain non FIPS140-2
+ operations.
+
 ** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836. This adds support for using GOST keys for digital signatures and under PKCS#7, PKCS#12, and PKCS#8 standards. In particular added elliptic curves GOST R 34.10-2001 CryptoProA
diff --git a/lib/algorithms/protocols.c b/lib/algorithms/protocols.c
index 8c085b7d34..86c7a6027f 100644
--- a/lib/algorithms/protocols.c
+++ b/lib/algorithms/protocols.c
@@ -116,7 +116,7 @@ static const version_entry_st sup_versions[] = {
 .id = GNUTLS_TLS1_3,
 .age = 5,
 .major = 0x7f,
- .minor = 26,
+ .minor = 28,
 .transport = GNUTLS_STREAM,
 .supported = 1,
 .explicit_iv = 0,
diff --git a/tests/tls13/prf.c b/tests/tls13/prf.c
index da27332d42..61b96b246b 100644
--- a/tests/tls13/prf.c
+++ b/tests/tls13/prf.c
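Review bot: The hunk changes only the advertised draft minor, `.minor = 28`, and the diffstat lists no handshake or extension source beyond this table; if draft-27/28 differ from draft-26 in more than the version number (I cannot tell from this hunk alone), a peer that negotiates 0x7f28 will expect that behaviour, so the commit message should either state that the wire format is otherwise unchanged or point at the commits that carry the rest. The same number is repeated by hand in tests/tls13/supported_versions.c with nothing tying the two together. A comment on the entry, `/* draft-ietf-tls-tls13-28; keep in sync with tests/tls13/supported_versions.c */`, would keep the next bump from updating one side only. The sup_versions[] initializer starts and ends outside the hunk.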
@@ -126,8 +126,10 @@ static void dump(const char *name, const uint8_t *data, unsigned data_size)
 } \
 }
-#define KEY_EXP_VALUE "\x81\x7a\x37\xc6\xa3\x2b\x83\x47\x3b\xad\x03\xa6\xd4\x6d\xac\xe3\x1c\x9d\xa4\xdc\x8e\x0c\x77\xf8\x1c\x5e\x5d\xe5\xca\x1c\xbc\x89\x4c\x37"
-#define HELLO_VALUE "\x10\x3e\xef\x5e\x62\x1d\x03\x95\xfc\x8f\x59\xc7\x7d\xdc\x14\x7e\xcf\x46\x86\x2f\xfb\x1c\x5a\x16\x6a\xf5\x38\x69\xa8\x3c\x85"
+#define KEY_EXP_VALUE "\x2b\x6f\x94\xc8\xbc\xa0\x59\x4b\x61\xc8\x23\x12\x01\x8e\xb2\x3a\xdf\x48\x06\x98\x96\xaf\xf9\xe7\xcf\xd5\xa4\x56\x29\x6b\x84\xd3\xfc\x81"
+#define HELLO_VALUE "\x93\x78\x2d\x00\x88\x02\xd8\xd1\x75\xfe\x1d\xae\x99\x13\xf4\x36\xe0\x10\xc9\xfc\xae\xb8\xc0\x72\xd2\x99\x6e\xc3\x71\xf5\x1b"
+#define CONTEXT_VALUE "\x1e\x95\x2e\xa5\xb9\xff\xe4\xb0\xbe\xa3\x8b\x1f\x6c\x31\x74\x62\x4f\x9d\x0b\xf8\x1d\x5f\x3d\xa5\xa7\x45\x07\x99\xea\xfc\xa2"
+#define NULL_CONTEXT_VALUE "\x2f\x7e\x07\x52\xd4\x23\x0b\x7a\xa0\x7e\x2f\xad\xb5\xcc\xcf\x63\x8f\x6c\x27\x7e\xbb\x9e\xb8\xd3\xa0\x92\x3d\xd0\xaa\xe4\xb0"
 static void check_prfs(gnutls_session_t session)
 {
 unsigned char key_material[512];
@@ -138,8 +140,8 @@ static void check_prfs(gnutls_session_t session)
 TRY(13, "key expansion", 0, NULL, 34, (uint8_t*)KEY_EXP_VALUE);
 TRY(6, "hello", 0, NULL, 31, (uint8_t*)HELLO_VALUE);
- TRY(7, "context", 5, "abcd\xfa", 31, (uint8_t*)"\xbc\x23\xe3\xf4\x29\xdb\x48\x20\x48\x8c\x37\xd9\xd4\xe0\xcf\x88\xc3\x3d\x7b\x12\x59\xfb\xad\x8e\x4d\x8c\x53\x58\xf4\xe6\xef");
- TRY(12, "null-context", 0, "", 31, (uint8_t*)"\x89\x89\x1f\x2f\x6c\x35\x26\x0b\xe9\x1c\x7b\xb7\x27\x5e\x7c\x41\xfb\xa0\x11\x9c\xd7\xe6\xd5\xdc\x2a\xcc\x54\x23\x3f\x52\x9f");
+ TRY(7, "context", 5, "abcd\xfa", 31, (uint8_t*)CONTEXT_VALUE);
+ TRY(12, "null-context", 0, "", 31, (uint8_t*)NULL_CONTEXT_VALUE);
 /* Try whether calling gnutls_prf() with non-null context or server-first
 * param, will fail */
diff --git a/tests/tls13/supported_versions.c b/tests/tls13/supported_versions.c
index 50ea986ca1..49ba87212a 100644
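Review bot: The four new expected values are bare hex literals with no indication of their origin; if they were captured from this implementation at draft-28 rather than taken from an independent source, they pin against regression only and cannot catch a label or derivation error shared by both ends, and every future draft bump will have to regenerate them again. A short comment above the defines would make that explicit, e.g. `/* Expected PRF outputs for draft-ietf-tls-tls13-28, captured from this implementation; regenerate on every draft bump — not independently verified. */`, or a pointer to the vector source if one exists. Note that HELLO_VALUE now contains an embedded `\x00` as its fourth byte, so any helper that measured these with strlen() would truncate it; the lengths must keep coming from sizeof()-1 or an explicit count.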
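Review bot: The expected-output lengths are still separate literals (`34`, `31`) written beside the new macros, so a literal and its length can drift apart silently the next time the vectors are regenerated, and with an embedded NUL in HELLO_VALUE strlen() cannot be used as a fallback. Deriving the length from the macro keeps them in lock-step: `TRY(7, "context", 5, "abcd\xfa", sizeof(CONTEXT_VALUE) - 1, (uint8_t*)CONTEXT_VALUE);` and likewise for the other three calls. The TRY macro and the rest of check_prfs() are outside the hunk, so I am assuming the size argument is both the requested output length and the comparison length — worth confirming before changing all four.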
--- a/tests/tls13/supported_versions.c
+++ b/tests/tls13/supported_versions.c
@@ -224,7 +224,7 @@ static int client_hello_callback(gnutls_session_t session, unsigned int htype,
 #ifdef TLS13_FINAL_VERSION
 if (msg->data[pos] != 0x03 || msg->data[pos+1] != 0x04) {
 #else
- if (msg->data[pos] != 0x7f || msg->data[pos+1] != 26) {
+ if (msg->data[pos] != 0x7f || msg->data[pos+1] != 28) {
 #endif
 fail("fail expected TLS 1.3, got %d.%d\n", (int)msg->data[pos], (int)msg->data[pos+1]);
 } |
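Review bot: The expected draft minor is hardcoded as `28` here and independently in lib/algorithms/protocols.c, with nothing in either file tying the two together, so the next bump has to find both by hand. If the library does not export the draft number for tests to use, a comment on the `#else` branch is the least that should be there: `/* draft minor must match the GNUTLS_TLS1_3 entry in sup_versions[], lib/algorithms/protocols.c */`. I also cannot see from this hunk whether `pos+1` has been checked against the message length before the read; client_hello_callback() starts outside the hunk, so I am assuming that check happens earlier.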