path: root/lib/algorithms.h
Commit log (newest first). Each entry lists the commit subject, then author, date, number of files touched and lines removed/added, followed by the commit message.

* build: avoid -Wenum-conversion warnings with GCC 10
  Author: Daiki Ueno  Date: 2020-06-15  Files: 1  Lines: -0/+13
  Signed-off-by: Daiki Ueno <ueno@gnu.org>

* algorithms: properly calculate hash strength for Ed448
  Author: Daiki Ueno  Date: 2020-03-16  Files: 1  Lines: -0/+6
  The Ed448 signature scheme internally uses XOF (SHAKE256) as the hash function with 114-octet output. According to FIPS-202, the strength against collisions is calculated as: min(114*8/2, 256) = 256
  Reported by Peter Dettman in: https://gitlab.com/gnutls/gnutls/-/issues/128#note_304892538
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* algorithms: implement X448 key exchange and Ed448 signature scheme
  Author: Daiki Ueno  Date: 2020-01-23  Files: 1  Lines: -2/+5
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* ext/signature: use GOST signatures for GOST ciphersuites
  Author: Dmitry Eremin-Solenikov  Date: 2019-12-18  Files: 1  Lines: -0/+10
  draft-smyshlyaev-tls12-gost-suites limits SignatureAndHash algorithms in CertificateRequest message to GOST values if GOST cipher suite is selected.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* lib: fix group selection in case of GOST cipher suites
  Author: Dmitry Eremin-Solenikov  Date: 2019-12-18  Files: 1  Lines: -0/+8
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* groups: add function to return group by curve
  Author: Dmitry Eremin-Solenikov  Date: 2019-11-07  Files: 1  Lines: -0/+1
  Two GOST groups will have two curves attached. Add function to retrieve group by curve, rather than by group id.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* ecc: define curve->group relationship
  Author: Dmitry Eremin-Solenikov  Date: 2019-11-07  Files: 1  Lines: -0/+1
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* tls-sig: reverse bytes in TLS signatures for GOST signatures
  Author: Dmitry Eremin-Solenikov  Date: 2019-10-31  Files: 1  Lines: -0/+1
  GOST TLS suites have one peculiarity: CertificateVerify message uses byte order opposite to the rest of GOST signature usage (BE instead of LE). So, reverse byte order in signatures in TLS code.
  For now this applies only to TLS 1.2 code. GOST TLS 1.3 ciphersuites will also follow this approach. Legacy TLS 1.0 ciphersuites also had this peculiarity.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* Merge branch 'tls-continuous-mac' into 'master'
  Author: Dmitry Eremin-Solenikov  Date: 2019-10-23  Files: 1  Lines: -1/+1
  Support GOST cipher suite MAC calculation
  See merge request gnutls/gnutls!1098

  * mac: change preimage_insecure to be a flag (commit on the merged branch)
    Author: Dmitry Eremin-Solenikov  Date: 2019-10-21  Files: 1  Lines: -1/+1
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* sign: convert tls13_ok to flags field
  Author: Dmitry Eremin-Solenikov  Date: 2019-10-21  Files: 1  Lines: -2/+2
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* config: added ability to override and mark algorithms as disabled
  Author: Nikos Mavrogiannopoulos  Date: 2019-06-20  Files: 1  Lines: -0/+16
  This allows the system administrator or the distributor to use the gnutls configuration file to mark hashes, signature algorithms, TLS versions, curves, groups, ciphers, KX, and MAC algorithms as insecure (the last four only in the context of a TLS session). It also allows setting a minimum profile which the applications cannot fall below.
  The options intentionally do not allow marking algorithms as secure so that the configuration file cannot be used as an attack vector.
  This change also makes sure that unsupported and disabled protocols during compile time (e.g., SSL3.0), do not get listed by gnutls-cli.
  The configuration file feature can be disabled at compile time with an empty --with-system-priority-file.
  This patch introduces the function gnutls_get_system_config_file() allowing applications to check whether a configuration file was used.
  Resolves: #587
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* server auth: disable TLS 1.3 if no signature algorithm is usable
  Author: Daiki Ueno  Date: 2019-05-20  Files: 1  Lines: -0/+3
  This is a server side counterpart of 005a4d04145707daad9588acedfdb5f6cd97c80c. Instead of signalling an error when no algorithm is usable in TLS 1.3, it downgrades the session to TLS 1.2 with a warning.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* Add or clean header guards in lib/
  Author: Tim Rühsen  Date: 2019-05-07  Files: 1  Lines: -3/+3
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

* Use https:// for www.gnu.org and www.example.com
  Author: Tim Rühsen  Date: 2019-03-13  Files: 1  Lines: -1/+1
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

* ECC export/import: updated documentation on EdDSA curves
  Author: Nikos Mavrogiannopoulos  Date: 2018-09-20  Files: 1  Lines: -2/+1
  This clarifies the format in which parameters in the EdDSA curves will be returned, and also ensures that the import/export functions fail on unsupported curves.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: simplified protocol version checking functions
  Author: Nikos Mavrogiannopoulos  Date: 2018-08-20  Files: 1  Lines: -2/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* sign_supports_cert_pk_algorithm: corrected check for RSAE-PSS
  Author: Nikos Mavrogiannopoulos  Date: 2018-07-02  Files: 1  Lines: -1/+1
  If the signature algorithm sets the `cert_pk` field, ignore the `pk` field completely. Not doing that would make the RSAE signature algorithms with RSA-PSS certificates which is against the intended use of `cert_pk`.
  Resolves #500
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Define GOST R 34.10 curves
  Author: Dmitry Eremin-Solenikov  Date: 2018-06-23  Files: 1  Lines: -0/+1
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* Add declarations to support GOST public keys
  Author: Dmitry Eremin-Solenikov  Date: 2018-06-23  Files: 1  Lines: -0/+4
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* Added support for out-of-band Pre-shared keys under TLS1.3
  Author: Ander Juaristi  Date: 2018-04-06  Files: 1  Lines: -0/+9
  That adds support for pre-shared keys with and without Diffie-Hellman key exchange. That's a modified version of Ander's initial patch.
  Resolves #414
  Resolves #125
  Signed-off-by: Ander Juaristi <a@juaristi.eus>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.org>

* signatures: distinguish RSA-PSS signatures with RSA PKCS#1 1.5 certificates from "pure"
  Author: Nikos Mavrogiannopoulos  Date: 2018-03-09  Files: 1  Lines: -0/+34
  This change enhances signature algorithms to have a private key algorithm parameter. That is, to allow signature algorithms operating with a private key of type X while the public key is of type Y. That is useful for the RSA-PSS signatures which are of two types; one which is seen from servers having PKCS#1 1.5 certificates, the other with RSA-PSS certificates, while both utilize RSA-PSS private keys.
  This is a draft-ietf-tls-tls13-23 change.
  Resolves #400
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: accept hello retry request in client side
  Author: Nikos Mavrogiannopoulos  Date: 2018-02-19  Files: 1  Lines: -0/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: simplified version parsing
  Author: Nikos Mavrogiannopoulos  Date: 2018-02-19  Files: 1  Lines: -0/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* record: adjusted overhead calculation for TLS1.3
  Author: Nikos Mavrogiannopoulos  Date: 2018-02-19  Files: 1  Lines: -0/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: added basic support for TLS 1.3 handshake in client side
  Author: Nikos Mavrogiannopoulos  Date: 2018-02-19  Files: 1  Lines: -0/+3
  That does not include support for client certificates as it requires extension handling improvements in order for extensions to be context sensitive (now they cannot distinguish whether the parsing routine is called during client hello or certificate request reading).
  This does not include proper parsing of extensions present in the certificate message.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* ext/signature: improved TLS 1.3 signature algorithm negotiation
  Author: Nikos Mavrogiannopoulos  Date: 2018-02-19  Files: 1  Lines: -0/+4
  That is, we introduce a simpler way to handle multiple versions of a single signature algorithm.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: added the TLS 1.3 ciphersuites
  Author: Nikos Mavrogiannopoulos  Date: 2018-02-19  Files: 1  Lines: -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: optimizations and enhancements in session version handling
  Author: Nikos Mavrogiannopoulos  Date: 2018-02-19  Files: 1  Lines: -1/+3
  This introduces the following new functions:
    const version_entry_st *_gnutls_legacy_version_max(gnutls_session_t session);
    const version_entry_st *_gnutls_version_max(gnutls_session_t session);
  which replace their previous counterparts.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* ext/signature: added TLS 1.3 signature algorithm negotiation
  Author: Nikos Mavrogiannopoulos  Date: 2018-02-19  Files: 1  Lines: -3/+9
  That patch adds the signature algorithms:
    - GNUTLS_SIGN_ECDSA_SECP256R1_SHA256
    - GNUTLS_SIGN_ECDSA_SECP384R1_SHA384
    - GNUTLS_SIGN_ECDSA_SECP521R1_SHA512
  and enables them for the default TLS priority strings.
  In addition it allows negotiating signature algorithms sharing the same TLS IDs, but which have different semantics between TLS versions (e.g., 6,4 maps to GNUTLS_SIGN_ECDSA_SHA512 under TLS 1.2 but to GNUTLS_SIGN_ECDSA_SECP521R1_SHA512 under TLS 1.3).
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: added support for negotiating version using extension
  Author: Nikos Mavrogiannopoulos  Date: 2018-02-19  Files: 1  Lines: -0/+2
  That is, introduced the TLS 1.3 supported_versions extension. It is currently only being used if negotiating TLS 1.3 or later.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: legacy version negotiation is not used for TLS 1.3
  Author: Nikos Mavrogiannopoulos  Date: 2018-02-19  Files: 1  Lines: -1/+1
  That is, ensure that the functions used for TLS 1.2 and earlier negotiation cannot be used with TLS 1.3. That is because TLS 1.3 is negotiated using a TLS extension.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* tests: added unit test for _gnutls_record_overhead()
  Author: Nikos Mavrogiannopoulos  Date: 2018-01-16  Files: 1  Lines: -1/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Corrected argument names of functions to correspond to declaration
  Author: Nikos Mavrogiannopoulos  Date: 2017-08-18  Files: 1  Lines: -3/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* lib: use casts and be explicit on intentional enumeration use
  Author: Nikos Mavrogiannopoulos  Date: 2017-08-18  Files: 1  Lines: -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* sign APIs: introduce RSA-RAW signing algorithm
  Author: Nikos Mavrogiannopoulos  Date: 2017-08-17  Files: 1  Lines: -0/+2
  This ensures that there is a signing algorithm for all the operations we support. Previously, we required GNUTLS_SIGN_UNKNOWN to be acceptable by signing functions to accommodate raw RSA operations. Now we make that explicit and in the process clean up the API.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* sign/digest: separate "brokenness" of signatures and hash algorithms
  Author: Nikos Mavrogiannopoulos  Date: 2017-08-04  Files: 1  Lines: -11/+11
  That is, allow digital signatures to be marked as broken irrespective of their used hash, and restrict hash brokenness to preimage resistance.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* *set_spki(): return error on incompatible algorithms
  Author: Nikos Mavrogiannopoulos  Date: 2017-08-03  Files: 1  Lines: -0/+2
  In addition update the public key algorithm field in the respective structure.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* gnutls_x509_privkey_generate2: do not hardcode the RSA-PSS hash to SHA256
  Author: Nikos Mavrogiannopoulos  Date: 2017-08-03  Files: 1  Lines: -0/+1
  Instead use _gnutls_pk_bits_to_sha_hash() to set an appropriate hash for the number of bits of the key. This matches better the "intention" of RSA-PSS or tying the security parameter with the salt and hash.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Clarified the purpose of the spki params related functions
  Author: Nikos Mavrogiannopoulos  Date: 2017-08-03  Files: 1  Lines: -0/+1
  _gnutls_privkey_get_sign_params was renamed to _gnutls_privkey_get_spki_params, _gnutls_privkey_update_sign_params to _gnutls_privkey_update_spki_params, and the dig entry of gnutls_x509_spki_st was renamed to rsa_pss_dig.
  The reason is that there could be a confusion on the purpose of the 'dig' entry, as it could be assumed to be the signature's hash algorithm in the general case. That could not be because the SPKI parameters do not contain it for any other algorithm than RSA-PSS. As such, make a logical separation from SPKI reading functions with the signature reading functions and try to use the gnutls_sign_entry_st when signature information is required.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Pass the signature algorithm lower in the verification stack
  Author: Nikos Mavrogiannopoulos  Date: 2017-08-03  Files: 1  Lines: -0/+1
  This will allow enhancing the back-ends (PKCS#11 and ext) for signing with the new signature algorithms like RSA-PSS and Ed25519.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* security_parameters: ease access to group information by keeping pointer to it
  Author: Nikos Mavrogiannopoulos  Date: 2017-08-02  Files: 1  Lines: -9/+0
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* TLS: introduced support for RFC7919 groups
  Author: Nikos Mavrogiannopoulos  Date: 2017-08-01  Files: 1  Lines: -9/+27
  That replaces the EC curve extension negotiation with the negotiated groups extensions, introduces handling for groups as priority strings, as well as using and checking of RFC7919 DH parameters once negotiated.
  Resolves: #37
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* _gnutls_digest_is_secure_for_certs: introduced
  Author: Nikos Mavrogiannopoulos  Date: 2017-07-21  Files: 1  Lines: -1/+11
  This is a macro to allow checking the security of a hash algorithm with respect to signing certificates.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Renamed GNUTLS_PK_ECDHX to GNUTLS_PK_ECDH_X25519
  Author: Nikos Mavrogiannopoulos  Date: 2017-07-17  Files: 1  Lines: -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Added support for EdDSA (Ed25519) curve keys
  Author: Nikos Mavrogiannopoulos  Date: 2017-07-17  Files: 1  Lines: -3/+25
  This adds support for draft-ietf-curdle-pkix-04.
  Resolves #25
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Renamed fields of sign_algorithm_st
  Author: Nikos Mavrogiannopoulos  Date: 2017-07-10  Files: 1  Lines: -2/+2
  The new names better reflect the reality with signature algorithms in TLS 1.3, and correct the initial naming error.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: simplified signature algorithm list generation
  Author: Nikos Mavrogiannopoulos  Date: 2017-07-10  Files: 1  Lines: -0/+3
  Similarly to ciphersuites, that also utilizes a cache of signature algorithms on the priority structure which is used to quickly generate the signature algorithm list.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Eliminated access to obsolete priority cache fields
  Author: Nikos Mavrogiannopoulos  Date: 2017-07-10  Files: 1  Lines: -7/+0
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: simplified the client-side ciphersuite negotiation
  Author: Nikos Mavrogiannopoulos  Date: 2017-07-10  Files: 1  Lines: -6/+4
  This takes advantage of the ciphersuite cache in priorities structure while keeping the same ciphersuite selection checks in place. The previous ciphersuite selection checks kept:
    * Removing SRP ciphersuites when no SRP credentials are set
    * Removing ciphersuites when no corresponding KX credentials were set
    * SCSV addition in SSL 3.0 and fallback SCSV
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>