path: root/lib/priority.c
* Use ASCII version of strcasecmp() in library code (tmp-lib-c-strcase)
  Author: Tim Rühsen   Date: 2018-09-27   Files: 1   Lines: -17/+18

    strcasecmp() has side effects in some locales. What we really need is
    c_strcasecmp() from Gnulib for comparing ASCII strings.

    Fixes #570

    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

* Enable the TLS1.3 protocol by default
  Author: Nikos Mavrogiannopoulos   Date: 2018-09-24   Files: 1   Lines: -2/+0

    As the protocol has been finalized, and the implementation is stable and
    interoperable, there is no need to enable it conditionally.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Fix issue introduced in 20886264fe
  Author: Tim Rühsen   Date: 2018-09-20   Files: 1   Lines: -3/+3

    This makes _gnutls_resolve_priorities() return a string that is always
    allocated with the gnutls memory functions.

    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

* priority: be backwards compatible with priority strings starting with NONE
  Author: Nikos Mavrogiannopoulos   Date: 2018-09-12   Files: 1   Lines: -11/+21

    That is, we allow priority strings which do not enable any groups to work,
    by disabling TLS1.3. For example
    'NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-GCM:+SIGN-ALL:+COMP-NULL'
    is still operational, but no TLS1.3 is enabled when specified.

    Resolves: #549

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Use gnutls_strdup() instead of strdup() in library code (tmp-strdup)
  Author: Tim Rühsen   Date: 2018-08-24   Files: 1   Lines: -1/+1

    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

* Implemented RFC7250 certificate type negotiation extensions.
  Author: Tom Vrancken   Date: 2018-08-20   Files: 1   Lines: -8/+92

    Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>

* algorithms: add support for FFDHE6144
  Author: Daiki Ueno   Date: 2018-08-08   Files: 1   Lines: -0/+3

    Signed-off-by: Daiki Ueno <dueno@redhat.com>

* gnutls_priority_init: fix err_pos on invalid strings
  Author: Nikos Mavrogiannopoulos   Date: 2018-07-19   Files: 1   Lines: -5/+12

    When the provided string would be resolved (e.g., due to a @ priority
    being used) to a different string, then do not attempt to detect the
    right location of the error. It will not be useful to the caller.

    This addresses the issue of test suite failure when
    --with-system-priority-file and --with-default-priority-string are
    provided. It also enhances the test suite with these options being
    active.

    Resolves #517

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* _gnutls_resolve_priorities: avoid gnu extension for ?: construct
  Author: Nikos Mavrogiannopoulos   Date: 2018-07-14   Files: 1   Lines: -1/+3

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* priorities: ensure that SSL3.0 enablement fails early when disabled
  Author: Nikos Mavrogiannopoulos   Date: 2018-07-13   Files: 1   Lines: -8/+13

    That is, that a priority string with only SSL3.0 present is discarded as
    invalid.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* gnutls_priority_init2,gnutls_set_default_priority_append: introduced
  Author: Nikos Mavrogiannopoulos   Date: 2018-07-09   Files: 1   Lines: -3/+135

    This allows enhancing the default priority with additional options,
    allowing an application to introduce stricter (or weaker) settings
    without requiring it to override all settings.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* configure: added option --enable-tls13-support
  Author: Nikos Mavrogiannopoulos   Date: 2018-07-07   Files: 1   Lines: -0/+3

    The new option enables TLS1.3 draft-28 support unconditionally.
    Updated the test suite to run when TLS1.3 is enabled by default, and
    added a CI run with TLS1.3 enabled.

    Resolves #424

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* priorities: introduced %FORCE_ETM (tmp-measure-record)
  Author: Nikos Mavrogiannopoulos   Date: 2018-06-12   Files: 1   Lines: -0/+4

    This introduces a priority string option to force encrypt-then-mac
    during negotiation, to prevent negotiating the legacy CBC ciphersuites.

    Resolves #472

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* priorities: hmac-sha256 ciphersuites were removed from defaults
  Author: Nikos Mavrogiannopoulos   Date: 2018-06-12   Files: 1   Lines: -4/+0

    These ciphersuites are deprecated since the introduction of AEAD
    ciphersuites, and are only necessary for compatibility with older
    servers. Since older servers already support hmac-sha1 there is no
    reason to keep these ciphersuites enabled by default, as they increase
    our attack surface.

    Relates #456

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* session tickets: expose {encrypt,decrypt}_ticket as internal API
  Author: Ander Juaristi   Date: 2018-05-26   Files: 1   Lines: -1/+1

    To reuse the same ticket construction in any TLS versions, expose the
    private functions in ext/session_ticket.c.

    Signed-off-by: Ander Juaristi <a@juaristi.eus>
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* priority: handle RSA-PSK ciphersuites similar to SRP
  Author: Nikos Mavrogiannopoulos   Date: 2018-04-30   Files: 1   Lines: -5/+11

    That is, when specified, disable TLS1.3.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* priority: document the reasons for the order of supported groups [ci skip]
  Author: Nikos Mavrogiannopoulos   Date: 2018-04-16   Files: 1   Lines: -0/+5

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* ANON,SRP,NULL ciphersuites: when set do not negotiate TLS1.3 or later
  Author: Nikos Mavrogiannopoulos   Date: 2018-04-13   Files: 1   Lines: -8/+30

    The reason is that these ciphersuites cannot be negotiated using TLS1.3.
    There is a different strategy followed for these.

    * NULL ciphersuites: they are not something normally enabled and used
      for debugging purposes mostly. When set both in client and server side
      only TLS1.2 can be used.

    * SRP ciphersuites: they are used on client side when the client is
      actually performing a username-password authentication with SRP. On
      server side we can have indeed a server support SRP and non-SRP. In
      that case we limit both on TLS1.2. That is an unfortunate restriction,
      but it is not a regression and IMHO these servers would most likely be
      phased out as very few would want to stick to TLS1.2 connections for
      SRP; or we may have an SRP update for TLS1.3 which could lift that
      limitation in the future.

    * ANON ciphersuites: they are used in certain client/server setups where
      a very basic level of security is required, and in opportunistic
      encryption scenarios. There is a difference in the handling of these
      cases. In the case of Anon-only server/clients they provide the session
      with anonymous credentials structure; in the case of opportunistic
      encryption they provide both certificate and anonymous credentials.
      Thus we allow the protocol (TLS1.3) to be in the priorities, but if we
      see no certificate or PSK credentials we disable TLS1.3 negotiation.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* priority: added GROUP-DH-ALL and GROUP-EC-ALL
  Author: Nikos Mavrogiannopoulos   Date: 2018-04-06   Files: 1   Lines: -0/+28

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Added support for out-of-band Pre-shared keys under TLS1.3
  Author: Ander Juaristi   Date: 2018-04-06   Files: 1   Lines: -2/+12

    That adds support for pre-shared keys with and without Diffie-Hellman
    key exchange. That's a modified version of Ander's initial patch.

    Resolves #414
    Resolves #125

    Signed-off-by: Ander Juaristi <a@juaristi.eus>
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.org>

* priorities: disable any key exchange methods if there is no TLS1.2 or earlier
  Author: Nikos Mavrogiannopoulos   Date: 2018-03-23   Files: 1   Lines: -14/+35

    That is, because TLS1.2 has specific requirements in the ordering of
    curves/groups if certain ciphersuites (ECDHE/DHE) are present, and by
    being able to eliminate them early we simplify the negotiation for
    TLS1.3-only clients/servers.

    Relates #378

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* signatures: distinguish RSA-PSS signatures with RSA PKCS#1 1.5 certificates from "pure"
  Author: Nikos Mavrogiannopoulos   Date: 2018-03-09   Files: 1   Lines: -0/+8

    This change enhances signature algorithms to have a private key
    algorithm parameter. That is, to allow signature algorithms operating
    with a private key of type X while the public key is of type Y. That is
    useful for the RSA-PSS signatures which are of two types; one which is
    seen from servers having PKCS#1 1.5 certificates, the other with RSA-PSS
    certificates, while both utilize RSA-PSS private keys.

    This is a draft-ietf-tls-tls13-23 change.

    Resolves #400

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* priorities: provide a more consistent "story" for default cipher settings
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-19   Files: 1   Lines: -37/+13

    Current settings in NORMAL priorities which were affected:

    * Enabled ciphers:
      - AES-GCM
      - CHACHA20-POLY1305
      - AES-CCM
      - AES-CBC

    * Enabled signature algorithms:
      - RSA-SHA256
      - RSA-PSS-SHA256
      - ECDSA-SHA256 / ECDSA-SECP256R1-SHA256
      - EDDSA-ED25519
      - RSA-SHA384
      - RSA-PSS-SHA384
      - ECDSA-SHA384 / ECDSA-SECP384R1-SHA384
      - RSA-SHA512
      - RSA-PSS-SHA512
      - ECDSA-SHA512 / ECDSA-SECP521R1-SHA512
      - RSA-SHA1
      - ECDSA-SHA1

    Removed:

    * Ciphersuites utilizing HMAC-SHA384. That MAC is only used on "legacy"
      type of ciphersuites, and doesn't provide any advantage over
      HMAC-SHA256.

    * Ciphersuites utilizing CAMELLIA were removed. TLS1.3 doesn't define
      any CAMELLIA ciphersuites, and thus this provides consistent defaults
      across protocols.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* lib: simplify adding groups according to priorities
  Author: Dmitry Eremin-Solenikov   Date: 2018-02-19   Files: 1   Lines: -21/+12

    There is little point in remembering if EC or DHE came first and then
    adding necessary groups checking that flag. Instead just add groups at
    the time the first EC or DHE ciphersuite is met.

    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* extensions: renamed _gnutls_hello_ext_*sdata to _gnutls_hello_ext_*priv
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-19   Files: 1   Lines: -1/+1

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* priority: include groups into priority when having a TLS1.3-only session
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-19   Files: 1   Lines: -2/+27

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* priority: do include all the version's signature semantics
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-19   Files: 1   Lines: -4/+0

    This resolves an issue which prevented handling certain types of
    TLS1.3-only signatures, depending on the order of enabled protocols.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* extensions: files renamed to hello_ext
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-19   Files: 1   Lines: -1/+1

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* extensions: renamed hello extension handling functions appropriately
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-19   Files: 1   Lines: -1/+1

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* ext/signature: improved TLS 1.3 signature algorithm negotiation
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-19   Files: 1   Lines: -3/+5

    That is, we introduce a simpler way to handle multiple versions of a
    single signature algorithm.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: added the TLS 1.3 ciphersuites
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-19   Files: 1   Lines: -0/+13

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* priorities: when no signature algorithms eliminate (D)TLS 1.2 or later
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-19   Files: 1   Lines: -6/+19

    If an application intentionally disables all signature algorithms,
    ensure that we can operate by eliminating protocol options which require
    these signature algorithms to be set.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* priority: do not include signature algorithms that apply to different TLS version
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-19   Files: 1   Lines: -5/+51

    That is, when a signature algorithm that is only applicable to specific
    TLS protocol semantics (e.g., ECDSA-SECP256R1-SHA256) is enabled, under
    TLS 1.2, it will result in no code points being added. That prevents
    connection errors due to "wrong" code points being added that do not
    correspond to a usable signature algorithm under the protocol.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* ext/signature: added TLS 1.3 signature algorithm negotiation
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-19   Files: 1   Lines: -3/+12

    That patch adds the signature algorithms:
     - GNUTLS_SIGN_ECDSA_SECP256R1_SHA256
     - GNUTLS_SIGN_ECDSA_SECP384R1_SHA384
     - GNUTLS_SIGN_ECDSA_SECP521R1_SHA512
    and enables them for the default TLS priority strings.

    In addition it allows negotiating signature algorithms sharing the same
    TLS IDs, but which have different semantics between TLS versions (e.g.,
    6,4 maps to GNUTLS_SIGN_ECDSA_SHA512 under TLS 1.2 but to
    GNUTLS_SIGN_ECDSA_SECP521R1_SHA512 under TLS 1.3).

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: legacy version negotiation is not used for TLS 1.3
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-19   Files: 1   Lines: -0/+5

    That is, ensure that the functions used for TLS 1.2 and earlier
    negotiation cannot be used with TLS 1.3. That is because TLS 1.3 is
    negotiated using a TLS extension.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Revert "priority: disable the enabled by default RSA-PSS signature algorithms"
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-19   Files: 1   Lines: -7/+7

    This reverts commit ef44477127952c13e93d7ea88f7b549bf36602f5.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* priority: disable the enabled by default RSA-PSS signature algorithms (tmp-tests-include-ccm)
  Author: Nikos Mavrogiannopoulos   Date: 2018-02-12   Files: 1   Lines: -7/+7

    They have been modified in the latest (yet unsupported) TLS 1.3 drafts,
    so prevent causing interoperability failures by keeping them on.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* gnutls_priority_ecc_curve_list: avoid including groups into elliptic curves list
  Author: Nikos Mavrogiannopoulos   Date: 2017-08-02   Files: 1   Lines: -0/+13

    This provides a mostly-compatible behavior of
    gnutls_priority_ecc_curve_list() in order to avoid keeping additional
    information for elliptic curves in the priority cache. This approach
    will always return the supported curves, if the set groups are
    prioritized with the elliptic curve variants set first. This is the
    default in the built-in priorities, and in most common setups. Items
    which are non-valid curves will not be returned.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* TLS: introduced support for RFC7919 groups
  Author: Nikos Mavrogiannopoulos   Date: 2017-08-01   Files: 1   Lines: -44/+153

    That replaces the EC curve extension negotiation with the negotiated
    groups extensions, introduces handling for groups as priority strings,
    as well as using and checking of RFC7919 DH parameters once negotiated.

    Resolves: #37

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* gnutls_priority_set: use reference counting
  Author: Nikos Mavrogiannopoulos   Date: 2017-07-25   Files: 1   Lines: -44/+24

    That eliminates the need for gnutls_priority_set2() which is now
    removed.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Revert "Documented use gnutls_priority_set2()."
  Author: Nikos Mavrogiannopoulos   Date: 2017-07-25   Files: 1   Lines: -2/+0

    This reverts commit b4aed16ee30f76211c13b075149bb87c012f9bf6.

* priority: enabled Ed25519 signature by default
  Author: Nikos Mavrogiannopoulos   Date: 2017-07-17   Files: 1   Lines: -0/+4

    As our implementation interoperates with boringssl's implementation of
    Ed25519, we can now enable it.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Documented use gnutls_priority_set2().
  Author: Nikos Mavrogiannopoulos   Date: 2017-07-10   Files: 1   Lines: -0/+2

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* priorities: share priority structures across sessions
  Author: Nikos Mavrogiannopoulos   Date: 2017-07-10   Files: 1   Lines: -10/+63

    As the contents of the priority cache grows, it makes sense to share
    these structures across many sessions (in server side) rather than
    copying them to a session. All overrides of the priority contents were
    moved to session->internals. On client side where
    gnutls_priority_set_direct() is more commonly used, ensure that the set
    priority is deinitialized.

    That also introduces gnutls_priority_set2() which does not copy the
    priority contents by default.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* doc: corrected typo
  Author: Nikos Mavrogiannopoulos   Date: 2017-07-10   Files: 1   Lines: -4/+4

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: simplified signature algorithm list generation
  Author: Nikos Mavrogiannopoulos   Date: 2017-07-10   Files: 1   Lines: -8/+18

    Similarly to ciphersuites, that also utilizes a cache of signature
    algorithms on the priority structure which is used to quickly generate
    the signature algorithm list.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Eliminated access to obsolete priority cache fields
  Author: Nikos Mavrogiannopoulos   Date: 2017-07-10   Files: 1   Lines: -27/+25

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* handshake: simplified the server-side ciphersuite negotiation
  Author: Nikos Mavrogiannopoulos   Date: 2017-07-10   Files: 1   Lines: -1/+2

    This eliminates all the back and forth loops in the previous code while
    keeping the same ciphersuite selection checks in place.

    The ciphersuite selection tests that were kept:
     * Check if key exchange supports the server public key and key usage
       flags
     * Check if DH or other parameters required for the ciphersuite are
       present
     * Find appropriate certificate for the credentials and ciphersuite
     * Check whether a curve is negotiated for the ECDH ciphersuites

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* priority: include a cache of supported ciphersuites
  Author: Nikos Mavrogiannopoulos   Date: 2017-07-10   Files: 1   Lines: -0/+27

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Removed support for compression mechanisms
  Author: Nikos Mavrogiannopoulos   Date: 2017-06-22   Files: 1   Lines: -45/+15

    They are not required for TLS 1.3, and are deprecated for TLS 1.2. We
    eliminate them in order to reduce the complexity in the record packet
    handling.

    Resolves #212

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>