path: root/lib/tls13
Commit log, newest first. Each entry gives the commit subject (with any branch decoration in brackets), then author, date, files changed and lines removed/added, then the commit message body.
* Use https:// for www.gnu.org and www.example.com
  Tim Rühsen, 2019-03-13 (23 files changed, -23/+23)
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Merge branch 'tmp-explicit-sanity-checks' into 'master'
  Nikos Mavrogiannopoulos, 2019-03-06 (1 file changed, -1/+1)
  cleanup: _gnutls_recv_handshake: added explicit sanity checks
  See merge request gnutls/gnutls!937
* _gnutls_recv_handshake: added explicit sanity checks [tmp-explicit-sanity-checks]
  Nikos Mavrogiannopoulos, 2019-02-23 (1 file changed, -1/+1)
  Although this function acts on the message provided as expected and thus it should never call a message parsing function on unexpected messages, we make a more explicit sanity check. This unifies the sanity checks existing within the involved functions.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tls13/certificate: utilize "certificate_required" alert [tmp-cert-req]
  Daiki Ueno, 2019-03-05 (1 file changed, -2/+7)
  This could make errors more distinguishable when the client sends no certificates or a bad certificate.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Remove redundant resets of variables after free()
  Tim Rühsen, 2019-02-22 (1 file changed, -2/+0)
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* When sending no extensions do not include a zero length
  Nikos Mavrogiannopoulos, 2019-01-09 (3 files changed, -3/+3)
  According to RFC5246:
    The presence of extensions can be detected by determining whether there are bytes following the compression_method field at the end of the ServerHello.
  and as such we correct our behavior to not send the zero length bytes. This was our behavior in the 3.5.x and 3.3.x branches, and thus this corrects a regression of gnutls with these branches.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
  Signed-off-by: David Woodhouse <dwmw2@infradead.org>
* Implemented support for raw public-key functionality (RFC7250).
  Tom Vrancken, 2018-12-15 (1 file changed, -1/+1)
  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* tls13/session_ticket: fix "max_early_data_size" extension handling
  Daiki Ueno, 2018-11-18 (1 file changed, -4/+2)
  session->security_parameters.max_early_data_size is initially set to 0.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* anti_replay: moved new add function into anti_replay structure
  Nikos Mavrogiannopoulos, 2018-11-15 (2 files changed, -8/+53)
  The new function was not sharing anything with the existing gnutls_db_* backend, and moving it to the anti_replay structure is cleaner and allows for deviations from the old API conventions (e.g., now we can pass pointers for efficiency and pass the expiration time as part of the call).
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* TLS 1.3: implement anti-replay measure using ClientHello recording
  Daiki Ueno, 2018-11-12 (2 files changed, -0/+247)
  This implements ClientHello recording outlined in section 8.2 of RFC 8446.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tls13/session_ticket: record timestamp in ticket
  Daiki Ueno, 2018-11-12 (1 file changed, -4/+25)
  This is needed for implementing freshness checks outlined in 8.3 of RFC 8446.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* handshake: handle early data
  Daiki Ueno, 2018-11-11 (3 files changed, -3/+164)
  This plumbs early data handling into the handshake processes, which consists of:
  - traffic key updates taking into account client_early_traffic_secret
  - early data buffering in both server and client
  - the EndOfEarlyData message handling
  - making use of the max_early_data_size extension in NewSessionTicket
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* constate: add epoch_rel argument to _gnutls_epoch_dup
  Daiki Ueno, 2018-11-11 (1 file changed, -1/+1)
  This is necessary for handling early data. Previously, _gnutls_epoch_dup() copied the parameters from EPOCH_READ_CURRENT, while the client only sets EPOCH_WRITE_CURRENT when sending early data. This allows the caller to specify from which epoch the parameters are copied.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tls13/session_ticket: calculate ticket_age in milliseconds
  Daiki Ueno, 2018-10-26 (1 file changed, -2/+2)
  Previously we calculated ticket age from the current wall clock in seconds, multiplying by 1000. This is conceptually wrong, because ticket age is designed to be in milliseconds.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tls13/session_ticket: rename tls13_ticket_t type to tls13_ticket_st
  Daiki Ueno, 2018-10-25 (2 files changed, -12/+12)
  This is consistent with the coding guideline.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Renamed _gnutls_auth_info_set() to _gnutls_auth_info_init().
  Tom Vrancken, 2018-10-18 (1 file changed, -1/+1)
  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* gnutls_init: added flag for automatic re-authentication
  Nikos Mavrogiannopoulos, 2018-10-16 (1 file changed, -1/+3)
  This introduces the GNUTLS_AUTO_REAUTH gnutls_init() flag and makes re-authentication under TLS simpler to enable and use.
  Resolves #571
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* session tickets: check timestamp for validity [tmp-session-ticket-key-rotation-ajuaristi]
  Nikos Mavrogiannopoulos, 2018-09-20 (1 file changed, -2/+6)
  We were previously only relying on the client's view of the ticket lifetime for TLS1.3 tickets. This makes sure that we only resume tickets that the server considers valid and consolidates the expiration time checks to _gnutls_check_resumed_params().
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tls13/psk_ext_parser: simplify the iterator interface
  Daiki Ueno, 2018-08-23 (2 files changed, -99/+63)
  Previously it was unclear whether psk_ext_parser_st is stateful or not. This change introduces the simpler API to iterate over the immutable data (psk_ext_parser_st), following the iterator pattern.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Implemented RFC7250 certificate type negotiation extensions.
  Tom Vrancken, 2018-08-20 (1 file changed, -3/+8)
  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* use a consistent method to mark fall-through in switch cases
  Nikos Mavrogiannopoulos, 2018-08-08 (1 file changed, -9/+9)
  Also document that method in the contribution guide.
  Resolves #306
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* TLS 1.3: ignore "early_data" extension
  Daiki Ueno, 2018-08-06 (1 file changed, -2/+10)
  As 0-RTT is still not implemented in GnuTLS, the server responds with 1-RTT, by skipping decryption failures up to max_early_data_size, as suggested in 4.2.10 Early Data Detection.
  Resolves #512
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tls1.3: server returns early on handshake when no cert is provided by client
  Nikos Mavrogiannopoulos, 2018-08-03 (2 files changed, -9/+29)
  Under TLS1.3 the server knows the negotiated keys early, if no client certificate is sent. In that case, the server is not only able to transmit the session ticket immediately after its finished message, but is also able to transmit data, similarly to false start.
  Resolves #481
  Resolves #457
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_session_ticket_send: allow sending multiple tickets in one go
  Nikos Mavrogiannopoulos, 2018-07-12 (2 files changed, -48/+58)
  This allows combining the tickets in a single record message when possible.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* generate_session_ticket: tickets cannot extend the original session time
  Nikos Mavrogiannopoulos, 2018-07-11 (1 file changed, -5/+22)
  That is, on a resumed session the server would not issue new tickets that would have extended the lifetime of the originally issued ticket.
  Resolves #476
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* generate_session_ticket: use a 4-byte nonce by default
  Nikos Mavrogiannopoulos, 2018-07-11 (1 file changed, -2/+2)
  It is not necessary to use large nonces.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* generate_session_ticket: fixed comment
  Nikos Mavrogiannopoulos, 2018-07-11 (1 file changed, -1/+1)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* post-handshake: return GNUTLS_E_GOT_APPLICATION_DATA as documented to
  Nikos Mavrogiannopoulos, 2018-07-02 (1 file changed, -1/+2)
  Relates #490
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tls13 handshake: allow certificate messages after handshake
  Nikos Mavrogiannopoulos, 2018-07-02 (4 files changed, -6/+19)
  This allows post-handshake authentication even when PSK is negotiated.
  Resolves #489
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_session_get_flags: introduced GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH
  Nikos Mavrogiannopoulos, 2018-07-02 (1 file changed, -1/+3)
  This allows a server application to detect whether the client would support post handshake authentication or not without initiating it via gnutls_reauth().
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Fix variable overflow in TLS1.3 session ticket code
  Tim Rühsen, 2018-06-06 (1 file changed, -2/+5)
* tls13/session_ticket: don't send ticket when no common KE modes
  Daiki Ueno, 2018-06-05 (1 file changed, -0/+6)
  When the server has received a psk_key_exchange_modes extension which doesn't have any overlap with the server configuration, omit sending NewSessionTicket.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* ext/pre_shared_key: make PSK identity parsing more robust [tmp-session-ticket-key-name]
  Daiki Ueno, 2018-06-01 (1 file changed, -2/+2)
  Previously, to determine whether a PSK identity is a ticket or a PSK username, it relied on PskIdentity.obfuscated_ticket_age, which "SHOULD" be 0 if the identity is a PSK username. This patch instead checks the key name of the ticket first and then checks the constraints of the PSK username. That way, it can distinguish tickets and PSK usernames in a more reliable manner.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* handshake: store session parameters in TLS1.3 ticket
  Nikos Mavrogiannopoulos, 2018-05-26 (1 file changed, -17/+50)
  This allows a TLS1.3 server to obtain certificate or other information from the client on a resumed session.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* TLS 1.3: Introduced TLS 1.3 session resumption
  Ander Juaristi, 2018-05-26 (7 files changed, -46/+348)
  This introduces session resumption under TLS 1.3. For that, it enables the psk_ke_modes extension when we enable session tickets. It enables sending session tickets in addition to PSK usernames. The detection of resumption vs pure PSK is done by comparing the indexes sent with the index received by the server. TLS 1.3 session tickets are always sent to the peer unless GNUTLS_NO_TICKETS is specified.
  Resolves #290
  Signed-off-by: Ander Juaristi <a@juaristi.eus>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* ext/pre_shared_key: fix binder calculation when HRR is sent
  Daiki Ueno, 2018-05-26 (1 file changed, -0/+3)
  In that case, ClientHello1 and HelloRetryRequest are included in the PSK binder computation, not only the truncated ClientHello2.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tls13/certificate_request: corrected check of duplicate signature algorithms
  Nikos Mavrogiannopoulos, 2018-05-04 (2 files changed, -2/+16)
  Made the check local when parsing a certificate request, as we may receive multiple requests when post-handshake authentication is in place. Furthermore check whether this extension has been received as this is a mandatory one. In addition handle a memory leak when multiple peer certificates are set.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_reauth: doc update
  Nikos Mavrogiannopoulos, 2018-05-04 (1 file changed, -1/+3)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tls13/certificate: send empty certificate instead of skipping
  Nikos Mavrogiannopoulos, 2018-05-04 (1 file changed, -25/+24)
  According to the TLS1.3 spec:
    The server's certificate_list MUST always be non-empty. A client will send an empty certificate_list if it does not have an appropriate certificate to send in response to the server's authentication request.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tls13/certificate_verify: corrected context in signatures in client side
  Nikos Mavrogiannopoulos, 2018-05-04 (1 file changed, -7/+24)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tls13/finished: addressed memory leak in receiving finished packet
  Nikos Mavrogiannopoulos, 2018-04-17 (1 file changed, -3/+7)
  Issue found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7518
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Simplified the _gnutls13_psk_ext_parser interface and added unit tests
  Nikos Mavrogiannopoulos, 2018-04-06 (2 files changed, -64/+59)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Added support for out-of-band Pre-shared keys under TLS1.3
  Ander Juaristi, 2018-04-06 (7 files changed, -42/+281)
  That adds support for pre-shared keys with and without Diffie-Hellman key exchange. That's a modified version of Ander's initial patch.
  Resolves #414
  Resolves #125
  Signed-off-by: Ander Juaristi <a@juaristi.eus>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.org>
* Hello retry request matches server hello
  Nikos Mavrogiannopoulos, 2018-03-09 (1 file changed, -10/+52)
  That also distinguishes between them by using the special random value, and implements the version check as in draft-ietf-tls-tls13-24.
  Resolves #391 #390 #392
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_ext_raw_parse: introduced function
  Nikos Mavrogiannopoulos, 2018-02-26 (3 files changed, -10/+11)
  That function can be combined with callbacks like gnutls_handshake_set_hook_function() for applications to be able to process messages when necessary.
  Resolves #382
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* updated Since version in new function entries as well as map file versions
  Nikos Mavrogiannopoulos, 2018-02-19 (1 file changed, -1/+1)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* cert auth: use a single callback to call for OCSP
  Nikos Mavrogiannopoulos, 2018-02-19 (1 file changed, -10/+2)
  That is, when selecting the certificate to use, point to the callback to use as well (whether it is the global or a specific one) for OCSP.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ocsp: enhanced the OCSP response loading APIs
  Nikos Mavrogiannopoulos, 2018-02-19 (1 file changed, -9/+27)
  Introduced gnutls_certificate_set_ocsp_status_request_file2() and gnutls_certificate_set_ocsp_status_request_mem(). These functions behave as the equivalent certificate loading functions and pre-load the OCSP response provided as a file, either in DER or in PEM form. In addition, ensure that if the server is provided a problematic OCSP response, or the OCSP response is not renewed before it is invalid, we will not provide it to the clients.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ocsp: send all the OCSP responses under TLS1.3
  Nikos Mavrogiannopoulos, 2018-02-19 (1 file changed, -6/+110)
  That is, any responses set by the caller application (directly or via a callback) will be sent to the peer.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tls13/certificate: parse OCSP status response and save responses in auth info struct
  Nikos Mavrogiannopoulos, 2018-02-19 (1 file changed, -43/+85)
  That provides support for OCSP status response under TLS 1.3.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>