| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
| |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
| |
TLS 1.3 Early Secret and the derived keys are calculated upon a PSK
being selected, thus the code fits better in ext/pre_shared_key.c.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\
| |
| |
| |
| | |
Use libabigail for tracking ABI changes
See merge request gnutls/gnutls!972
|
| |
| |
| |
| |
| |
| |
| | |
This was available before 3.6.4, and was incorrectly removed.
It was found using libabigail tools.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|/
|
|
| |
Signed-off-by: Andreas Metzler <ametzler@bebt.de>
|
|
|
|
|
|
|
|
| |
gnutls_cipher_suite_get_name and gnutls_session_get_master_secret
are marked as TLS1.2 or earlier-only as they cannot be used with
TLS 1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
| |
They served no purpose.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\
| |
| |
| |
| |
| |
| | |
cert auth: reject auth if no signature algorithm is usable in TLS 1.3
Closes #730
See merge request gnutls/gnutls!967
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously, when there is no overlap between usable signature
algorithms and the "signature_algorithms" extension in Certificate
Request, the client failed in sending Certificate Verify, followed by
a connection close. In TLS 1.3, it is possible to keep the connection
but reject the authentication by not sending Certificate Verify.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| |
| |
| |
| | |
Previously, while the flag HSK_CRT_SENT was checked in
_gnutls13_send_certificate_verify, the flag was never set anywhere.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This makes sure that we don't include the internal backport
if compiled with a version of nettle that includes that code.
We also exclude nettle/backport from the static analyzer's list
as it contains files outside our control (from nettle project).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\ \
| | |
| | |
| | |
| | | |
[OSCP] Fix : null pointer resp
See merge request gnutls/gnutls!969
|
| |/
| |
| |
| | |
Signed-off-by: Elta Koepp <elta_koepp@gmail.com>
|
|/
|
|
|
|
|
| |
If we use explicit_bzero() to zero-fill a buffer in gnutls_memset() we
don't need to zero it again via a volatile trick later in this function.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
|
|
|
|
|
|
|
|
| |
If nettle's XTS is not available, use a vendored in version from master.
This is necessary as long as we need to link against 3.4 for ABI
compatibility reasons.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Resolves: #704
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\
| |
| |
| |
| | |
fips140: Perform SHA-3 self tests
See merge request gnutls/gnutls!958
|
| |
| |
| |
| |
| |
| |
| | |
It is required to perform the self tests to validate SHA-3
implementation.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
|\ \
| |/
|/|
| |
| |
| |
| | |
handshake: increase the default number of tickets we send to 2
Closes #596
See merge request gnutls/gnutls!942
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This makes it easier for clients which perform multiple connections
to the server to use the tickets sent by a default server. That's
because 2 tickets allow for 2 new connections (if one is using each
ticket once as recommended), which in turn lead to 4 new and so on.
Resolves: #596
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | | |
Improved estimation of wait in gnutls_session_get_data2
Closes #706
See merge request gnutls/gnutls!936
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Previously we would wait an arbitrary value of 50ms for the
server to send session tickets. This change makes the client
wait for the estimated single trip time + 60 ms for the server
to calculate the session tickets. This improves the chance
to obtain tickets from internet servers during the call of
gnutls_session_get_data2().
Resolves: #706
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |/
|/|
| |
| | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\ \
| |/
|/|
| |
| |
| |
| | |
pkcs11: security officer login implies writable session
Closes #721
See merge request gnutls/gnutls!953
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
According to the PKCS#11 v2.30, 6.7.1 there are no read-only Security Officer
sessions.
Resolves: #721
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
|
|
|
|
| |
We expand informational comments on limitations, but with removing
FIXME (keyword didn't help fixing these), and remove completely unhelpful
comments, obsolete ones, or comments about ideas.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|
|
|
| |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|\
| |
| |
| |
| | |
cleanup: _gnutls_recv_handshake: added explicit sanity checks
See merge request gnutls/gnutls!937
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Although, this function acts on the message provided as expected and thus
it should never call a message parsing function on unexpected
messages, we make a more explicit sanity check. This unifies the
sanity checks existing within the involved functions.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | | |
TLS 1.3: utilize "certificate_required" alert
Closes #715
See merge request gnutls/gnutls!946
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This could make errors more distinguishable when the client sends no
certificates or a bad certificate.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | | |
This may be sent if the server received an empty Certificate message.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \ \
| |/ /
|/| |
| | |
| | |
| | |
| | | |
Improve documentation for gnutls_cipher_get_iv_size and AEAD ciphers
Closes #717
See merge request gnutls/gnutls!941
|
| | |
| | |
| | |
| | |
| | |
| | | |
Relates: #716
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This clarifies what is returned and what is to be expected on algorithms
with variable IV sizes.
Resolves: #717
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This makes the integrity check to ignore newlines appended after the
HMAC value.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The names of the libraries haven't been updated when the soname version
were bumped.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
|\ \ \
| |/ /
|/| |
| | |
| | |
| | |
| | | |
Fixed operation under multiple threads
Closes #713
See merge request gnutls/gnutls!935
|
| | |
| | |
| | |
| | | |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
early start
This adds a double check in the sanity check of gnutls_record_send2()
for the initial_negotiation_completed value, making sure that the
check will be successful even in parallel operation of send/recv.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
An application that is sending and receiving from different threads
after handshake is complete cannot take advantage of false start because
gnutls_record_send2() detects operations during the handshake process
as invalid.
Because in early start and false start the remaining handshake process needs
only to receive data, and the sending side is already set-up, this error
detection is bogus. With this patch we remove it.
Resolves: #713
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| | |
| | |
| | |
| | |
| | | |
Relates: #713
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|/ /
| |
| |
| |
| |
| | |
Resolves: #633
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\ \
| | |
| | |
| | |
| | | |
Automatically NULLify after gnutls_free()
See merge request gnutls/gnutls!923
|
| | |
| | |
| | |
| | | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This method prevents direct use-after-free and
double-free issues.
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|\ \ \
| |_|/
|/| |
| | |
| | | |
Cleanup lib/auth/cert.c as suggested by cppcheck
See merge request gnutls/gnutls!924
|