Commit 63786c80 authored by Sébastien Blin's avatar Sébastien Blin Committed by Kateryna Kostiuk

tlssession: supports TLS 1.3

Bump GNUTls to 3.6.5 and nettle to 3.4.1

Change-Id: I666f5137ad2c495b4c49b838b8ecf281ed523766
parent 30862d5a
60fc3409ee81932bc2672c68eb65748b88da4b9307764fb395dbadc06120e1011207a04d5f540e77a4d07649ffaed0789c04d57692eeca6ab24ac79d72418906 gnutls-3.5.10.tar.xz
1f2bd3203ea96844c531be700b44623b79f46743143edf97011aab07895ca18d62f1659c7fafc5e1c4b0686fde490836f00358bdd60d6ac0b842526db002da23 gnutls-3.6.1.tar.xz
6a574d355226bdff6198ab3f70633ff2a3cff4b5d06793bdaf19d007063bd4dd515d1bd3f331a9eb1a9ad01f83007801cfa55e5fd16c1cd3461ac33d1813fb06 gnutls-3.6.2.tar.xz
4ff34f38d7dc543bc5750d8fdfe9be84af60c66e8d41da45f6cffc11d6c6c726784fd2d471b3416604ca1f3f9efb22ff7a290d5c92c96deda38df6ae3e794cc1 gnutls-3.6.6.tar.xz
# GnuTLS
GNUTLS_VERSION := 3.6.2
GNUTLS_VERSION := 3.6.6
GNUTLS_URL := https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-$(GNUTLS_VERSION).tar.xz
PKGS += gnutls
......
3bea3aabd2c99cc42d084a94fd6b0b5dbdb24cd6c7020271a6ee87a81a904b21b21756f590cb1afdf2e85fd1cb59e5c3651c5c4032e30204e7ea6f8801d1ea3b nettle-3.4.tar.gz
26aefbbe9927e90e28f271e56d2ba876611831222d0e1e1a58bdb75bbd50934fcd84418a4fe47b845f557e60a9786a72a4de2676c930447b104f2256aca7a54f nettle-3.4.1.tar.gz
# Nettle
NETTLE_VERSION := 3.4
NETTLE_VERSION := 3.4.1
NETTLE_URL := $(GNU)/nettle/nettle-$(NETTLE_VERSION).tar.gz
PKGS += nettle
......
......@@ -855,10 +855,20 @@ TlsSession::TlsSessionImpl::handleStateHandshake(TlsSessionState state)
}
// Safe-Renegotiation status shall always be true to prevent MiM attack
if (!gnutls_safe_renegotiation_status(session_)) {
RING_ERR("[TLS] server identity changed! MiM attack?");
return TlsSessionState::SHUTDOWN;
// Following https://www.gnutls.org/manual/html_node/Safe-renegotiation.html
// "Unlike TLS 1.2, the server is not allowed to change identities"
// So, we don't have to check the status if we are the client
#ifndef _WIN32 // For now, windows use GNUTLS < 3.6.5
bool isTLS1_3 = gnutls_protocol_get_version(session_) == GNUTLS_TLS1_3;
if (!isTLS1_3 || (isTLS1_3 && isServer_)) {
#endif
if (!gnutls_safe_renegotiation_status(session_)) {
RING_ERR("[TLS] server identity changed! MiM attack?");
return TlsSessionState::SHUTDOWN;
}
#ifndef _WIN32
}
#endif
auto desc = gnutls_session_get_desc(session_);
RING_DBG("[TLS] session established: %s", desc);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment