path: root/lib/tls13

Commit log for lib/tls13, most recent first. Each entry gives the commit message, author, date, number of files changed and lines removed/added.

* tls13: request OCSP responses as a server
  Author: Nikos Mavrogiannopoulos   Date: 2020-01-20   Files: 1   Lines: -0/+16

  The TLS1.3 protocol requires the server to advertise an empty OCSP status
  request extension on its certificate verify message for an OCSP response to
  be sent by the client. We now always send this extension to allow clients to
  attach those responses.

  Resolves: #876

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* tls13: do not send OCSP responses as client without server requesting
  Author: Nikos Mavrogiannopoulos   Date: 2020-01-15   Files: 2   Lines: -1/+11

  On the client side, ensure we see a request for OCSP from servers before
  sending one.

  Relates: #876

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Merge branch 'tmp-ocsp-check' into 'master'
  Author: Nikos Mavrogiannopoulos   Date: 2020-01-09   Files: 1   Lines: -1/+1
  Branch: 903-add-crl-and-crq-fuzzers

  Provide flag to identify sessions that an OCSP response was requested

  Closes #829

  See merge request gnutls/gnutls!1131

  * Provide flag to identify sessions that an OCSP response was requested
    Author: Nikos Mavrogiannopoulos   Date: 2019-12-15   Files: 1   Lines: -1/+1

    That adds the flag GNUTLS_SFLAGS_CLI_REQUESTED_OCSP which can be checked by
    a server application to determine whether the client has requested stapled
    OCSP responses.

    This includes minor cleanups in the status request handling code.

    Resolves: #829

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* SignatureAlgorithms: force-enable GOST signatures for GOST KX
  Author: Dmitry Eremin-Solenikov   Date: 2019-12-28   Files: 2   Lines: -2/+2

  SChannel-based clients cannot send GOST identifiers as part of the
  SignatureAlgorithms extension. To mitigate this, forcefully enable GOST
  signature algorithms if the client sends a GOST ciphersuite.

  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* lib/*: remove unnecessary cast to ssize_t
  Author: Daiki Ueno   Date: 2019-09-12   Files: 4   Lines: -16/+15
  Branch: tmp-decr-len

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* Fixed alerts returned on TLS1.3 corner cases
  Author: Nikos Mavrogiannopoulos   Date: 2019-07-15   Files: 1   Lines: -1/+1

  This enables the tls-fuzzer tests 'test-tls13-certificate-verify.py'.

  Resolves: #682

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* tls13/key_update: ignore multiple key updates instead of error
  Author: Daiki Ueno   Date: 2019-06-05   Files: 1   Lines: -2/+0
  Branch: tmp-keyupdate-fixes

  This fixes the multiple KeyUpdate messages handling in commit
  65e2aa80d114d4bef095d129c2eda475e473244a, where illegal_parameter is sent
  even if the limit is not exceeded.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* tls13/key_update: increase handling limit from 1 to 8
  Author: Daiki Ueno   Date: 2019-05-22   Files: 1   Lines: -7/+18

  The limit was too small when testing the capability of handling multiple
  KeyUpdate messages with tlsfuzzer. This requires a change in the rate limit
  logic, as previously it didn't count the KeyUpdate messages despite the name
  of KEY_UPDATES_PER_SEC.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* Add or clean header guards in lib/tls13/
  Author: Tim Rühsen   Date: 2019-05-07   Files: 11   Lines: -3/+54

  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

* tls13/session_ticket: use the same ticket_age_add regardless of endianness
  Author: Daiki Ueno   Date: 2019-04-19   Files: 1   Lines: -1/+5

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* tls13/session_ticket: avoid UB regarding 64-bit time encoding
  Author: Daiki Ueno   Date: 2019-04-19   Files: 1   Lines: -4/+4
  Branch: tmp-early-exporter

  On a 32-bit platform, struct timespec.tv_sec can be a signed 32-bit type,
  and thus right shifting by 32 could be undefined behavior.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* cert auth: reject auth if no signature algorithm is usable in TLS 1.3
  Author: Daiki Ueno   Date: 2019-04-04   Files: 2   Lines: -22/+41

  Previously, when there was no overlap between usable signature algorithms
  and the "signature_algorithms" extension in Certificate Request, the client
  failed in sending Certificate Verify, followed by a connection close. In
  TLS 1.3, it is possible to keep the connection but reject the
  authentication by not sending Certificate Verify.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* handshake: remove unnecessary HSK_CRT_SENT flag
  Author: Daiki Ueno   Date: 2019-04-03   Files: 1   Lines: -5/+5

  Previously, while the flag HSK_CRT_SENT was checked in
  _gnutls13_send_certificate_verify, the flag was never set anywhere.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* Use https:// for www.gnu.org and www.example.com
  Author: Tim Rühsen   Date: 2019-03-13   Files: 23   Lines: -23/+23

  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

* Merge branch 'tmp-explicit-sanity-checks' into 'master'
  Author: Nikos Mavrogiannopoulos   Date: 2019-03-06   Files: 1   Lines: -1/+1

  cleanup: _gnutls_recv_handshake: added explicit sanity checks

  See merge request gnutls/gnutls!937

  * _gnutls_recv_handshake: added explicit sanity checks
    Author: Nikos Mavrogiannopoulos   Date: 2019-02-23   Files: 1   Lines: -1/+1
    Branch: tmp-explicit-sanity-checks

    Although this function acts on the message provided as expected and thus
    it should never call a message parsing function on unexpected messages,
    we make a more explicit sanity check. This unifies the sanity checks
    existing within the involved functions.

    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* tls13/certificate: utilize "certificate_required" alert
  Author: Daiki Ueno   Date: 2019-03-05   Files: 1   Lines: -2/+7
  Branch: tmp-cert-req

  This could make errors more distinguishable when the client sends no
  certificates or a bad certificate.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* Remove redundant resets of variables after free()
  Author: Tim Rühsen   Date: 2019-02-22   Files: 1   Lines: -2/+0

  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

* When sending no extensions do not include a zero length
  Author: Nikos Mavrogiannopoulos   Date: 2019-01-09   Files: 3   Lines: -3/+3

  According to RFC5246:

    The presence of extensions can be detected by determining whether there
    are bytes following the compression_method field at the end of the
    ServerHello.

  and as such we correct our behavior to not send the zero length bytes. This
  was our behavior in 3.5.x and 3.3.x branch, and thus this corrects a
  regression of gnutls with these branches.

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
  Signed-off-by: David Woodhouse <dwmw2@infradead.org>

* Implemented support for raw public-key functionality (RFC7250).
  Author: Tom Vrancken   Date: 2018-12-15   Files: 1   Lines: -1/+1

  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>

* tls13/session_ticket: fix "max_early_data_size" extension handling
  Author: Daiki Ueno   Date: 2018-11-18   Files: 1   Lines: -4/+2

  session->security_parameters.max_early_data_size is initially set to 0.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* anti_replay: moved new add function into anti_replay structure
  Author: Nikos Mavrogiannopoulos   Date: 2018-11-15   Files: 2   Lines: -8/+53

  The new function was not sharing anything with the existing gnutls_db_*
  backend, and moving it to anti_replay structure is more clean and allows
  for deviations from the old API conventions (e.g., now we can pass pointers
  for efficiency and pass the expiration time as part of the call).

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* TLS 1.3: implement anti-replay measure using ClientHello recording
  Author: Daiki Ueno   Date: 2018-11-12   Files: 2   Lines: -0/+247

  This implements ClientHello recording outlined in section 8.2 of RFC 8446.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* tls13/session_ticket: record timestamp in ticket
  Author: Daiki Ueno   Date: 2018-11-12   Files: 1   Lines: -4/+25

  This is needed for implementing freshness checks outlined in 8.3 of
  RFC 8446.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* handshake: handle early data
  Author: Daiki Ueno   Date: 2018-11-11   Files: 3   Lines: -3/+164

  This plumbs early data handling into the handshake processes, which
  consists of:

  - traffic key updates taking into account client_early_traffic_secret
  - early data buffering in both server and client
  - the EndOfEarlyData message handling
  - making use of max_early_data_size extension in NewSessionTicket

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* constate: add epoch_rel argument to _gnutls_epoch_dup
  Author: Daiki Ueno   Date: 2018-11-11   Files: 1   Lines: -1/+1

  This is necessary for handling early data. Previously, _gnutls_epoch_dup()
  copied the parameters from EPOCH_READ_CURRENT, while the client only sets
  EPOCH_WRITE_CURRENT when sending early data. This allows the caller to
  specify from which epoch the parameters are copied.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* tls13/session_ticket: calculate ticket_age in milliseconds
  Author: Daiki Ueno   Date: 2018-10-26   Files: 1   Lines: -2/+2

  Previously we calculated ticket age from the current wall clock in seconds,
  multiplying by 1000. This is conceptually wrong, because ticket age is
  designed to be in milliseconds.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* tls13/session_ticket: rename tls13_ticket_t type to tls13_ticket_st
  Author: Daiki Ueno   Date: 2018-10-25   Files: 2   Lines: -12/+12

  This is consistent with the coding guideline.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* Renamed _gnutls_auth_info_set() to _gnutls_auth_info_init().
  Author: Tom Vrancken   Date: 2018-10-18   Files: 1   Lines: -1/+1

  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>

* gnutls_init: added flag for automatic re-authentication
  Author: Nikos Mavrogiannopoulos   Date: 2018-10-16   Files: 1   Lines: -1/+3

  This introduces the GNUTLS_AUTO_REAUTH gnutls_init() flag and makes
  re-authentication under TLS simpler to enable and use.

  Resolves #571

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* session tickets: check timestamp for validity
  Author: Nikos Mavrogiannopoulos   Date: 2018-09-20   Files: 1   Lines: -2/+6
  Branch: tmp-session-ticket-key-rotation-ajuaristi

  We were previously only relying on the client's view of the ticket lifetime
  for TLS1.3 tickets. This makes sure that we only resume tickets that the
  server considers valid and consolidates the expiration time checks to
  _gnutls_check_resumed_params().

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* tls13/psk_ext_parser: simplify the iterator interface
  Author: Daiki Ueno   Date: 2018-08-23   Files: 2   Lines: -99/+63

  Previously it was unclear whether psk_ext_parser_st is stateful or not.
  This change introduces the simpler API to iterate over the immutable data
  (psk_ext_parser_st), following the iterator pattern.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* Implemented RFC7250 certificate type negotiation extensions.
  Author: Tom Vrancken   Date: 2018-08-20   Files: 1   Lines: -3/+8

  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>

* use a consistent method to mark fall-through in switch cases
  Author: Nikos Mavrogiannopoulos   Date: 2018-08-08   Files: 1   Lines: -9/+9

  Also document that method in the contribution guide.

  Resolves #306

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* TLS 1.3: ignore "early_data" extension
  Author: Daiki Ueno   Date: 2018-08-06   Files: 1   Lines: -2/+10

  As 0-RTT is still not implemented in GnuTLS, the server responds with
  1-RTT, by skipping decryption failure up to max_early_data_size, as
  suggested in 4.2.10 Early Data Detection.

  Resolves #512

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* tls1.3: server returns early on handshake when no cert is provided by client
  Author: Nikos Mavrogiannopoulos   Date: 2018-08-03   Files: 2   Lines: -9/+29

  Under TLS1.3 the server knows the negotiated keys early, if no client
  certificate is sent. In that case, the server is not only able to transmit
  the session ticket immediately after its finished message, but is also able
  to transmit data, similarly to false start.

  Resolves #481
  Resolves #457

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* gnutls_session_ticket_send: allow sending multiple tickets in one go
  Author: Nikos Mavrogiannopoulos   Date: 2018-07-12   Files: 2   Lines: -48/+58

  This allows combining the tickets in a single record message when possible.

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* generate_session_ticket: tickets cannot extend the original session time
  Author: Nikos Mavrogiannopoulos   Date: 2018-07-11   Files: 1   Lines: -5/+22

  That is, on a resumed session the server would not issue new tickets that
  would have extended the lifetime of the originally issued ticket.

  Resolves #476

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* generate_session_ticket: use a 4-byte nonce by default
  Author: Nikos Mavrogiannopoulos   Date: 2018-07-11   Files: 1   Lines: -2/+2

  It is not necessary to use large nonces.

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* generate_session_ticket: fixed comment
  Author: Nikos Mavrogiannopoulos   Date: 2018-07-11   Files: 1   Lines: -1/+1

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* post-handshake: return GNUTLS_E_GOT_APPLICATION_DATA as documented to
  Author: Nikos Mavrogiannopoulos   Date: 2018-07-02   Files: 1   Lines: -1/+2

  Relates #490

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* tls13 handshake: allow certificate messages after handshake
  Author: Nikos Mavrogiannopoulos   Date: 2018-07-02   Files: 4   Lines: -6/+19

  This allows post-handshake authentication even when PSK is negotiated.

  Resolves #489

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* gnutls_session_get_flags: introduced GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH
  Author: Nikos Mavrogiannopoulos   Date: 2018-07-02   Files: 1   Lines: -1/+3

  This allows a server application to detect whether the client would support
  post handshake authentication or not without initiating via gnutls_reauth().

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Fix variable overflow in TLS1.3 session ticket code
  Author: Tim Rühsen   Date: 2018-06-06   Files: 1   Lines: -2/+5

* tls13/session_ticket: don't send ticket when no common KE modes
  Author: Daiki Ueno   Date: 2018-06-05   Files: 1   Lines: -0/+6

  When the server has received a psk_key_exchange_modes extension which
  doesn't have any overlap with the server configuration, omit sending
  NewSessionTicket.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* ext/pre_shared_key: make PSK identity parsing more robust
  Author: Daiki Ueno   Date: 2018-06-01   Files: 1   Lines: -2/+2
  Branch: tmp-session-ticket-key-name

  Previously, to determine whether a PSK identity is a ticket or a PSK
  username, it relied on PskIdentity.obfuscated_ticket_age, which "SHOULD" be
  0 if the identity is a PSK username. This patch instead checks the key name
  of the ticket first and then checks the constraints of the PSK username.
  That way, it can distinguish tickets and PSK usernames in a more reliable
  manner.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* handshake: store session parameters in TLS1.3 ticket
  Author: Nikos Mavrogiannopoulos   Date: 2018-05-26   Files: 1   Lines: -17/+50

  This allows a TLS1.3 server to obtain certificate or other information from
  the client on a resumed session.

  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* TLS 1.3: Introduced TLS 1.3 session resumption
  Author: Ander Juaristi   Date: 2018-05-26   Files: 7   Lines: -46/+348

  This introduces session resumption under TLS 1.3. For that, it enables the
  psk_ke_modes extension when we enable session tickets. It enables sending
  session tickets in addition to PSK usernames. The detection of resumption
  vs pure PSK is done by comparing the indexes sent with the index received
  by the server.

  TLS 1.3 session tickets are always sent to the peer unless
  GNUTLS_NO_TICKETS is specified.

  Resolves #290

  Signed-off-by: Ander Juaristi <a@juaristi.eus>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* ext/pre_shared_key: fix binder calculation when HRR is sent
  Author: Daiki Ueno   Date: 2018-05-26   Files: 1   Lines: -0/+3

  In that case, ClientHello1 and HelloRetryRequest are included in the PSK
  binder computation, not only the truncated ClientHello2.

  Signed-off-by: Daiki Ueno <dueno@redhat.com>