path: root/lib/gnutls_int.h
Commit log (newest first; each entry gives the commit message, author, date, files changed and lines removed/added):
* Fix gnutls_handshake_set_timeout() for values < 1000 (ref: tmp-fix-timeout)
  Tim Rühsen, 2018-12-06, 1 file, -1/+3 lines
  handshake-timeout.c now tests for <1000ms timeout and for >=1000ms timeout.
  The test duration decreased from 45s to 1.2s.
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Constant time/cache PKCS#1 RSA decryption (ref: tmp-fix-CVE-2018-16868)
  Simo Sorce, 2018-11-30, 1 file, -0/+4 lines
  This patch tries to make the code have the same time and memory access patterns across all branches of the decryption function so that timing or cache side channels are minimized or neutralized.
  To do so it uses a new nettle rsa decryption function that is side-channel silent.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* anti_replay: moved new add function into anti_replay structure
  Nikos Mavrogiannopoulos, 2018-11-15, 1 file, -1/+0 lines
  The new function was not sharing anything with the existing gnutls_db_* backend, and moving it to anti_replay structure is more clean and allows for deviations from the old API conventions (e.g., now we can pass pointers for efficiency and pass the expiration time as part of the call).
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* TLS 1.3: implement anti-replay measure using ClientHello recording
  Daiki Ueno, 2018-11-12, 1 file, -0/+3 lines
  This implements ClientHello recording outlined in section 8.2 of RFC 8446.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* db: introduce gnutls_db_set_add_function
  Daiki Ueno, 2018-11-12, 1 file, -0/+1 lines
  This adds a way to store an entry if it is not found in the database, so that the implementation can provide atomic test-and-set.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tls13/session_ticket: record timestamp in ticket
  Daiki Ueno, 2018-11-12, 1 file, -0/+1 lines
  This is needed for implementing freshness checks outlined in 8.3 of RFC 8446.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* handshake: handle early data
  Daiki Ueno, 2018-11-11, 1 file, -4/+14 lines
  This plumbs early data handling into the handshake processes, which consists of:
  - traffic key updates taking into account client_early_traffic_secret
  - early data buffering in both server and client
  - the EndOfEarlyData message handling
  - making use of max_early_data_size extension in NewSessionTicket
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* handshake: record transcript hash for ClientHello
  Daiki Ueno, 2018-11-11, 1 file, -0/+1 lines
  This is necessary to compute client_early_traffic_secret and early_exporter_master_secret in TLS 1.3.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Unconditionally include nettle/memxor.h (ref: tmp-remove-gl-memxor)
  Tim Rühsen, 2018-11-10, 1 file, -5/+0 lines
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* tls13/session_ticket: calculate ticket_age in milliseconds
  Daiki Ueno, 2018-10-26, 1 file, -1/+1 lines
  Previously we calculated ticket age from the current wall clock in seconds, multiplying by 1000. This is conceptually wrong, because ticket age is designed to be in milliseconds.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* _gnutls_timespec_cmp: new inline function
  Daiki Ueno, 2018-10-25, 1 file, -0/+12 lines
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tls13/session_ticket: rename tls13_ticket_t type to tls13_ticket_st
  Daiki Ueno, 2018-10-25, 1 file, -3/+3 lines
  This is consistent with the coding guideline.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Merge branch 'tmp_cleanup_and_fixes' into 'master'
  Nikos Mavrogiannopoulos, 2018-10-23, 1 file, -2/+2 lines
  Cleanup and fixes
  Closes #453
  See merge request gnutls/gnutls!779
  * Renamed fields in priority_st to improve code readability. Fixes #453. (on the merged branch)
    Tom Vrancken, 2018-10-18, 1 file, -2/+2 lines
    Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* handshake: send missing extension alert
  Nikos Mavrogiannopoulos, 2018-10-16, 1 file, -2/+5 lines
  When a key share extension is not seen under TLS1.3, send the missing extension alert.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_init: added flag for automatic re-authentication
  Nikos Mavrogiannopoulos, 2018-10-16, 1 file, -1/+3 lines
  This introduces the GNUTLS_AUTO_REAUTH gnutls_init() flag and makes re-authentication under TLS simpler to enable and use.
  Resolves #571
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Added session ticket key rotation with TOTP
  Ander Juaristi, 2018-09-19, 1 file, -2/+34 lines
  This introduces session ticket key rotation on server side. The key set with gnutls_session_ticket_enable_server() is used as a master key to generate time-based keys for tickets. The rotation relates to the gnutls_db_set_cache_expiration() period.
  Resolves #184
  Signed-off-by: Ander Juaristi <a@juaristi.eus>
* Remove gnulib work-around '#undef strdup'
  Tim Rühsen, 2018-08-24, 1 file, -6/+0 lines
  The 'issue' should be fixed already. Even if not, it has to be addressed in gnulib.
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Implemented RFC7250 certificate type negotiation extensions.
  Tom Vrancken, 2018-08-20, 1 file, -7/+25 lines
  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* ext/record_size_limit: new extension
  Daiki Ueno, 2018-08-20, 1 file, -0/+4 lines
  This implements the record_size_limit extension as defined in RFC 8449. Although it obsoletes the max_record_size extension, for compatibility reasons GnuTLS still sends it on certain occasions. For example, when the new size is representable as the codepoint defined for max_record_size.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* gnutls_session_resumption_requested: fixed behavior under TLS1.3
  Nikos Mavrogiannopoulos, 2018-08-20, 1 file, -1/+4 lines
  This makes gnutls_session_resumption_requested() functional under TLS1.3 and introduces a unit test of the function.
  Resolves #546
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* resume: keep persistent session identifiers
  Nikos Mavrogiannopoulos, 2018-08-07, 1 file, -0/+2 lines
  With the introduction of session ticket support (TLS1.2) and TLS1.3, session identifiers have no persistency on server or client side. Improve the situation by introducing persistent session identifiers on server side in a backwards compatible way.
  Resolves #484
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* buffers: handle very short fragmentation of handshake messages
  Daiki Ueno, 2018-08-06, 1 file, -0/+1 lines
  If the received record doesn't even complete the handshake header (i.e., the record size < 4), keep it in a temporary buffer and let the caller receive more records. Once enough data is received, move the already received records back to record_buffer and proceed to the normal processing.
  Fixes: #272
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* TLS 1.3: ignore "early_data" extension
  Daiki Ueno, 2018-08-06, 1 file, -0/+10 lines
  As 0-RTT is still not implemented in GnuTLS, the server responds with 1-RTT, by skipping decryption failure up to max_early_data_size, as suggested in 4.2.10 Early Data Detection.
  Resolves #512
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tls1.3: server returns early on handshake when no cert is provided by client
  Nikos Mavrogiannopoulos, 2018-08-03, 1 file, -4/+12 lines
  Under TLS1.3 the server knows the negotiated keys early, if no client certificate is sent. In that case, the server is not only able to transmit the session ticket immediately after its finished message, but is also able to transmit data, similarly to false start.
  Resolves #481
  Resolves #457
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls13_recv_async_handshake: process multiple and split handshake messages (ref: tmp-fix-multi-async-msg)
  Nikos Mavrogiannopoulos, 2018-07-12, 1 file, -1/+2 lines
  It is permitted to concatenate multiple async handshake messages in a single record message as well as split large messages (NST) into multiple records. Modified _gnutls13_recv_async_handshake() to process them correctly, instead of assuming that they are formatted as one message per record.
  Resolves #510
  Resolves #504
  Relates #511
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* key update: corrected generation of keys
  Nikos Mavrogiannopoulos, 2018-06-27, 1 file, -2/+2 lines
  Resolves #485
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* extensions: corrected order of pre-shared-key and dumbfw
  Nikos Mavrogiannopoulos, 2018-06-22, 1 file, -3/+2 lines
  The pre-shared-key MUST always be last under TLS1.3 while the dumbfw extension should be last in order to do proper evaluation of extension size (gnutls requirement). As such the protocol requirement takes precedence.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_supplemental_register: disable TLS 1.3 globally
  Nikos Mavrogiannopoulos, 2018-06-21, 1 file, -0/+1 lines
  This allows using the registered supplemental data handlers, since these are not used under TLS 1.3.
  Resolves #479
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_session_supplemental_register: disable TLS1.3 when set
  Nikos Mavrogiannopoulos, 2018-06-21, 1 file, -1/+2 lines
  This allows using the registered supplemental data handlers, since these are not used under TLS 1.3.
  Resolves #479
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls13_handshake_server: send CCS immediately after HRR
  Daiki Ueno, 2018-06-15, 1 file, -1/+1 lines
  In the TLS 1.3 middlebox compatibility mode, CCS follows the first handshake message sent from the server, that is either SH or HRR.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* MAX_CIPHER_BLOCK_SIZE: increased to 64-bytes for CHACHA20
  Nikos Mavrogiannopoulos, 2018-06-14, 1 file, -1/+1 lines
  This was not necessary since that value was only used by block (in TLS sense) ciphers, but that definition could also be used for the CHACHA20.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* priorities: introduced %FORCE_ETM (ref: tmp-measure-record)
  Nikos Mavrogiannopoulos, 2018-06-12, 1 file, -0/+1 lines
  This introduces a priority string option to force encrypt-then-mac during negotiation, to prevent negotiating the legacy CBC ciphersuites.
  Resolves #472
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Renamed extension supported ECC to supported groups. Fixes #451.
  Tom Vrancken, 2018-05-29, 1 file, -16/+16 lines
  Split combined ECC extensions into different files.
  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* gnutls_session_ticket_send: new function
  Nikos Mavrogiannopoulos, 2018-05-26, 1 file, -1/+7 lines
  Introduced in order for a server to be able to send an arbitrary amount of tickets, at any time.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* TLS 1.3: Introduced TLS 1.3 session resumption
  Ander Juaristi, 2018-05-26, 1 file, -14/+49 lines
  This introduces session resumption under TLS 1.3. For that, it enables the psk_ke_modes extension when we enable session tickets. It enables sending session tickets in addition to PSK usernames. The detection of resumption vs pure PSK is done by comparing the indexes sent with the index received by the server.
  TLS 1.3 session tickets are always sent to the peer unless the GNUTLS_NO_TICKETS is specified.
  Resolves #290
  Signed-off-by: Ander Juaristi <a@juaristi.eus>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* session tickets: expose {encrypt,decrypt}_ticket as internal API
  Ander Juaristi, 2018-05-26, 1 file, -0/+13 lines
  To reuse the same ticket construction in any TLS versions, expose the private functions in ext/session_ticket.c.
  Signed-off-by: Ander Juaristi <a@juaristi.eus>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: record transcript offset of client Finished
  Daiki Ueno, 2018-05-26, 1 file, -0/+2 lines
  This is for deriving resumption_master_secret, whose value is calculated over ClientHello...client Finished.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tls13/certificate_request: corrected check of duplicate signature algorithms
  Nikos Mavrogiannopoulos, 2018-05-04, 1 file, -1/+0 lines
  Made the check local when parsing a certificate request, as we may receive multiple requests when post-handshake authentication is in place. Furthermore check whether this extension has been received as this is a mandatory one. In addition handle a memory leak when multiple peer certificates are set.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Added support for out-of-band Pre-shared keys under TLS1.3
  Ander Juaristi, 2018-04-06, 1 file, -3/+48 lines
  That adds support for pre-shared keys with and without Diffie-Hellman key exchange. That's a modified version of initial Ander's patch.
  Resolves #414
  Resolves #125
  Signed-off-by: Ander Juaristi <a@juaristi.eus>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.org>
* _gnutls_supported_ecc_recv_params: take into account precedence
  Nikos Mavrogiannopoulos, 2018-03-23, 1 file, -1/+4 lines
  That is, when %SERVER_PRECEDENCE is given in the priority string make sure that the negotiated curve of DH group respects the server's priorities. That's very relevant under TLS1.3 as ciphersuite negotiation itself, where %SERVER_PRECEDENCE applied, does contain only the cipher algorithm and MAC unlike TLS1.2 which included key exchange as well.
  Resolves #378
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Hello retry request matches server hello
  Nikos Mavrogiannopoulos, 2018-03-09, 1 file, -0/+11 lines
  That also distinguishes between them by using the special random value, and implements the version check as in draft-ietf-tls-tls13-24.
  Resolves #391 #390 #392
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* record: ignore any ChangeCipherSpec messages under TLS1.3 handshake
  Nikos Mavrogiannopoulos, 2018-03-08, 1 file, -1/+5 lines
  Also send ChangeCipherSpec messages under TLS1.3 handshake. This is a draft-ietf-tls-tls13-22 change.
  Resolves #395
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ocsp: enhanced the OCSP response loading APIs
  Nikos Mavrogiannopoulos, 2018-02-19, 1 file, -1/+1 lines
  Introduced gnutls_certificate_set_ocsp_status_request_file2() and gnutls_certificate_set_ocsp_status_request_mem(). These functions behave as the equivalent certificate loading functions and pre-load the OCSP response provided as a file, either in DER or in PEM form.
  In addition, ensure that if the server is provided a problematic OCSP response, or the OCSP response is not renewed before it is invalid, we will not provide it to the clients.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ocsp: send all the OCSP responses under TLS1.3
  Nikos Mavrogiannopoulos, 2018-02-19, 1 file, -2/+2 lines
  That is, any responses set by the caller application (directly or via a callback), will be sent to the peer.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* introduced gnutls_certificate_retrieve_function3
  Nikos Mavrogiannopoulos, 2018-02-19, 1 file, -1/+9 lines
  That allows a certificate callback to provide OCSP responses in addition to certificates. That also introduces a flags option which currently accepts GNUTLS_CERT_RETR_DEINIT_ALL which allows the callback to specify whether the provided data should be deinitialized.
  To simplify the certificate callback code, all previous (now legacy) callbacks are implemented as wrappers over the new callback function.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: documented hsk_flags "lifetime" and its reset
  Nikos Mavrogiannopoulos, 2018-02-19, 1 file, -0/+2 lines
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* session state: TLS1.2 and TLS1.3 state is stored as union
  Nikos Mavrogiannopoulos, 2018-02-19, 1 file, -8/+10 lines
  That is, to reduce memory usage as these protocols cannot be used in parallel.
  Relates: #281
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* session state: organized key exchange keys into structures
  Nikos Mavrogiannopoulos, 2018-02-19, 1 file, -40/+53 lines
  That is, with the view of separating the data needed for TLS1.2 and earlier and TLS1.3.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* record state: avoid memory allocations for stored keys
  Nikos Mavrogiannopoulos, 2018-02-19, 1 file, -3/+9 lines
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>