Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

This could make errors more distinguishable when the client sends no
certificates or a bad certificate.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

An illegal/disallowed SNI server name previously generated
the misleading message "An illegal parameter has been received.".
This commit changes it to
"A disallowed SNI server name has been received.".
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Relates #653
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This implements ClientHello recording outlined in section 8.2 of RFC
8446.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

This adds a way to store an entry if it is not found in the database,
so that the implementation can provide atomic test-and-set.
Signed-off-by: Daiki Ueno <dueno@redhat.com>

When a key share extension is not seen under TLS1.3, send
the missing extension alert.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This allows an application to be notified of the addition of invalid
CRLs in the trust list.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This allows an application to open a PKCS#11 token using a URI,
and use it directly, bypassing gnutls. That is useful to take
advantage of PKCS#11 functionality not wrapped by gnutls but
still use PKCS#11 URIs to identify the token.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

That adds support for pre-shared keys with and without Diffie-Hellman
key exchange. That's a modified version of Ander's initial patch.
Resolves #414
Resolves #125
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.org>

certificates
That is, iterate through the certificate chain to figure out which
certificate the response corresponds to, and assign it to it.
That allows for applications to re-use this function to set
multiple responses when available.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

That is:
* introduced a gnutls_init() flag for clients to enable post-handshake
authentication
* introduced gnutls_reauth() function, to be called by servers to request
authentication, and by clients to perform authentication
Resolves #562
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This enables TLS 1.3 key exchange based on the key share extension.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

This is being used to indicate errors in the public key parameters
such as the RSA-PSS salt size or digest algorithm.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

That is, do not check the flag GNUTLS_VERIFY_USE_RSA_PSS, as we
already have enough information to determine whether an RSA-PSS
signature is used (the sign algorithm). Also return the code
GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY when a signature algorithm
incompatible with the public key is encountered.
In addition, fixed a few misplacements of GNUTLS_PK_RSA_PSS in switch
cases.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This corresponds to libtasn1 ASN1_TIME_ENCODING_ERROR and
indicates an error in the DER or BER encoding of a time field.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This is an alias to GNUTLS_E_UNEXPECTED_PACKET_LENGTH. That
allows distinguishing the alert from GNUTLS_E_RECORD_OVERFLOW.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Introduced GNUTLS_E_RECORD_OVERFLOW.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

This error code indicates an issue in the time fields of a certificate.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

That prevents buggy applications from transmitting sensitive data during
handshake.
Resolves #158
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

That is, ensure that the input characters are in the valid class of characters
for the PRECIS FreeformClass.

In addition, introduce a new error code to warn about no embedded data.

certificate
That is, check the provided certificate for validity in time and key usage.

This allows functions like decryption and verification to report
the specific issue they encountered on public key error.
The new codes are GNUTLS_E_PK_INVALID_PUBKEY and GNUTLS_E_PK_INVALID_PRIVKEY

- Moved IP/CIDR to string conversion functions into separate
header and export privately for the use in tests.
- Placed ip_in_cidr() into separate header for easy testing
- Add publicly available function to convert text CIDR to RFC5280
format for the use in name constraints extension.
- certtool: Use GnuTLS exported CIDR functions instead of local ones.
- Export mask_to_prefix, mask_ip for internal GnuTLS use.
- Introduce new error value (malformed cidr) and add to description
functions in errors.c.
Signed-off-by: Martin Ukrop <mukrop@redhat.com>

This error code is returned when the session resumption parameters
are requested during a handshake. That is, to increase the clarity
when requesting these parameters while false start is active and
the handshake is not complete even if gnutls_handshake() has returned.
Relates #114

To better test support for server_name extension in TLS, it's
necessary to be able to differentiate between name being rejected
because it is unknown to the server and it being malformed.

That is, unless GNUTLS_ALLOW_ID_CHANGE is specified, during a rehandshake
clients will not be allowed to present another certificate than the original,
or change their username for PSK or SRP ciphersuites.

That is, an additional flag GNUTLS_ENABLE_FALSE_START is introduced
for gnutls_init(), and that enables support for false start. At
this point false start will be performed by the handshake if possible,
and gnutls_record_recv() will handle handshake completion.

This error code is returned when an embedded NULL is detected in
a string.

That is, require that the certificate of the peer remains the same
and return GNUTLS_E_SESSION_CERTIFICATE_CHANGED otherwise. To revert
to the previous behavior the GNUTLS_ALLOW_CERT_CHANGE flag was introduced.

That is, move from a parsing error tolerance to a more strict
decoding approach.
Relates #40

auto-verification functions