Tim Rühsen [Fri, 15 Jun 2018 17:39:22 +0000 (19:39 +0200)]
Fix usage of 'autoreconf'
'autoreconf' created a different configure script than ./bootstrap.
The result was a broken wchar.h that failed to compile.
The work-around was 'autoreconf -I gl/m4' which is not what a developer
expects. This patch moves gl/m4/* to m4/ which is the default include dir
for autoreconf.
Martin Storsjo [Thu, 14 Jun 2018 09:53:42 +0000 (12:53 +0300)]
configure: Check for clock_gettime and fmemopen using a proper test
Don't use AC_CHECK_FUNCS for these functions, but actually test by
including the real header that defines the functions. This allows
the macOS version selection to work as intended, making the references
to these functions weak if targeting a version of macOS where these
functions aren't available. Thanks to -no_weak_imports, these weak
references end up in failed linker tests, marking the functions as
unavailable.
Martin Storsjo [Thu, 14 Jun 2018 09:52:03 +0000 (12:52 +0300)]
configure: Include sys/random.h before checking for getentropy on macOS
This function is available since macOS 10.12, but it's in
sys/random.h on macOS, contrary to the other platforms supporting
it where it is present in unistd.h.
If we don't include the right header that declares the function
and its availability, the configure check would succeed even if
targeting older versions of macOS that lack the function.
Also include the same header in the source file that actually
uses getentropy.
Martin Storsjo [Thu, 14 Jun 2018 09:36:10 +0000 (12:36 +0300)]
configure: Pass -no_weak_imports to the linker, if supported
This avoids linking to functions that aren't available in the
lowest targeted macOS version.
If the proper header declaring a function is included, and
gnutls is built with -mmacosx-version-min or the
MACOSX_DEPLOYMENT_TARGET environment variable is set, each
reference to a function that doesn't exist in the minimum
targeted version will be made a weak reference, so that loading
the binary still works, but the function pointer will resolve
to NULL if running on a version of the platform that lacks it.
Since this project doesn't do such runtime checks for functions
it expects to have available, we should instead add this linker
option to fail on the weak references. This allows autoconf to
work as intended, detecting that these functions aren't usable.
This flag appeared in Xcode 8, so check for its availability
before using it. (Xcode 8 and the 10.12 SDK are coincidentally
the release where most relevant new functions appeared, so with
older Xcode versions, the modern platform functions we might want
to avoid don't exist.)
This API allows encryption using a scatter input, by also
taking advantage of ciphers which are optimized for such input.
That is particularly useful under TLS1.3 since its encryption is
based on encryption of scattered data (data+pad).
Tim Rühsen [Sat, 19 May 2018 08:19:32 +0000 (10:19 +0200)]
Skip sc_prohibit_always_true_header_tests
We can't simply remove the checks for HAVE_SYS_SOCKET_H.
If we do, we have to make checks on real WIN32, which
is currently not an option.
So we skip sc_prohibit_always_true_header_tests.
Nettle version 3.4 was released more than a half year ago, require it to
compile GnuTLS library. It allows us to remove bundled code that was
merged into that release.
Daiki Ueno [Fri, 8 Jun 2018 13:55:06 +0000 (15:55 +0200)]
record: improve empty message handling in TLS 1.3
Previously, _gnutls_recv_in_buffers() silently discarded empty
messages because such messages are used as a countermeasure to
vulnerabilities in the CBC mode. In TLS 1.3, however, there are only
AEAD ciphers and such logic is meaningless. Moreover, in the protocol
it is suggested to send an "unexpected_message" alert when receiving
empty messages in certain occasions. This change moves the empty
message handling to record_add_to_buffers().
priorities: hmac-sha256 ciphersuites were removed from defaults
These ciphersuites are deprecated since the introduction of AEAD
ciphersuites, and are only necessary for compatibility with older
servers. Since older servers already support hmac-sha1 there is
no reason to keep these ciphersuites enabled by default, as they
increase our attack surface.
dummy_wait: correctly account the length field in SHA384 HMAC
The existing lucky13 attack countermeasures did not work correctly for
SHA384 HMAC.
The overall impact of that should not be significant as SHA384 is prioritized
lower than SHA256 or SHA1 and thus it is not typically negotiated, unless a
client prioritizes a SHA384 MAC, or a server only supports SHA384, and in both
cases the vulnerability is only present if Encrypt-then-MAC (RFC7366) is unsupported
by the peer.
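The commit above concerns the length field of the SHA384 HMAC in the Lucky13 countermeasure. As an added illustration (not GnuTLS's dummy_wait code), the following counts the compression-function calls an HMAC inner hash needs and how many dummy blocks a constant-time failure path must add to match the longest plaintext the record could have carried; the function names are hypothetical, the 13-byte MAC prefix is the TLS record MAC header, and the "miscounted" parameters apply SHA-256's 8-byte length field to SHA-384's 128-byte blocks to show the kind of off-by-one that results.

```c
#include <stddef.h>
#include <stdio.h>

/* Block size and trailing bit-length field width (FIPS 180-4 values).
 * SHA384_MISCOUNTED deliberately uses SHA-256's 8-byte length field. */
typedef struct {
    const char *name;
    size_t block_len;
    size_t len_field;
} hash_params;

static const hash_params SHA256_PARAMS     = { "SHA256", 64, 8 };
static const hash_params SHA384_PARAMS     = { "SHA384", 128, 16 };
static const hash_params SHA384_MISCOUNTED = { "SHA384 w/ 8-byte length", 128, 8 };

/* Compression calls for an HMAC inner hash over msg_len bytes: one block for
 * (key ^ ipad), then message + 0x80 terminator + length field, rounded up. */
size_t hmac_inner_blocks(const hash_params *h, size_t msg_len)
{
    size_t padded = msg_len + 1 + h->len_field;
    return 1 + (padded + h->block_len - 1) / h->block_len;
}

/* Lucky13-style equalisation: after a padding/MAC failure, hash enough dummy
 * blocks that the total equals what the longest possible plaintext (only the
 * pad_len byte, no pad bytes) would have needed. record_len is the decrypted
 * payload, mac_len the HMAC size, pad_len the last byte's value. */
size_t dummy_wait_extra_blocks(const hash_params *h, size_t record_len,
                               size_t mac_len, size_t pad_len)
{
    const size_t prefix = 13; /* seq_num(8) + type(1) + version(2) + length(2) */
    if (record_len < mac_len + 1 + pad_len)
        return 0; /* impossible lengths: nothing sensible to equalise */
    size_t max_plain = record_len - mac_len - 1;
    size_t plain     = max_plain - pad_len;
    return hmac_inner_blocks(h, prefix + max_plain)
         - hmac_inner_blocks(h, prefix + plain);
}

int main(void)
{
    /* A 112-byte MAC input sits on the SHA-384 boundary: the 16-byte length
     * field pushes it into a second message block, an 8-byte one does not. */
    printf("SHA384 blocks correct/miscounted: %zu/%zu\n",
           hmac_inner_blocks(&SHA384_PARAMS, 112),
           hmac_inner_blocks(&SHA384_MISCOUNTED, 112));
    printf("extra dummy blocks correct/miscounted: %zu/%zu\n",
           dummy_wait_extra_blocks(&SHA384_PARAMS, 200, 48, 52),
           dummy_wait_extra_blocks(&SHA384_MISCOUNTED, 200, 48, 52));
    return 0;
}
```

The miscounted parameters add a dummy block for a record whose real hash already used the extra block, so the failure path's timing no longer matches the success path for that length.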
Daiki Ueno [Fri, 1 Jun 2018 13:04:49 +0000 (15:04 +0200)]
tls13/session_ticket: don't send ticket when no common KE modes
When the server had received psk_key_exchange_modes extension which
doesn't have any overlap with the server configuration, omit sending
NewSessionTicket.
Daiki Ueno [Tue, 5 Jun 2018 12:08:26 +0000 (14:08 +0200)]
ext/psk_ke_modes: always send extension unless disabled in config
With the psk_key_exchange_modes extension, clients can restrict the
key exchange modes for use with resumption and in that case the server
shouldn't send NewSessionTicket. This patch makes use of it to avoid
receiving useless tickets, by sending the psk_key_exchange_modes
extension unless PSK is completely disabled.
A couple of tests need to be adjusted: tls13/prf to take into account
the psk_key_exchange_modes extension sent, and tls13/no-psk-exts to
not treat the presence of the extension as error.
Daiki Ueno [Fri, 1 Jun 2018 07:54:41 +0000 (09:54 +0200)]
ext/pre_shared_key: make PSK identity parsing more robust
Previously, to determine whether a PSK identity is a ticket or a PSK
username, it relied on PskIdentity.obfuscated_ticket_age, which
"SHOULD" be 0 if the identity is a PSK username.
This patch instead checks the key name of the ticket first and then
checks the constraints of the PSK username. That way, it can
distinguish tickets and PSK usernames in a more reliable manner.
Tim Rühsen [Thu, 24 May 2018 10:45:32 +0000 (12:45 +0200)]
Fix more warnings in tests/
To not introduce larger code changes, these bugs are mostly
fixed by #pragma understood by gcc and clang.
A check for the minimal gcc/clang version prevents warnings about
unknown pragmas with other or older compilers.
tests: added main use-case test for gnutls_session_ticket_send()
It verifies whether a server can use gnutls_session_ticket_send()
to send a ticket after re-authentication, and whether a client
can receive that ticket and re-authenticate with it, while
its certificate is made available to the server.
handshake: TLS1.3 async messages trigger the handshake hook
That is, the callback set with gnutls_handshake_set_hook_function() is
now called even on the async handshake messages received under TLS1.3,
such as key update, etc.
That is, check gnutls_session_is_resumed() is functional on server
side, whether PRF is respected on resumption, whether gnutls_certificate_get_peers()
and gnutls_certificate_get_ours() operate as expected, and whether session
resumption fails with tickets after expiration time has passed.
In addition, improve function documentation by documenting the current
semantics for the functions above.
This requires a few changes to the resume.c test: because
NewSessionTicket is a post-handshake message,
gnutls_session_get_data2() needs to be called after sending the first
application data. Also, on GNUTLS_E_AGAIN, gnutls_record_recv()
needs to retry.
gnutls-cli: ignore E_AGAIN to accommodate async handshake message
When an async handshake message has arrived while no application data
is available, gnutls_record_recv() returns GNUTLS_E_AGAIN and the loop
in socket_recv() blocks. Since socket_recv() is guarded by select(),
it should be safe to ignore GNUTLS_E_AGAIN.
Ander Juaristi [Mon, 16 Apr 2018 15:13:47 +0000 (17:13 +0200)]
TLS 1.3: Introduced TLS 1.3 session resumption
This introduces session resumption under TLS 1.3. For that,
it enables the psk_ke_modes extension when we enable session
tickets. It enables sending session tickets in addition to
PSK usernames. The detection of resumption vs pure PSK is done by
comparing the indexes sent with the index received by the server.
TLS 1.3 session tickets are always sent to the peer unless
GNUTLS_NO_TICKETS is specified.