path: root/lib
Commit log (each entry: commit message; author, date; files changed, lines -removed/+added)
* Implemented RFC7250 certificate type negotiation extensions.
  (Tom Vrancken, 2018-08-20; 24 files, -106/+1346)
  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* ext/record_size_limit: new extension
  (Daiki Ueno, 2018-08-20; 7 files, -26/+177)
  This implements the record_size_limit extension as defined in RFC 8449. Although it obsoletes the max_record_size extension, for compatibility reasons GnuTLS still sends it on certain occasions. For example, when the new size is representable as the codepoint defined for max_record_size.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* ext/max_record: remove use of extension private data
  (Daiki Ueno, 2018-08-20; 1 file, -67/+11)
  As the extension data is always stored in session->security_parameters.max_record_send_size, it shouldn't be necessary to track it with the private data.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* gnutls_session_resumption_requested: fixed behavior under TLS1.3
  (Nikos Mavrogiannopoulos, 2018-08-20; 2 files, -1/+6)
  This makes gnutls_session_resumption_requested() functional under TLS1.3 and introduces a unit test of the function.
  Resolves #546
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* hello_ext: removed bogus comment
  (Nikos Mavrogiannopoulos, 2018-08-19; 1 file, -2/+0)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Fix two typos (overriden/guarranteed)
  (Andreas Metzler, 2018-08-16; 5 files, -9/+9)
  Signed-off-by: Andreas Metzler <ametzler@bebt.de>
* write_oid_and_params: moved nullity check of params earlier
  (Nikos Mavrogiannopoulos, 2018-08-13; 1 file, -6/+5)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gnutls_session_set_premaster: corrected error checks
  (Nikos Mavrogiannopoulos, 2018-08-13; 1 file, -5/+4)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pubkey_verify_hashed_data: apply algorithm checks
  (Nikos Mavrogiannopoulos, 2018-08-13; 1 file, -2/+0)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* privkey_sign_raw_data: use assert to mark code which always succeeds
  (Nikos Mavrogiannopoulos, 2018-08-13; 1 file, -0/+1)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_send_change_cipher_spec: removed unnecessary test
  (Nikos Mavrogiannopoulos, 2018-08-13; 1 file, -1/+1)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_memset: use explicit_bzero
  (Nikos Mavrogiannopoulos, 2018-08-08; 1 file, -8/+9)
  That is, use the glibc function when available and the second parameter is zero.
  Resolves #230
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* use a consistent method to mark fall-through in switch cases
  (Nikos Mavrogiannopoulos, 2018-08-08; 11 files, -94/+94)
  Also document that method in contribution guide.
  Resolves #306
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* ext/pre_shared_key: prevent crash if no server credentials are set
  (Daiki Ueno, 2018-08-08; 1 file, -1/+2)
  Previously, if the server is configured without PSK credentials and the client authenticated with PSK, the server crashed with:

      Program received signal SIGSEGV, Segmentation fault.
      0x00007ffff7b190ba in server_recv_params (session=0x636fc0, data=0x634e6e "", len=46, pskcred=0x0) at pre_shared_key.c:523
      523             prf = pskcred->binder_algo;

  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* alert: map GNUTLS_E_NO_COMMON_KEY_SHARE to handshake_failure
  (Daiki Ueno, 2018-08-08; 1 file, -1/+1)
  Previously, when the server received a ClientHello that includes only groups from unassigned ranges in supported_groups, it aborted the connection with an illegal_parameter.
  Resolves #537
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* algorithms: add support for FFDHE6144
  (Daiki Ueno, 2018-08-08; 5 files, -1/+144)
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Corrected the importing of ECDSA public keys
  (Nikos Mavrogiannopoulos, 2018-08-07; 1 file, -8/+0)
  This seems to be a regression since EdDSA support. The call to _gnutls_x509_get_pk_algorithm() in public key import was unnecessary and in fact it was overriding the available curve with a curve associated with the OID. As the ECDSA OID doesn't include the curve, that had the result of deleting the already read curve.
  Resolves #538
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Ensure we are sending the right protocol version on second client hello
  (Nikos Mavrogiannopoulos, 2018-08-07; 1 file, -4/+5)
  That is, when we respond to a Hello Retry Request as client, we put the TLS1.2 version on the second client hello to send a hello that is as close as possible to the original hello. That effectively separates the handling of TLS1.2 rehandshake and TLS1.3 hello retry request when sending a client hello.
  Resolves #535
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: few improvements over certificate validation text
  (Nikos Mavrogiannopoulos, 2018-08-07; 1 file, -5/+21)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* resume: keep persistent session identifiers
  (Nikos Mavrogiannopoulos, 2018-08-07; 6 files, -55/+96)
  With the introduction of session ticket support (TLS1.2) and TLS1.3, session identifiers have no persistency on server or client side. Improve the situation by introducing persistent session identifiers on server side in a backwards compatible way.
  Resolves #484
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* record: send unexpected_message upon empty unencrypted records
  (Daiki Ueno, 2018-08-06; 1 file, -1/+8)
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* buffers: handle very short fragmentation of handshake messages
  (Daiki Ueno, 2018-08-06; 3 files, -3/+36)
  If the received record doesn't even complete the handshake header (i.e., the record size < 4), keep it in a temporary buffer and let the caller receive more records. Once enough data is received, move the already received records back to record_buffer and proceed to the normal processing.
  Fixes: #272
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* mbuffers: introduce _mbuffer_head_push_first
  (Daiki Ueno, 2018-08-06; 2 files, -0/+21)
  This is similar to _mbuffer_enqueue, but adds an element to the beginning of the buffer. This is to make the incomplete header handling case easier.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* _gnutls_parse_record_buffered_msgs: eliminate local variable usage
  (Daiki Ueno, 2018-08-06; 1 file, -11/+5)
  If `remain > 0` is true, `recv_buf[0].length > 0` always holds. Combine those conditions and remove the `remain` utilizing MIN(). This is to make the incomplete header handling case easier.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* buffers: avoid confusion in fragment length calculation
  (Daiki Ueno, 2018-08-06; 1 file, -14/+13)
  Previously, to calculate the fragment length, it added/subtracted one to the ending offset back and forth; that was not easy to read and couldn't handle empty payload messages in TLS.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* TLS 1.3: ignore "early_data" extension
  (Daiki Ueno, 2018-08-06; 10 files, -3/+210)
  As 0-RTT is still not implemented in GnuTLS, the server responds with 1-RTT, by skipping decryption failure up to max_early_data_size, as suggested in 4.2.10 Early Data Detection.
  Resolves #512
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* tls1.3: server returns early on handshake when no cert is provided by client
  (Nikos Mavrogiannopoulos, 2018-08-03; 13 files, -96/+324)
  Under TLS1.3 the server knows the negotiated keys early, if no client certificate is sent. In that case, the server is not only able to transmit the session ticket immediately after its finished message, but is also able to transmit data, similarly to false start.
  Resolves #481
  Resolves #457
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ext/key_share: check the validity of server key shares
  (Nikos Mavrogiannopoulos, 2018-07-27; 2 files, -0/+11)
  That is, when generating the public key based on the server's key share, ensure that the algorithms match completely with the key shares the client initially sent. This was detected by the updated traces for TLS1.3 fuzzing.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls.h: corrected typo [tmp-tls13-fixes]
  (Nikos Mavrogiannopoulos, 2018-07-25; 1 file, -1/+1)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* send_client_hello: don't override version after HRR is received
  (Nikos Mavrogiannopoulos, 2018-07-25; 1 file, -7/+9)
  When a Hello Retry Request is received, do not set our (transient) version to TLS1.2 on the second client hello. That's because both peers have already negotiated TLS1.3. This addresses an issue with peers which may send a changecipherspec message at this stage, which is now allowed when our version is set to be TLS1.2.
  Introduced test suite using openssl and resumption using HRR which reproduces the issue.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* hello_ext_parse: apply the test for pre-shared key ext being last on client hello
  (Nikos Mavrogiannopoulos, 2018-07-25; 1 file, -1/+1)
  We were incorrectly insisting on pre-shared key extension being last in both client and server hello. That was incorrect, as only in client hello it is required by TLS1.3 to be last. Quoting:

      The "pre_shared_key" extension MUST be the last extension in the ClientHello (this facilitates implementation as described below). Servers MUST check that it is the last extension and otherwise fail the handshake with an "illegal_parameter" alert.

  Resolves #525
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks
  (Nikos Mavrogiannopoulos, 2018-07-24; 1 file, -0/+7)
  In 9829ef9a we introduced a wrapper over the older callback functions which didn't handle this case.
  Resolves #528
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* cert-cred: fix possible segfault when resetting cert retrieval function
  (Dmitry Eremin-Solenikov, 2018-07-24; 1 file, -2/+8)
  Reset get_cert_callback3 callback to NULL if provided callback is NULL. Otherwise, after the certificate request, call_legacy_cert_cb1 / call_legacy_cert_cb2 will try to unconditionally call legacy_cert_cb1 / legacy_cert_cb2 callback (set to NULL), leading to segfault.
  Fixes: 9829ef9a3ca06d60472599df7c74ebb9a53f1fe2
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* kx: for uniformity print master secret size
  (Dmitry Eremin-Solenikov, 2018-07-23; 1 file, -1/+2)
  During the key setup phase the debug log will contain sizes of all keys and secrets, except the master secret. Dump MS length (48) to log for uniformity.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* constate: dump full key block to log
  (Dmitry Eremin-Solenikov, 2018-07-23; 1 file, -1/+2)
  Include the full key block in the debug log.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* constate: dump MAC keys to debug log
  (Dmitry Eremin-Solenikov, 2018-07-23; 1 file, -0/+12)
  _gnutls_set_keys() can dump client/server write keys/ivs to debug log, but it skips MAC keys. Add MAC keys to log.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* constate: drop unused variable in _gnutls_set_keys
  (Dmitry Eremin-Solenikov, 2018-07-23; 1 file, -7/+0)
  _gnutls_set_keys() creates rrnd as client random + server random, but does not use it (it was used before for export key generation, but was not removed when dropping support for export cipher suites).
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
  Fixes: 8bdb8d53aa5b4c5d04255b6c9b5f2dac8b23d51b
* cert auth: simplify certificate selection code
  (Dmitry Eremin-Solenikov, 2018-07-23; 1 file, -55/+25)
  Merge pubkey_is_compat_with_cs() and select_sign_algorithm() functions to ease extension of certificate selection code.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* gnutls_x509_privkey_import_ecc_raw: encode parameters on import [tmp-fix-pkcs8-export]
  (Nikos Mavrogiannopoulos, 2018-07-20; 2 files, -4/+12)
  That makes the structure fully usable after import. In _encode_privkey() use the lower-level _gnutls_x509_export_int2() for key encoding as the call to higher gnutls_x509_privkey_export2() could result in an infinite recursion when keys are incomplete.
  Introduced additional tests for PKCS#8 key import and export.
  Resolves: #516
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_priority_init: fix err_pos on invalid strings
  (Nikos Mavrogiannopoulos, 2018-07-19; 2 files, -5/+13)
  When the provided string would be resolved (e.g., due to a @ priority being used) to a different string, do not attempt to detect the right location of the error. It will not be useful to the caller.
  This addresses the issue of test suite failure when --with-system-priority-file and --with-default-priority-string are provided. It also enhances the test suite with these options being active.
  Resolves #517
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_resolve_priorities: avoid gnu extension for ?: construct
  (Nikos Mavrogiannopoulos, 2018-07-14; 1 file, -1/+3)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* nettle/rnd-fips: updated documentation
  (Nikos Mavrogiannopoulos, 2018-07-13; 1 file, -4/+2)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* priorities: ensure that SSL3.0 enablement fails early when disabled
  (Nikos Mavrogiannopoulos, 2018-07-13; 2 files, -8/+15)
  That is, that a priority string with only SSL3.0 present is discarded as invalid.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* The SSL 3.0 protocol is disabled at compile time by default
  (Nikos Mavrogiannopoulos, 2018-07-13; 1 file, -0/+2)
  It can be re-enabled by specifying --enable-ssl3-support on configure script. This is the first step before removing support for the protocol completely.
  Relates #103
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* doc: minor text updates
  (Nikos Mavrogiannopoulos, 2018-07-13; 2 files, -2/+3)
  Updated text for gnutls_session_ext_master_secret_status and for GNUTLS_NO_EXTENSIONS flag which is defunct.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* _gnutls13_recv_async_handshake: process multiple and split handshake messages [tmp-fix-multi-async-msg]
  (Nikos Mavrogiannopoulos, 2018-07-12; 5 files, -84/+145)
  It is permitted to concatenate multiple async handshake messages in a single record message as well as split large messages (NST) into multiple records. Modified _gnutls13_recv_async_handshake() to process them correctly, instead of assuming that they are formatted as one message per record.
  Resolves #510
  Resolves #504
  Relates #511
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_session_ticket_send: allow sending multiple tickets in one go
  (Nikos Mavrogiannopoulos, 2018-07-12; 6 files, -54/+83)
  This allows combining the tickets in a single record message when possible.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* generate_session_ticket: tickets cannot extend the original session time
  (Nikos Mavrogiannopoulos, 2018-07-11; 2 files, -6/+23)
  That is, on a resumed session the server would not issue new tickets that would have extended the lifetime of the originally issued ticket.
  Resolves #476
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* pre_shared_key: do not send extension when no identities are present
  (Nikos Mavrogiannopoulos, 2018-07-11; 1 file, -0/+7)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* generate_session_ticket: use a 4-byte nonce by default
  (Nikos Mavrogiannopoulos, 2018-07-11; 1 file, -2/+2)
  It is not necessary to use large nonces.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>