gnutls-commit

[SCM] GNU gnutls branch, master, updated. gnutls_3_0_11-35-g2ab2e5c


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_0_11-35-g2ab2e5c
Date: Wed, 11 Jan 2012 19:20:33 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=2ab2e5cd8acba95851461c880c5a57714a792d5b

The branch, master has been updated
       via  2ab2e5cd8acba95851461c880c5a57714a792d5b (commit)
       via  d22267bd36b76e5d72edd8fdb9b81bb901d6136f (commit)
      from  d6708897f61b44f6e57d4206c7a9f9fc86e26d51 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2ab2e5cd8acba95851461c880c5a57714a792d5b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Jan 11 20:24:30 2012 +0100

    documentation update

commit d22267bd36b76e5d72edd8fdb9b81bb901d6136f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Jan 11 20:22:14 2012 +0100

    Added gnutls_session_resumption_requested().

-----------------------------------------------------------------------

Summary of changes:
 NEWS                            |    1 +
 doc/cha-gtls-app.texi           |  107 ++++++++++++++++++++++----------------
 lib/gnutls_handshake.c          |    2 +
 lib/gnutls_int.h                |    3 +-
 lib/gnutls_state.c              |   25 ++++++++-
 lib/includes/gnutls/gnutls.h.in |    3 +-
 lib/libgnutls.map               |    1 +
 7 files changed, 93 insertions(+), 49 deletions(-)

diff --git a/NEWS b/NEWS
index aa7f17f..ef86319 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,7 @@ return a descriptive name of a DN OID.
 ** API and ABI modifications:
 gnutls_pubkey_encrypt_data: Added
 gnutls_x509_dn_oid_name: Added
+gnutls_session_resumption_requested: Added
 
 * Version 3.0.11 (released 2012-01-06)
 
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 50efed2..406e6b3 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -338,6 +338,10 @@ already.
 
 
@showfuncD{gnutls_certificate_set_openpgp_key_mem,gnutls_certificate_set_openpgp_key,gnutls_certificate_set_openpgp_key_file,gnutls_certificate_set_key}
 
+If multiple certificates are used with the functions above each
+client's request will be served with the certificate that matches the
+requested name (see @ref{Server name indication}).
+
 As an alternative to loading from files or buffers, a callback may be used for 
the 
 server or the client to specify the certificate and the key at the handshake 
time.
 In that case a certificate should be selected according the peer's signature
@@ -346,45 +350,23 @@ algorithm preferences. To get those preferences use
 
 
@showfuncB{gnutls_certificate_set_retrieve_function,gnutls_sign_algorithm_get_requested}
 
-Certificate verification is possible by loading the trusted
-authorities into the credentials structure by using
-the following functions, applicable to X.509 and OpenPGP certificates.
-
address@hidden,gnutls_certificate_set_openpgp_keyring_file}
+The functions above do not handle the requested server name automatically.
+A server would need to check the name requested by the client
+using @funcref{gnutls_server_name_get}, and serve the appropriate
+certificate.
 
-Note however that the peer's certificate is not automatically
-verified, you should call @funcref{gnutls_certificate_verify_peers2},
-after a successful handshake or during if 
@funcref{gnutls_certificate_set_verify_function}
-has been used, to verify the certificate's signature.
-An alternative way, which reports a more detailed
-verification output, is to use @funcref{gnutls_certificate_get_peers} to
-obtain the raw certificate of the peer and verify it using the
-functions discussed in @ref{X.509 certificates}.
-
address@hidden
-
-In a handshake, the negotiated cipher suite also depends on the
+In a handshake, the negotiated cipher suite depends on the
 certificate's parameters, so some key exchange methods might not be
-available with some certificates. @acronym{GnuTLS} will disable
+available with all certificates. @acronym{GnuTLS} will disable
 ciphersuites that are not compatible with the key, or the enabled
 authentication methods.  For example keys marked as sign-only, will
 not be able to access the plain RSA ciphersuites, that require
 decryption. It is not recommended to use RSA keys for both
 signing and encryption. If possible use a different key for the
address@hidden which uses signing and @code{RSA} that requires decryption.
address@hidden which uses signing and @code{RSA} that requires decryption.
 All the key exchange methods shown in @ref{tab:key-exchange} are
 available in certificate authentication.
 
address@hidden
-
-Note that the DHE key exchange methods are generally
address@hidden depends on the group used.  Primes with
-lesser bits are always faster, but also easier to break.  See @ref{Selecting 
cryptographic key sizes}
-for the acceptable security levels.} than the elliptic curves counterpart
-(ECDHE). Moreover the plain Diffie-Hellman key exchange
-requires parameters to be generated and associated with a credentials
-structure by the server (see @ref{Parameter generation}). 
-
 
 @subsubheading Client certificate authentication
 
@@ -403,6 +385,31 @@ signed by server's acceptable signers.
 @showfuncdesc{gnutls_certificate_send_x509_rdn_sequence}
 
 
address@hidden Client or server certificate verification
+
+Certificate verification is possible by loading the trusted
+authorities into the credentials structure by using
+the following functions, applicable to X.509 and OpenPGP certificates.
+
address@hidden,gnutls_certificate_set_openpgp_keyring_file}
+
+The peer's certificate is not automatically verified and one 
+should call @funcref{gnutls_certificate_verify_peers2}
+after a successful handshake to verify the certificate's signature.
+Alternative the verification can occur during the handshake
+by using @funcref{gnutls_certificate_set_verify_function}.
+
+In order to report a detailed verification output, an alternative
+way has to be used. For that, one should call 
@funcref{gnutls_certificate_get_peers} 
+to obtain the raw certificate of the peer and verify it using the
+functions discussed in @ref{X.509 certificates}.
+
address@hidden
+
address@hidden
+
+
+
 @node SRP credentials
 @subsection SRP
 
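Review bot: In the added verification subsection, "Alternative the verification can occur during the handshake" should read "Alternatively, the verification can occur during the handshake". The same paragraph says gnutls_certificate_verify_peers2 is called "to verify the certificate's signature", while the paragraph before it talks about loading trusted authorities. Since the text opens by stating that the peer's certificate is not automatically verified, one sentence spelling out what the call checks against those authorities would keep a reader from taking "signature" as the full extent of verification.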
@@ -804,7 +811,13 @@ CURVE-SECP192R1, CURVE-SECP224R1, CURVE-SECP256R1, 
CURVE-SECP384R1, CURVE-SECP52
 @caption{The supported algorithm keywords in priority strings.}
 @end float
 
-
+Note that the DHE key exchange methods are generally
address@hidden depends on the group used.  Primes with
+lesser bits are always faster, but also easier to break.  See @ref{Selecting 
cryptographic key sizes}
+for the acceptable security levels.} than their elliptic curves counterpart
+(ECDHE). Moreover the plain Diffie-Hellman key exchange
+requires parameters to be generated and associated with a credentials
+structure by the server (see @ref{Parameter generation}). 
 
 @float Table,tab:prio-special
 @multitable @columnfractions .45 .45
@@ -888,17 +901,19 @@ will allow V1 CAs in chains.
 @subsubheading Client side
 
 To reduce time and roundtrips spent in a handshake the client can   
-utilize session resumption. This requires the client to retrieve and store
-the session parameters. On new sessions to the same server the parameters must
-be re-associated with sessions using @funcref{gnutls_session_set_data}.
+request session resumption from a server that previously shared
+a session with. For that the client has to retrieve and store
+the session parameters. Before establishing a new session to the same 
+server the parameters must be re-associated with the GnuTLS session
+using @funcref{gnutls_session_set_data}.
 
 
@showfuncC{gnutls_session_get_data,gnutls_session_get_id,gnutls_session_set_data}
 
-Keep in mind that sessions might be expired after some time, 
-and it may be normal for a server not to resume a session
-even it was requested.  That is to prevent temporal session keys
-from becoming long-term keys. Also note that as a client you must enable, 
using the
-priority functions, at least the algorithms used in the last session.
+Keep in mind that sessions will be expired after some time, depending
+on the server, and a server may choose not to resume a session
+even when requested to.  The expiration is to prevent temporal session keys
+from becoming long-term keys. Also note that as a client you must enable, 
+using the priority functions, at least the algorithms used in the last session.
 
 It is highly recommended for clients to enable the session ticket extension 
using
 @funcref{gnutls_session_ticket_enable_client} in order to allow resumption 
with 
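Review bot: The rewritten opening sentence is incomplete: "request session resumption from a server that previously shared a session with" has no object after "with". Suggest "from a server with which it previously shared a session". In the second rewritten paragraph, "temporal session keys" is carried over unchanged from the old text and probably means "temporary"; worth fixing while these lines are being touched.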
@@ -906,14 +921,15 @@ servers that do not store any state.
 
 @showfuncA{gnutls_session_ticket_enable_client}
 
address@hidden
 
 @subsubheading Server side
 
-In order to support resumption a server might do it either by storing
+In order to support resumption a server can store
 the session security parameters in a local database or by using session
 tickets (see @ref{Session tickets}) to delegate storage to the client. Because
 session tickets might not be supported by all clients, servers
-might combine the two methods.
+could combine the two methods.
 
 A storing server needs to specify callback functions to store, retrieve and 
delete session data. These can be
 registered with the functions below. The stored sessions in the database can 
be checked using @funcref{gnutls_db_check_entry}
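Review bot: After replacing "might do it either by storing" with "can store", the first sentence of the server-side paragraph no longer parses: "a server can store the session security parameters in a local database or by using session tickets". Suggest "a server can either store the session security parameters in a local database or use session tickets (see @ref{Session tickets}) to delegate storage to the client".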
@@ -922,13 +938,14 @@ for expiration.
 
@showfuncD{gnutls_db_set_retrieve_function,gnutls_db_set_store_function,gnutls_db_set_ptr,gnutls_db_set_remove_function}
 @showfuncA{gnutls_db_check_entry}
 
-A server utilizing tickets should use
address@hidden to generate a ticket encryption key and
-call @funcref{gnutls_session_ticket_enable_server} to enable the extension.
+A server utilizing tickets should generate ticket encryption
+and authentication keys using @funcref{gnutls_session_ticket_key_generate}.
+Those keys should be associated with the GnuTLS session using
address@hidden
 
address@hidden
address@hidden
 @showfuncdesc{gnutls_session_ticket_key_generate}
-
address@hidden
 
 @node Parameter generation
 @subsection Parameter generation
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 805bed5..36cf8a7 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -441,6 +441,8 @@ _gnutls_read_client_hello (gnutls_session_t session, opaque 
* data,
   session_id = &data[pos];
   ret = _gnutls_server_restore_session (session, session_id, session_id_len);
   pos += session_id_len;
+  
+  if (session_id_len > 0) session->internals.resumption_requested = 1;
 
   if (ret == 0)
     {                           /* resumed using default TLS resumption! */
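Review bot: The added line only ever sets resumption_requested to 1 and nothing in this hunk clears it, so if _gnutls_read_client_hello runs again on the same session with an empty session ID, the flag keeps its value from the earlier hello. Assigning unconditionally, for example `session->internals.resumption_requested = (session_id_len > 0);`, or resetting the field wherever the handshake state is initialised, avoids the stale value. The flag is also derived purely from session_id_len, so it records that the client sent a session ID and nothing more; the documentation of the public getter should say so, given that the manual changes in this commit describe session tickets as a second resumption method. Style: the first added line consists only of whitespace, and the one-line `if` does not match the brace layout of the `if (ret == 0)` that follows.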
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 0895491..d2119e1 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -683,7 +683,8 @@ typedef struct
   struct gnutls_priority_st priorities;
 
   /* resumed session */
-  unsigned int resumed:1;                /* RESUME_TRUE or FALSE - if we are 
resuming a session */
+  unsigned int resumed:1;  /* RESUME_TRUE or FALSE - if we are resuming a 
session */
+  unsigned int resumption_requested:1; /* non-zero if resumption was requested 
by client */
   security_parameters_st resumed_security_parameters;
 
   /* These buffers are used in the handshake
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 712ba1d..4f20465 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011
- * Free Software Foundation, Inc.
+ * Copyright (C) 2002-2012 Free Software Foundation, Inc.
  *
  * Author: Nikos Mavrogiannopoulos
  *
@@ -1112,6 +1111,28 @@ gnutls_session_is_resumed (gnutls_session_t session)
   return 0;
 }
 
+/**
+ * gnutls_session_resumption_requested:
+ * @session: is a #gnutls_session_t structure.
+ *
+ * Check whether the client has asked for session resumption.
+ * This function is valid only on server side.
+ *
+ * Returns: non zero if session resumption was asked, or a zero if not.
+ **/
+int
+gnutls_session_resumption_requested(gnutls_session_t session)
+{
+  if (session->security_parameters.entity == GNUTLS_CLIENT)
+    {
+      return 0;
+    }
+  else
+    {
+      return session->internals.resumption_requested;
+    }
+}
+
 /*-
  * _gnutls_session_is_export - Used to check whether this session is of export 
grade
  * @session: is a #gnutls_session_t structure.
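Review bot: The doc comment for gnutls_session_resumption_requested does not say when the return value is meaningful or what "asked for" covers. Going by the gnutls_handshake.c change in this commit, the flag is set while the client hello is parsed and only when the hello carries a non-empty session ID, so the comment should state that the function is valid once the client hello has been processed and that a non-zero result does not mean the session was actually resumed (gnutls_session_is_resumed reports that). The definition also omits the space before the parameter list that gnutls_session_is_resumed and the new prototype in gnutls.h.in both use.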
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 424deae..296ca4a 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1,5 +1,5 @@
 /* -*- c -*-
- * Copyright (C) 2000-2011 Free Software Foundation, Inc.
+ * Copyright (C) 2000-2012 Free Software Foundation, Inc.
  *
  * Author: Nikos Mavrogiannopoulos
  *
@@ -959,6 +959,7 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t 
session);
 /* checks if this session is a resumed one 
  */
   int gnutls_session_is_resumed (gnutls_session_t session);
+  int gnutls_session_resumption_requested (gnutls_session_t session);
 
   typedef int (*gnutls_db_store_func) (void *, gnutls_datum_t key,
                                        gnutls_datum_t data);
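Review bot: The new prototype sits directly under the comment "checks if this session is a resumed one", which describes gnutls_session_is_resumed only. Give gnutls_session_resumption_requested its own one-line comment, or widen the existing one, so the header does not suggest the two functions report the same thing.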
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index d570cb1..5417950 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -729,6 +729,7 @@ GNUTLS_3_0_0 {
        gnutls_random_art;
        gnutls_pubkey_encrypt_data;
        gnutls_x509_dn_oid_name;
+       gnutls_session_resumption_requested;
 } GNUTLS_2_12;
 
 GNUTLS_PRIVATE {


hooks/post-receive
-- 
GNU gnutls


