diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-03-01 11:15:47 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-03-20 10:52:19 +0100 |
commit | c6754cf52ecfb655f04707cef0d4c2d41e1c9587 (patch) | |
tree | 57bf3acab86116da136087c9e936087b5fd5d286 /lib | |
parent | f82ffe2b3031072ad1bfdf589e945263a1696e3f (diff) | |
download | gnutls-c6754cf52ecfb655f04707cef0d4c2d41e1c9587.tar.gz |
handshake: increase the default number of tickets we send to 2tmp-increase-nr-of-tickets
This makes it easier for clients which perform multiple connections
to the server to use the tickets sent by a default server. That's
because 2 tickets allow for 2 new connections (if one is using each
ticket once as recommended), which in turn lead to 4 new and so on.
Resolves: #596
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/Makefile.am | 10 | ||||
-rw-r--r-- | lib/gnutls_int.h | 7 | ||||
-rw-r--r-- | lib/handshake-defs.h | 49 | ||||
-rw-r--r-- | lib/handshake-tls13.c | 8 | ||||
-rw-r--r-- | lib/handshake.h | 15 |
5 files changed, 58 insertions, 31 deletions
diff --git a/lib/Makefile.am b/lib/Makefile.am index 955ac683e7..fe9cf63a2f 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -111,11 +111,11 @@ if ENABLE_NETTLE SUBDIRS += nettle endif -HFILES = abstract_int.h debug.h cipher.h \ - buffers.h errors.h gnutls_int.h dtls.h \ - handshake.h num.h algorithms.h \ - dh.h kx.h hash_int.h cipher_int.h \ - db.h auth.h hello_ext.h \ +HFILES = abstract_int.h debug.h cipher.h \ + buffers.h errors.h gnutls_int.h dtls.h \ + handshake.h num.h algorithms.h \ + dh.h kx.h hash_int.h cipher_int.h \ + db.h auth.h hello_ext.h handshake-defs.h \ x509_b64.h sslv2_compat.h datum.h \ mpi.h pk.h record.h \ constate.h global.h tls-sig.h mem.h \ diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index ccbcc5b558..bfca84c96f 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -127,16 +127,9 @@ typedef struct { #define GNUTLS_MASTER_SIZE 48 #define GNUTLS_RANDOM_SIZE 32 -#define HRR_RANDOM \ - "\xCF\x21\xAD\x74\xE5\x9A\x61\x11\xBE\x1D\x8C\x02\x1E\x65\xB8\x91" \ - "\xC2\xA2\x11\x16\x7A\xBB\x8C\x5E\x07\x9E\x09\xE2\xC8\xA8\x33\x9C" - /* Under TLS1.3 a hello retry request is sent as server hello */ #define REAL_HSK_TYPE(t) ((t)==GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST?GNUTLS_HANDSHAKE_SERVER_HELLO:t) -/* Enable: Appendix D4. Middlebox Compatibility Mode */ -#define TLS13_APPENDIX_D4 1 - /* DTLS */ #define DTLS_RETRANS_TIMEOUT 1000 diff --git a/lib/handshake-defs.h b/lib/handshake-defs.h new file mode 100644 index 0000000000..d322febc90 --- /dev/null +++ b/lib/handshake-defs.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2019 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * The GnuTLS is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + * + */ +#ifndef HANDSHAKE_DEFS_H +#define HANDSHAKE_DEFS_H + +#define EARLY_TRAFFIC_LABEL "c e traffic" +#define EXT_BINDER_LABEL "ext binder" +#define RES_BINDER_LABEL "res binder" +#define EARLY_EXPORTER_MASTER_LABEL "e exp master" +#define HANDSHAKE_CLIENT_TRAFFIC_LABEL "c hs traffic" +#define HANDSHAKE_SERVER_TRAFFIC_LABEL "s hs traffic" +#define DERIVED_LABEL "derived" +#define APPLICATION_CLIENT_TRAFFIC_LABEL "c ap traffic" +#define APPLICATION_SERVER_TRAFFIC_LABEL "s ap traffic" +#define APPLICATION_TRAFFIC_UPDATE "traffic upd" +#define EXPORTER_MASTER_LABEL "exp master" +#define RMS_MASTER_LABEL "res master" +#define EXPORTER_LABEL "exp master" +#define RESUMPTION_LABEL "resumption" + +#define HRR_RANDOM \ + "\xCF\x21\xAD\x74\xE5\x9A\x61\x11\xBE\x1D\x8C\x02\x1E\x65\xB8\x91" \ + "\xC2\xA2\x11\x16\x7A\xBB\x8C\x5E\x07\x9E\x09\xE2\xC8\xA8\x33\x9C" + +#define TLS13_TICKETS_TO_SEND 2 + +/* Enable: Appendix D4. Middlebox Compatibility Mode */ +#define TLS13_APPENDIX_D4 1 + +#endif /* HANDSHAKE_DEFS_H */ diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c index 30a45986a7..33ed3afa3b 100644 --- a/lib/handshake-tls13.c +++ b/lib/handshake-tls13.c @@ -362,8 +362,6 @@ static int generate_hs_traffic_keys(gnutls_session_t session) return 0; } -#define TICKETS_TO_SEND 1 - /* * _gnutls13_handshake_server * This function does the server stuff of the handshake protocol. @@ -510,7 +508,7 @@ int _gnutls13_handshake_server(gnutls_session_t session) _gnutls_set_resumed_parameters(session); if (session->internals.hsk_flags & HSK_EARLY_START_USED) { - ret = _gnutls13_send_session_ticket(session, TICKETS_TO_SEND, + ret = _gnutls13_send_session_ticket(session, TLS13_TICKETS_TO_SEND, AGAIN(STATE109)); STATE = STATE109; @@ -566,7 +564,7 @@ int _gnutls13_handshake_server(gnutls_session_t session) FALLTHROUGH; case STATE115: if (!(session->internals.hsk_flags & (HSK_TLS13_TICKET_SENT|HSK_EARLY_START_USED))) { - ret = _gnutls13_send_session_ticket(session, TICKETS_TO_SEND, + ret = _gnutls13_send_session_ticket(session, TLS13_TICKETS_TO_SEND, AGAIN(STATE115)); STATE = STATE115; IMED_RET("send session ticket", ret, 0); @@ -738,7 +736,7 @@ _gnutls13_recv_async_handshake(gnutls_session_t session) * * Sends a fresh session ticket to the peer. This is relevant only * in server side under TLS1.3. This function may also return %GNUTLS_E_AGAIN - * or %GNUTLS_E_INTERRUPTED. + * or %GNUTLS_E_INTERRUPTED and in that case it must be called again. * * Returns: %GNUTLS_E_SUCCESS on success, or a negative error code. **/ diff --git a/lib/handshake.h b/lib/handshake.h index 2d56219591..490e836fae 100644 --- a/lib/handshake.h +++ b/lib/handshake.h @@ -153,20 +153,7 @@ int _gnutls_handshake_get_session_hash(gnutls_session_t session, gnutls_datum_t int _gnutls_check_id_for_change(gnutls_session_t session); int _gnutls_check_if_cert_hash_is_same(gnutls_session_t session, gnutls_certificate_credentials_t cred); -#define EARLY_TRAFFIC_LABEL "c e traffic" -#define EXT_BINDER_LABEL "ext binder" -#define RES_BINDER_LABEL "res binder" -#define EARLY_EXPORTER_MASTER_LABEL "e exp master" -#define HANDSHAKE_CLIENT_TRAFFIC_LABEL "c hs traffic" -#define HANDSHAKE_SERVER_TRAFFIC_LABEL "s hs traffic" -#define DERIVED_LABEL "derived" -#define APPLICATION_CLIENT_TRAFFIC_LABEL "c ap traffic" -#define APPLICATION_SERVER_TRAFFIC_LABEL "s ap traffic" -#define APPLICATION_TRAFFIC_UPDATE "traffic upd" -#define EXPORTER_MASTER_LABEL "exp master" -#define RMS_MASTER_LABEL "res master" -#define EXPORTER_LABEL "exp master" -#define RESUMPTION_LABEL "resumption" +#include "handshake-defs.h" int _gnutls_call_hook_func(gnutls_session_t session, gnutls_handshake_description_t type, |