| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
This partially reverts commit 97117556 with a simpler interface. The
original intention of having the callback mechanism was to reuse it
for monitoring QUIC encryption changes. However, it turned out to be
insufficient because such changes must be emitted after a new epoch is
ready.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This refactors the keylogfile mechanism by adding a callback to get
notified when a new secret is derived and installed. That way,
consumers can implement custom logging feature per session, which is
particularly useful in QUIC implementation.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
|
| |
GnuTLS is depending already on uint64_t being a properly defined type.
So there is no need to have a special byte-array type for 8-byte
integers. Use uint64_t instead, thus simplifying a code quite heavily.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
| |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since some point in 3.6.x we updated the calculation of maximum record size,
however that did not include the possibility of random record padding available
for CBC ciphersuites which exceeds the maximum. This commit allows for larger
sizes for these ciphersuites to account for random padding as applied by
gnutls 2.12.x.
Resolves: #811
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous behavior was that both sending and receiving limits are
negotiated to be the same value. It was problematic when:
- client sends a record_size_limit with a large value in CH
- server sends a record_size_limit with a smaller value in EE
- client updates the limit for both sending and receiving, upon
receiving EE
- server sends a Certificate message larger than the limit
With this patch, each peer maintains the sending / receiving limits
separately so not to confuse with the contradicting settings.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
|
| |
We expand informational comments on limitations, but with removing
FIXME (keyword didn't help fixing these), and remove completely unhelpful
comments, obsolete ones, or comments about ideas.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This plumbers early data handling in the handshake processes, which
consists of:
- traffic key updates taking into account of client_early_traffic_secret
- early data buffering in both server and client
- the EndOfEarlyData message handling
- making use of max_early_data_size extension in NewSessionTicket
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This is necessary for handling early data. Previously,
_gnutls_epoch_dup() copied the parameters from EPOCH_READ_CURRENT,
while the client only sets EPOCH_WRITE_CURRENT when sending early
data. This allows caller to specify from which epoch the parameters
are copied.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
| |
Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
|
|
|
|
|
|
|
|
|
|
|
|
| |
With the introduction of session ticket support (TLS1.2) and
TLS1.3, session identifiers have no persistency on server or
client side. Improve the situation by introducing persistent
session identifiers on server side in a backwards compatible
way.
Resolves #484
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Under TLS1.3 the server knows the negotiated keys early, if no client
certificate is sent. In that case, the server is not only able to
transmit the session ticket immediately after its finished message,
but is also able to transmit data, similarly to false start.
Resolves #481
Resolves #457
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
| |
Include full key block to the debug log.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
|
|
|
| |
_gnutls_set_keys() can dump client/server write keys/ivs to debug log,
but it skips MAC keys. Add MAC keys to log.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|
|
|
|
|
|
|
|
| |
_gnutls_set_keys() creates rrnd as client random + server random, but
does not use it (it was used before for export key generation, but was
not removed when dropping support for export cipher suites).
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Fixes: 8bdb8d53aa5b4c5d04255b6c9b5f2dac8b23d51b
|
|
|
|
|
|
|
|
|
| |
That is, on a resumed session the server would not issue new tickets
that would have extended the lifetime of the originally issued ticket.
Resolves #476
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
| |
Resolves #485
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
This allows a TLS1.3 server to obtain certificate or other
information from the client on a resumed session.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces session resumption under TLS 1.3. For that,
it enables the psk_ke_modes extension when we enable session
tickets. It enables sending session tickets in addition to
PSK usernames. The detection of resumption vs pure PSK is done by
comparing the indexes sent with the index received by the server.
TLS 1.3 session tickets are always sent to the peer unless the
GNUTLS_NO_TICKETS is specified.
Resolves #290
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
|
|
|
| |
On certain cases when re-handshake is interrupted by application
data, _gnutls_epoch_new() will be called twice. Make sure that
this does not lead to an error. We also rename the function to
clarify its purpose _gnutls_epoch_setup_next().
Resolves #426
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This amends 62ea232f180b980a0d4b6462c468706db6cc4700, and
removes invalid NULL checks, as well as corrects the key
set for server side.
This is verified against openssl master, but does not include
automated test suite; it will be tested as part of #328
Resolves #419
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
|
|
|
| |
That is, to reduce memory usage as these protocol cannot be used
in parallel.
Relates: #281
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
That is, with the view of separating the data needed for
TLS1.2 and earlier and TLS1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
This function allows updating keys of the session and notifying
the peer.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
|
|
|
|
|
| |
TLS 1.3 exporters need to derive a secret from exporter_master_secret
or early_exporter_master_secret, not the handshake or application
secret stored in temp_secret. Add a new argument @secret to
_tls13_derive_secret to specify any secret.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
That does not include support for client certificates as it
requires extension handling improvements in order for extensions
to be context sensitive (now they cannot distinguish whether the
parsing routine is called during client hello or certificate request
reading)
This does not include proper parsing of extensions present in
the certificate message.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
This allows to initialize the TLS 1.3 connection state without
additional allocations as required by the external API.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
That way, we avoid multiple function calls to obtain information
such as hash size, and other MAC properties.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The data MTU calculation under CBC ciphersuites takes into
account that the overhead of these ciphersuites is constant (IV +
hash + 1 byte padding), though the capacity varies due to the padding
block. That is, on 16-byte padding block, one padding byte is the
overhead but the rest 15 bytes are accounted for data MTU.
That also has the side effect that setting a data MTU using
gnutls_dtls_set_data_mtu(), is not definite, and the actual
MTU may be larger for these ciphersuites --i.e., the
return value of gnutls_dtls_get_data_mtu().
Resolves #360
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
| |
That allows resumed sessions to have the original group information such as
curve used for key exchange or FFDHE parameters.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
|
|
|
|
| |
cipher_suite_entry_st
That, in addition to simplifying the contents, it allows faster access
to ciphersuite's properties.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|