summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* po: lib/x509/ocsp.c added to translatable filesNikos Mavrogiannopoulos2018-02-191-0/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: corrected various typosNikos Mavrogiannopoulos2018-02-194-4/+7
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: use 3.6.xx to be consistent with other version referencesNikos Mavrogiannopoulos2018-02-191-1/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc updateNikos Mavrogiannopoulos2018-02-193-5/+3
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: getfuncs.pl: distinguish between different typedef typesNikos Mavrogiannopoulos2018-02-191-3/+12
| | | | | | | That allows to properly distinguish a struct from a one liner typedef. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* check_ocsp_response: print OCSP response actual error on debug logNikos Mavrogiannopoulos2018-02-194-0/+68
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* x509/cert: reorganizedNikos Mavrogiannopoulos2018-02-194-635/+631
| | | | | | | Split functionality related to certificate credentials and session certificate handling in cert-cred.c and cert-session.c Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added unit test for gnutls_ocsp_resp_list_import2Nikos Mavrogiannopoulos2018-02-192-1/+262
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: updatedNikos Mavrogiannopoulos2018-02-192-12/+43
| | | | | | | * document the new behavior of gnutls_certificate_set_ocsp_status_request_file * updated text on OCSP stapled responses Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added ocsptool sanity check programNikos Mavrogiannopoulos2018-02-194-1/+183
| | | | | | | This checks its functionality in loading and exporting PEM and DER structures. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: enhanced OCSP testsNikos Mavrogiannopoulos2018-02-1914-37/+1990
| | | | | | | | | | | | | | | * Run tests under TLS1.2 and TLS1.3 * Verify whether multiple OCSP responses are received in client side, under TLS1.3. * Verify that OCSP status responses can be sent by client under TLS1.3 * Verify operation of gnutls_certificate_retrieve_function3 * Verify operation when multiple OCSP responses by file are set Resolves #307 Resolves #291 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* cert auth: use a single callback to call for OCSPNikos Mavrogiannopoulos2018-02-193-30/+25
| | | | | | | | That is, when selecting the certificate to use, point to the callback to use as well (whether it being the global or a specific) one, for OCSP. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ocsp: introduced gnutls_certificate_get_ocsp_expiration()Nikos Mavrogiannopoulos2018-02-194-6/+92
| | | | | | | This is a function to allow obtaining the validity of the OCSP responses already set in the credential structures. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ocsp: enhanced the OCSP response loading APIsNikos Mavrogiannopoulos2018-02-1914-77/+405
| | | | | | | | | | | | | Introduced gnutls_certificate_set_ocsp_status_request_file2() and gnutls_certificate_set_ocsp_status_request_mem(). These functions behave as the equivalent certificate loading functions and pre-load the OCSP response provided as a file, either in DER or in PEM form. In addition, ensure that if the server is provided a problematic OCSP response, or the OCSP response is not renewed before it is invalid, we will not provide it to the clients. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls-serv: allow loading multiple OCSP responsesNikos Mavrogiannopoulos2018-02-192-10/+25
| | | | | | | | | That is, allow specifying multiple 'ocsp-response' options on command line. In addition introduce the option 'ignore-ocsp-response-errors' which will set the GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK flag prior to importing the response. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* cert: introduced flag GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECKNikos Mavrogiannopoulos2018-02-192-1/+18
| | | | | | | | | | | This allows reverting the new semantics of checking the loaded OCSP response against the certificates present and return to the 3.5.x semantics. That option is also useful for debugging as it allows setting an arbitrary response and checking gnutls' client behavior with that. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_certificate_set_ocsp_status_request_file: match input response to ↵Nikos Mavrogiannopoulos2018-02-196-22/+112
| | | | | | | | | | | certificates That is, iterate through the certificate chain to figure to which certificate the response corresponds to, and assign it to it. That allows for applications to re-use this function to set multiple responses when available. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ocsp: moved non-extension related functions to ocsp-api.cNikos Mavrogiannopoulos2018-02-193-250/+287
| | | | | | | That keeps ext/status_response.c clear of items that are not related with the extension handling. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_ocsp_status_request_get2: allow operation under TLS1.3 for server sideNikos Mavrogiannopoulos2018-02-191-2/+3
| | | | | | | Under TLS1.3 it is possible for both client and server to send the status request extension in certificate message. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* select_sign_algorithm: check KX type only on pre-TLS1.3Nikos Mavrogiannopoulos2018-02-191-1/+1
| | | | | | | | That, when selecting a certificate under TLS1.3, considers the negotiated signature algorithms for compatibility with the certificate to be selected. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* rename _gnutls_selected_certs_set -> selected_certs_setNikos Mavrogiannopoulos2018-02-191-33/+33
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ocsp: send all the OCSP responses under TLS1.3Nikos Mavrogiannopoulos2018-02-194-11/+117
| | | | | | | That is, any responses set by the caller application (directly or via a callback), will be sent to the peer. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* introduced gnutls_certificate_retrieve_function3Nikos Mavrogiannopoulos2018-02-197-223/+366
| | | | | | | | | | | | That allows a certificate callback to provide OCSP responses in addition to certificates. That also introduces a flags option which currently accepts GNUTLS_CERT_RETR_DEINIT_ALL which allows the callback to specify whether the provided data should be deinitialized. To simplify the certificate callback code, all previous (now legacy) callbacks are implemented as wrappers over the new callback function. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_ocsp_resp_list_import2: introducedNikos Mavrogiannopoulos2018-02-194-2/+145
| | | | | | | That is, introduced function to to import multiple OCSP PEM responses into a list. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ocsptool: import and export OCSP responses in PEM formatNikos Mavrogiannopoulos2018-02-192-33/+114
| | | | | | | | | That also modifies the 'request-info' and 'response-info' commands to check the 'outfile' parameter and if set, to store the corresponding structure into that file. Currently for OCSP requests there is no printing of PEM data. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ocsp: introduced gnutls_ocsp_resp_import2 and gnutls_ocsp_resp_export2Nikos Mavrogiannopoulos2018-02-193-11/+99
| | | | | | | These allow importing and exporting an OCSP response to PEM format, in addition to DER. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_x509_cert_verify_peers: verify all received OCSP responsesNikos Mavrogiannopoulos2018-02-191-22/+29
| | | | | | | That is, when verifying the server's certificate, take into account all present OCSP responses. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_ocsp_status_request_get2: added functionNikos Mavrogiannopoulos2018-02-193-3/+39
| | | | | | | The function extends gnutls_ocsp_status_request_get() to retrieve more than a single responses. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tls13/certificate: parse OCSP status response and save responses in auth ↵Nikos Mavrogiannopoulos2018-02-193-45/+90
| | | | | | | | info struct That provides support of OCSP status response under TLS 1.3. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ext/status_request: allow more than a single OCSP response to be receivedNikos Mavrogiannopoulos2018-02-195-99/+136
| | | | | | | | | | That change allows for arbitrary number of OCSP responses which is required in TLS1.3. The received list is now stored in auth structure, and thus packed with it on resumption data. The status response extension data, are now only used on server side, when temporarily storing the OCSP response to send. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_copy_certificate_auth_info: simplified and avoid multiple allocationsNikos Mavrogiannopoulos2018-02-193-33/+17
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: updated to account for HMAC-SHA384 and CAMELLIA removalNikos Mavrogiannopoulos2018-02-196-34/+14
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* priorities: provide a more consistent "story" for default cipher settingsNikos Mavrogiannopoulos2018-02-191-37/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Current settings in NORMAL priorities which were affected: * Enabled ciphers: - AES-GCM - CHACHA20-POLY1305 - AES-CCM - AES-CBC * Enabled signature algorithms: - RSA-SHA256 - RSA-PSS-SHA256 - ECDSA-SHA256 / ECDSA-SECP256R1-SHA256 - EDDSA-ED25519 - RSA-SHA384 - RSA-PSS-SHA384 - ECDSA-SHA384 / ECDSA-SECP384R1-SHA384 - RSA-SHA512 - RSA-PSS-SHA512 - ECDSA-SHA512 / ECDSA-SECP521R1-SHA512 - RSA-SHA1 - ECDSA-SHA1 Removed: * Ciphersuites utilizing HMAC-SHA384. That MAC is only used on "legacy" type of ciphersuites, and doesn't provide any advantage over HMAC-SHA256. * Ciphersuites utilizing CAMELLIA were removed. TLS1.3 doesn't define any CAMELLIA ciphersuites, and thus provide consistent defaults across protocols. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certificate request: corrected parsing of signature algorithmsNikos Mavrogiannopoulos2018-02-191-0/+10
| | | | | | That fixes an issue in TLS 1.3 certificate request message parsing. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tlsfuzzer: updated to latest masterNikos Mavrogiannopoulos2018-02-193-1/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc: documented hsk_flags "lifetime" and its resetNikos Mavrogiannopoulos2018-02-191-0/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* session state: TLS1.2 and TLS1.3 state is stored as unionNikos Mavrogiannopoulos2018-02-1910-119/+136
| | | | | | | | | That is, to reduce memory usage as these protocol cannot be used in parallel. Relates: #281 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* session state: organized key exchange keys into structuresNikos Mavrogiannopoulos2018-02-1914-244/+257
| | | | | | | That is, with the view of separating the data needed for TLS1.2 and earlier and TLS1.3. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* record state: avoid memory allocations for stored keysNikos Mavrogiannopoulos2018-02-194-123/+128
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: ffdhe flags merged with handshake flagsNikos Mavrogiannopoulos2018-02-196-16/+12
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: false start flag merged with hsk_flagsNikos Mavrogiannopoulos2018-02-193-6/+3
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: use hsk_flags in TLS1.2 and TLS1.3Nikos Mavrogiannopoulos2018-02-198-19/+13
| | | | | | | The flags provide a more transparent view of the received and expected messages. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: added text on TLS1.3 rekey and reauthenticationNikos Mavrogiannopoulos2018-02-191-6/+33
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* updated auto-generated filesNikos Mavrogiannopoulos2018-02-193-0/+4
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests: re-enabled post-handshake auth testsNikos Mavrogiannopoulos2018-02-192-14/+56
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: added support for post-handshake authenticationNikos Mavrogiannopoulos2018-02-1914-51/+448
| | | | | | | | | | | | That is: * introduced a gnutls_init() flag for clients to enable post-handshake authentication * introduced gnutls_reauth() function, to be called by servers to request authentication, and by clients to perform authentication Resolves #562 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_record_set_state: use const for seq_numberNikos Mavrogiannopoulos2018-02-192-2/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tests: added test suite on key limitsNikos Mavrogiannopoulos2018-02-192-0/+342
| | | | | | This checks whether key update occurs for the expected ciphersuites. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_record_get_state: doc updateNikos Mavrogiannopoulos2018-02-191-2/+3
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Introduce key usage limits under TLS1.3Nikos Mavrogiannopoulos2018-02-194-1/+18
| | | | | | | | | That introduces a transparent key update for sending key after the safety limit is reached. Resolves #130 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
View Lorry Controller Status