-rw-r--r--configure.ac14
m---------gnulib0
-rw-r--r--lib/alert.c20
-rw-r--r--lib/str-idna.c8
4 files changed, 28 insertions, 14 deletions
diff --git a/configure.ac b/configure.ac
index e81ff89709..c21660c3f3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -365,17 +365,17 @@ AC_ARG_WITH(included-unistring, AS_HELP_STRING([--with-included-unistring],
if test "$included_unistring" = yes;then
ac_have_unistring=no
else
- AC_LIB_HAVE_LINKFLAGS(unistring,, [#include <uninorm.h>], [u8_normalize(0, 0, 0, 0, 0);])
-
- if test "$HAVE_LIBUNISTRING" = "yes";then
+ AC_SEARCH_LIBS(u8_normalize, unistring, [
included_unistring=no
ac_have_unistring=yes
- else
- AC_MSG_ERROR([[
+ AC_SUBST([LIBUNISTRING], [$ac_cv_search_u8_normalize])
+ ], [
+ ac_cv_libunistring=no
+ AC_MSG_ERROR([[
***
*** Libunistring was not found. To use the included one, use --with-included-unistring
- ]])
- fi
+ ]])
+ ])
fi
AM_CONDITIONAL(HAVE_LIBUNISTRING, test "$ac_have_unistring" = "yes")
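Review bot: `AC_SUBST([LIBUNISTRING], [$ac_cv_search_u8_normalize])` substitutes the raw cache variable, which AC_SEARCH_LIBS sets to the literal string `none required` when `u8_normalize` resolves without an extra library, so that text would end up in the link flags. Map that value to empty first, e.g. `test "$ac_cv_search_u8_normalize" = "none required" || LIBUNISTRING=$ac_cv_search_u8_normalize`, followed by a plain `AC_SUBST([LIBUNISTRING])`. AC_SEARCH_LIBS also prepends the library to `LIBS` for every later link test, and the new check no longer verifies that `<uninorm.h>` is usable; both deserve a comment if intended. The `ac_cv_libunistring=no` assignment just before `AC_MSG_ERROR` appears to have no effect within this hunk, since configure aborts there.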
diff --git a/gnulib b/gnulib
-Subproject 4652c7bafa60332145f1e05a7de5f48e1bc5622
+Subproject 6c0f109fb98501fc8d65ea2c83501b45a80b00a
diff --git a/lib/alert.c b/lib/alert.c
index a7770da676..15f5183430 100644
--- a/lib/alert.c
+++ b/lib/alert.c
@@ -184,7 +184,7 @@ gnutls_alert_send(gnutls_session_t session, gnutls_alert_level_t level,
* renegotiation will be performed.
*
* If there is no mapping to a valid alert the alert to indicate
- * internal error is returned.
+ * internal error (%GNUTLS_A_INTERNAL_ERROR) is returned.
*
* Returns: the alert code to use for a particular error code.
**/
@@ -257,6 +257,8 @@ int gnutls_error_to_alert(int err, int *level)
case GNUTLS_E_UNKNOWN_PK_ALGORITHM:
case GNUTLS_E_UNWANTED_ALGORITHM:
case GNUTLS_E_NO_COMMON_KEY_SHARE:
+ case GNUTLS_E_ECC_NO_SUPPORTED_CURVES:
+ case GNUTLS_E_ECC_UNSUPPORTED_CURVE:
ret = GNUTLS_A_HANDSHAKE_FAILURE;
_level = GNUTLS_AL_FATAL;
break;
@@ -338,7 +340,7 @@ int gnutls_error_to_alert(int err, int *level)
/**
* gnutls_alert_send_appropriate:
* @session: is a #gnutls_session_t type.
- * @err: is an integer
+ * @err: is an error code returned by another GnuTLS function
*
* Sends an alert to the peer depending on the error code returned by
* a gnutls function. This function will call gnutls_error_to_alert()
@@ -347,8 +349,11 @@ int gnutls_error_to_alert(int err, int *level)
* This function may also return %GNUTLS_E_AGAIN, or
* %GNUTLS_E_INTERRUPTED.
*
- * If the return value is %GNUTLS_E_INVALID_REQUEST, then no alert has
- * been sent to the peer.
+ * This function historically was always sending an alert to the
+ * peer, even if @err was inappropriate to respond with an alert
+ * (e.g., %GNUTLS_E_SUCCESS). Since 3.6.6 this function returns
+ * success without transmitting any data on error codes that
+ * should not result to an alert.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
* an error code is returned.
@@ -358,10 +363,11 @@ int gnutls_alert_send_appropriate(gnutls_session_t session, int err)
int alert;
int level;
+ if (err != GNUTLS_E_REHANDSHAKE && (!gnutls_error_is_fatal(err) ||
+ err == GNUTLS_E_FATAL_ALERT_RECEIVED))
+ return gnutls_assert_val(0);
+
alert = gnutls_error_to_alert(err, &level);
- if (alert < 0) {
- return alert;
- }
return gnutls_alert_send(session, (gnutls_alert_level_t)level, alert);
}
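Review bot: The early return added to gnutls_alert_send_appropriate() reports 0 both when an alert was transmitted and when the new guard skipped it, so a caller can no longer tell from the return value whether the peer was notified before it tears the session down. If that is intended, the condition needs a comment explaining the exemptions, e.g. `/* send nothing for non-fatal codes or when the peer already sent a fatal alert; GNUTLS_E_REHANDSHAKE is still answered */`. `return gnutls_assert_val(0);` also records an assertion on what the updated documentation describes as a success path, which presumably adds noise to debug logs; a plain `return 0;` would avoid that. The function's opening brace lies outside the hunk.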
diff --git a/lib/str-idna.c b/lib/str-idna.c
index 30a09407c0..4f275aebfb 100644
--- a/lib/str-idna.c
+++ b/lib/str-idna.c
@@ -81,6 +81,14 @@ int gnutls_idna_map(const char *input, unsigned ilen, gnutls_datum_t *out, unsig
idn2_tflags |= IDN2_TRANSITIONAL;
#endif
+ /* This avoids excessive CPU usage with libidn2 < 2.1.1 */
+ if (ilen > 2048) {
+ gnutls_assert();
+ _gnutls_debug_log("unable to convert name '%.*s' to IDNA format: %s\n",
+ (int) ilen, input, idn2_strerror(IDN2_TOO_BIG_DOMAIN));
+ return GNUTLS_E_INVALID_UTF8_STRING;
+ }
+
if (ilen == 0) {
out->data = (uint8_t*)gnutls_strdup("");
out->size = 0;
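Review bot: The debug log in the new `ilen > 2048` branch prints the whole rejected name with `%.*s` and `(int) ilen`, so an oversized, possibly peer-supplied name is written to the log in full. If `_gnutls_debug_log` follows printf semantics, an `ilen` above INT_MAX becomes a negative precision, which is treated as absent, and `input` is then read up to a NUL that a length-delimited buffer may not have. Cap the precision, e.g. `(int) (ilen > 256 ? 256 : ilen), input` (256 is an illustrative value), or log only the length. The limit 2048 would also read better as a named constant next to the comment about libidn2 < 2.1.1. gnutls_idna_map() begins before this hunk.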