path: root/lib/constate.c
Commit message | Author | Date | Files | Lines
* keylogfile: simplify the callback mechanism (branch: tmp-keylog-func) | Daiki Ueno | 2020-02-22 | 1 | -15/+7
  This partially reverts commit 97117556 with a simpler interface. The original intention of having the callback mechanism was to reuse it for monitoring QUIC encryption changes. However, it turned out to be insufficient because such changes must be emitted after a new epoch is ready.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* keylogfile: generalize with a callback (branch: tmp-keylog-hook) | Daiki Ueno | 2020-02-07 | 1 | -11/+23
  This refactors the keylogfile mechanism by adding a callback to get notified when a new secret is derived and installed. That way, consumers can implement a custom logging feature per session, which is particularly useful in QUIC implementations.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* lib: drop gnutls_uint64 usage as sequence number | Dmitry Eremin-Solenikov | 2019-10-24 | 1 | -4/+6
  GnuTLS already depends on uint64_t being a properly defined type. So there is no need to have a special byte-array type for 8-byte integers. Use uint64_t instead, thus simplifying the code quite heavily.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Allow using implicit IV for stream ciphers with TLS | Dmitry Eremin-Solenikov | 2019-10-17 | 1 | -2/+6
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites | Nikos Mavrogiannopoulos | 2019-09-06 | 1 | -2/+9
  Since some point in 3.6.x we updated the calculation of maximum record size; however, that did not include the possibility of random record padding available for CBC ciphersuites, which exceeds the maximum. This commit allows for larger sizes for these ciphersuites to account for random padding as applied by gnutls 2.12.x.
  Resolves: #811
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* ext/record_size_limit: distinguish sending and receiving limits (branch: tmp-record-sizes) | Daiki Ueno | 2019-05-14 | 1 | -6/+4
  The previous behavior was that both sending and receiving limits are negotiated to be the same value. It was problematic when:
  - client sends a record_size_limit with a large value in CH
  - server sends a record_size_limit with a smaller value in EE
  - client updates the limit for both sending and receiving, upon receiving EE
  - server sends a Certificate message larger than the limit
  With this patch, each peer maintains the sending / receiving limits separately, so as not to be confused by the contradicting settings.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Removed all FIXME comments in code [ci skip] | Nikos Mavrogiannopoulos | 2019-03-16 | 1 | -2/+0
  We expand informational comments on limitations, but remove FIXME (the keyword didn't help fixing these), and remove completely unhelpful comments, obsolete ones, or comments about ideas.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Use https:// for www.gnu.org and www.example.com | Tim Rühsen | 2019-03-13 | 1 | -1/+1
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* Protected _gnutls_epoch_get from _gnutls_epoch_gc on false start | Nikos Mavrogiannopoulos | 2019-03-02 | 1 | -5/+20
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* constate: reset max_record_recv_size upon renegotiation | Daiki Ueno | 2019-02-14 | 1 | -0/+9
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* constate: don't restore max_record_recv_size from resumed data | Daiki Ueno | 2019-01-23 | 1 | -3/+8
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* handshake: handle early data | Daiki Ueno | 2018-11-11 | 1 | -7/+72
  This plumbs early data handling into the handshake processes, which consists of:
  - traffic key updates taking into account client_early_traffic_secret
  - early data buffering in both server and client
  - the EndOfEarlyData message handling
  - making use of the max_early_data_size extension in NewSessionTicket
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* constate: add epoch_rel argument to _gnutls_epoch_dup | Daiki Ueno | 2018-11-11 | 1 | -2/+2
  This is necessary for handling early data. Previously, _gnutls_epoch_dup() copied the parameters from EPOCH_READ_CURRENT, while the client only sets EPOCH_WRITE_CURRENT when sending early data. This allows the caller to specify from which epoch the parameters are copied.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* Implemented RFC7250 certificate type negotiation extensions. | Tom Vrancken | 2018-08-20 | 1 | -5/+6
  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* resume: keep persistent session identifiers | Nikos Mavrogiannopoulos | 2018-08-07 | 1 | -2/+2
  With the introduction of session ticket support (TLS1.2) and TLS1.3, session identifiers have no persistency on server or client side. Improve the situation by introducing persistent session identifiers on server side in a backwards compatible way.
  Resolves #484
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tls1.3: server returns early on handshake when no cert is provided by client | Nikos Mavrogiannopoulos | 2018-08-03 | 1 | -16/+59
  Under TLS1.3 the server knows the negotiated keys early, if no client certificate is sent. In that case, the server is not only able to transmit the session ticket immediately after its finished message, but is also able to transmit data, similarly to false start.
  Resolves #481
  Resolves #457
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* constate: dump full key block to log | Dmitry Eremin-Solenikov | 2018-07-23 | 1 | -1/+2
  Include the full key block in the debug log.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* constate: dump MAC keys to debug log | Dmitry Eremin-Solenikov | 2018-07-23 | 1 | -0/+12
  _gnutls_set_keys() can dump client/server write keys/ivs to the debug log, but it skips MAC keys. Add MAC keys to the log.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* constate: drop unused variable in _gnutls_set_keys | Dmitry Eremin-Solenikov | 2018-07-23 | 1 | -7/+0
  _gnutls_set_keys() creates rrnd as client random + server random, but does not use it (it was used before for export key generation, but was not removed when dropping support for export cipher suites).
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
  Fixes: 8bdb8d53aa5b4c5d04255b6c9b5f2dac8b23d51b
* generate_session_ticket: tickets cannot extend the original session time | Nikos Mavrogiannopoulos | 2018-07-11 | 1 | -1/+1
  That is, on a resumed session the server would not issue new tickets that would have extended the lifetime of the originally issued ticket.
  Resolves #476
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* key update: corrected generation of keys | Nikos Mavrogiannopoulos | 2018-06-27 | 1 | -4/+8
  Resolves #485
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: store session parameters in TLS1.3 ticket | Nikos Mavrogiannopoulos | 2018-05-26 | 1 | -4/+6
  This allows a TLS1.3 server to obtain certificate or other information from the client on a resumed session.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* TLS 1.3: Introduced TLS 1.3 session resumption | Ander Juaristi | 2018-05-26 | 1 | -14/+18
  This introduces session resumption under TLS 1.3. For that, it enables the psk_ke_modes extension when we enable session tickets. It enables sending session tickets in addition to PSK usernames. The detection of resumption vs pure PSK is done by comparing the indexes sent with the index received by the server. TLS 1.3 session tickets are always sent to the peer unless GNUTLS_NO_TICKETS is specified.
  Resolves #290
  Signed-off-by: Ander Juaristi <a@juaristi.eus>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* several updates to address issues found by clang static analyzer | Nikos Mavrogiannopoulos | 2018-05-09 | 1 | -1/+3
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* _gnutls_epoch_new: allow re-allocation epoch next epoch (branch: tmp-constate-fix) | Nikos Mavrogiannopoulos | 2018-04-18 | 1 | -7/+19
  In certain cases when a re-handshake is interrupted by application data, _gnutls_epoch_new() will be called twice. Make sure that this does not lead to an error. We also rename the function to clarify its purpose: _gnutls_epoch_setup_next().
  Resolves #426
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* constate: fixed key generation for TLS1.3 | Nikos Mavrogiannopoulos | 2018-04-06 | 1 | -2/+2
  This amends 62ea232f180b980a0d4b6462c468706db6cc4700, and removes invalid NULL checks, as well as corrects the key set for server side. This is verified against openssl master, but does not include an automated test suite; it will be tested as part of #328.
  Resolves #419
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* session state: TLS1.2 and TLS1.3 state is stored as union | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -18/+18
  That is, to reduce memory usage, as these protocols cannot be used in parallel.
  Relates: #281
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* session state: organized key exchange keys into structures | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -18/+18
  That is, with the view of separating the data needed for TLS1.2 and earlier from that needed for TLS1.3.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* record state: avoid memory allocations for stored keys | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -99/+89
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: introduced gnutls_session_key_update() | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -47/+79
  This function allows updating the keys of the session and notifying the peer.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: added TLS1.3 passive key update | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -20/+122
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* keylogfile: write TLS 1.3 secrets | Daiki Ueno | 2018-02-19 | 1 | -0/+13
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* _tls13_derive_secret: define secret argument | Daiki Ueno | 2018-02-19 | 1 | -0/+2
  TLS 1.3 exporters need to derive a secret from exporter_master_secret or early_exporter_master_secret, not the handshake or application secret stored in temp_secret. Add a new argument @secret to _tls13_derive_secret to specify any secret.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
* handshake: send hello retry request when no key share matches | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -4/+13
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* record: adjusted overhead calculation for TLS1.3 | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -3/+8
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: generate application keys | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -11/+31
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* constate: added _gnutls_epoch_dup | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -2/+29
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* constate: indentation fixes | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -6/+7
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: added basic support for TLS 1.3 handshake in client side | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -8/+6
  That does not include support for client certificates, as it requires extension handling improvements in order for extensions to be context sensitive (now they cannot distinguish whether the parsing routine is called during client hello or certificate request reading). This does not include proper parsing of extensions present in the certificate message.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* crypto-api: introduce internal version of AEAD API | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -3/+4
  This allows initializing the TLS 1.3 connection state without the additional allocations required by the external API.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* record: added TLS 1.3 record parsing and key derivation | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -20/+182
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* extensions: files renamed to hello_ext | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -1/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* security params: store PRF when packing session | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -0/+1
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* handshake: simplify by storing a pointer to PRF mac entry | Nikos Mavrogiannopoulos | 2018-02-19 | 1 | -2/+2
  That way, we avoid multiple function calls to obtain information such as hash size and other MAC properties.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* DTLS: improved data MTU calculation under CBC ciphersuites | Nikos Mavrogiannopoulos | 2018-01-16 | 1 | -1/+1
  The data MTU calculation under CBC ciphersuites takes into account that the overhead of these ciphersuites is constant (IV + hash + 1 byte padding), though the capacity varies due to the padding block. That is, on a 16-byte padding block, one padding byte is the overhead but the remaining 15 bytes are accounted for data MTU. That also has the side effect that setting a data MTU using gnutls_dtls_set_data_mtu() is not definite, and the actual MTU may be larger for these ciphersuites, i.e., the return value of gnutls_dtls_get_data_mtu().
  Resolves #360
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_set_resumed_parameters: restore the group from resumed parameters | Nikos Mavrogiannopoulos | 2017-11-27 | 1 | -0/+1
  That allows resumed sessions to have the original group information, such as the curve used for key exchange or the FFDHE parameters.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_epoch_gc: ensure there are no stray epochs after gc | Nikos Mavrogiannopoulos | 2017-09-25 | 1 | -3/+7
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* constate: simplified allocation of epochs | Nikos Mavrogiannopoulos | 2017-09-25 | 1 | -27/+16
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_epoch_get(): simplified use | Nikos Mavrogiannopoulos | 2017-09-25 | 1 | -1/+2
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* security_parameters: simplified contents by keeping pointer to cipher_suite_entry_st | Nikos Mavrogiannopoulos | 2017-08-02 | 1 | -54/+8
  That, in addition to simplifying the contents, allows faster access to the ciphersuite's properties.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>