-rw-r--r-- | doc/contents.rst | 1 | ||||
-rw-r--r-- | doc/cryptobox.rst | 2 | ||||
-rw-r--r-- | doc/download.rst | 46 | ||||
-rw-r--r-- | doc/release_process.rst | 2 | ||||
-rw-r--r-- | doc/relnotes/1_11_2.rst | 2 | ||||
-rw-r--r-- | doc/relnotes/1_11_3.rst | 9 | ||||
-rw-r--r-- | doc/tls.rst | 16 | ||||
-rw-r--r-- | doc/vcs.rst | 41 | ||||
-rw-r--r-- | src/build-data/arch/mips64.txt | 4 | ||||
-rwxr-xr-x | src/build-data/scripts/dist.py | 2 | ||||
-rw-r--r-- | src/engine/aes_isa_eng/aes_isa_engine.cpp | 2 | ||||
-rw-r--r-- | src/tls/tls_policy.cpp | 8 | ||||
-rw-r--r-- | src/tls/tls_policy.h | 7 | ||||
-rw-r--r-- | src/tls/tls_server.cpp | 15 | ||||
-rw-r--r-- | src/tls/tls_version.h | 8 |
15 files changed, 109 insertions, 56 deletions
diff --git a/doc/contents.rst b/doc/contents.rst index ba9396c99..a5591d0b0 100644 --- a/doc/contents.rst +++ b/doc/contents.rst @@ -39,6 +39,7 @@ Contents users pgpkey algos + vcs release_process build_log diff --git a/doc/cryptobox.rst b/doc/cryptobox.rst index a418ddaf6..ea77eee5a 100644 --- a/doc/cryptobox.rst +++ b/doc/cryptobox.rst @@ -22,7 +22,7 @@ namespace `Botan::CryptoBox`. Decrypts something encrypted with encrypt. - .. cpp:function:: std::string decrypt(const std::string& input, + .. cpp:function:: std::string decrypt(const std::string& input, \ const std::string& passphrase) Decrypts something encrypted with encrypt. diff --git a/doc/download.rst b/doc/download.rst index 8382ebc53..a67039976 100644 --- a/doc/download.rst +++ b/doc/download.rst @@ -38,8 +38,9 @@ The latest version of the current development series, from branch :tgz:`1.11.2` (:tgz_sig:`sig <1.11.2>`), :tbz:`1.11.2` (:tbz_sig:`sig <1.11.2>`) -A script also creates daily snapshots of trunk, which are available -`here <https://files.randombit.net/botan/snapshots/>`_. +To access the latest unreleased sources, see :doc:`vcs`. A script also +creates regular snapshots of trunk, which are available `here +<https://files.randombit.net/botan/snapshots/>`_. .. note:: 
@@ -53,44 +54,3 @@ The latest version of the previous stable series, from branch ``net.randombit.botan.1_8`` is :doc:`relnotes/1_8_14`: :tgz:`1.8.14` (:tgz_sig:`sig <1.8.14>`), :tbz:`1.8.14` (:tbz_sig:`sig <1.8.14>`) - -Accessing Version Control ----------------------------------------- - -Botan's development occurs using a distributed version control system -called `Monotone <http://www.monotone.ca>`_ (though there is also a -mirror on `github <https://github.com/randombit/botan>`_. The main -branch of development occurs on the branch named -``net.randombit.botan``. To download that branch and set up a new -workspace, run:: - - $ mtn db init --db=botan.mtn - $ mtn pull --db=botan.mtn randombit.net 'net.randombit.botan' - [...] - $ mtn checkout --db=botan.mtn --branch=net.randombit.botan - [...] - -By default the ``checkout`` command will place the workspace in a -directory with the same name as the branch you are checking out. If -you want a different directory name, just include it after the -``--branch`` option (you can also rename this directory at any time). - -If this is the first time you've connected to the server, Monotone -will print:: - - mtn: first time connecting to server randombit.net - mtn: I'll assume it's really them, but you might want to double-check - mtn: their key's fingerprint: 8c0b868f2247215c63c96983b1c8ca0f0f0cfd9a - -The fingerprint shown above was the correct one as of June 20, 2012. - -To pull further changes, from anywhere in the workspace run these -commands:: - - $ mtn pull - [...] - $ mtn update - [summary of changes] - -The ``mtn update`` command will give you a summary of which files -changed; to view the full changelog, run ``mtn log``. diff --git a/doc/release_process.rst b/doc/release_process.rst index 04e40f613..88daff0c6 100644 --- a/doc/release_process.rst +++ b/doc/release_process.rst 
@@ -73,7 +73,7 @@ The current botan website is derived entirely from the ReST content in called ``mtn-watch`` periodically checks for new updates on the ``net.randombit.botan`` branch (only), and if found regenerates the site content. Thus as soon as the changes are synced to the server -running on ``randombit.net``, the website will be updated. +running on ``mtn.randombit.net``, the website will be updated. Announce The Release ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/doc/relnotes/1_11_2.rst b/doc/relnotes/1_11_2.rst index 714091d8f..767fbf624 100644 --- a/doc/relnotes/1_11_2.rst +++ b/doc/relnotes/1_11_2.rst @@ -21,7 +21,7 @@ New Parallel Filter """""""""""""""""""""""""""""""""""""""" * The new filter :cpp:class:`Threaded_Fork` acts like a normal - :cpp:class:`Fork,` sending its input to a number of different + :cpp:class:`Fork`, sending its input to a number of different filters, but each subchain of filters in the fork runs in its own thread. Contributed by Joel Low. diff --git a/doc/relnotes/1_11_3.rst b/doc/relnotes/1_11_3.rst index 73e16e96a..3c1ab4c30 100644 --- a/doc/relnotes/1_11_3.rst +++ b/doc/relnotes/1_11_3.rst @@ -1,6 +1,13 @@ Version 1.11.3, Not Yet Released ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +* A new TLS policy mechanism + :cpp:func:`TLS::Policy::server_uses_own_ciphersuite_preferences` + controls how a server chooses a ciphersuite. Previously it always + chose its most preferred cipher out of the client's list, but this + can allow configuring a server to choose by the client's preferences + instead. + * Implementations of the OCB and GCM authenticated cipher modes are now included 
@@ -12,8 +19,8 @@ Version 1.11.3, Not Yet Released have been removed * New functions for symmetric encryption are included in cryptobox.h + though interfaces and formats are subject to change. * A new function :cpp:func:`algorithm_kat_detailed` returns a string providing information about failures, instead of just a pass/fail indicator as in :cpp:func:`algorithm_kat`. - diff --git a/doc/tls.rst b/doc/tls.rst index 83503fcb1..406b94d93 100644 --- a/doc/tls.rst +++ b/doc/tls.rst @@ -526,17 +526,24 @@ be negotiated during a handshake. Default: "secp521r1", "secp384r1", "secp256r1", "secp256k1", "secp224r1", "secp224k1" - Also allowed: "secp192r1", "secp192k1", "secp160r2", "secp160r1", "secp160k1" + Also allowed: "secp192r1", "secp192k1", "secp160r2", "secp160r1", + "secp160k1" .. cpp:function:: std::vector<byte> compression() const Return the list of compression methods we are willing to use, in order of - preference. + preference. Default is null compression only. .. note:: TLS compression is not currently supported. + .. cpp:function:: bool server_uses_own_ciphersuite_preferences() const + + If this returns true, a server will pick the cipher it prefers the + most out of the client's list. Otherwise, it will negotiate the + first cipher in the client's ciphersuite list that it supports. + .. cpp:function:: bool negotiate_heartbeat_support() const If this function returns true, clients will offer the heartbeat @@ -545,6 +552,11 @@ be negotiated during a handshake. support and servers will ignore clients offering heartbeat support. + If this returns true, callers should expect to handle heartbeat + data in their ``proc_fn``. + + Default + .. cpp:function:: bool allow_server_initiated_renegotiation() const If this function returns true, a client will accept a diff --git a/doc/vcs.rst b/doc/vcs.rst new file mode 100644 index 000000000..e2353ee53 --- /dev/null +++ b/doc/vcs.rst 
@@ -0,0 +1,41 @@ + +Accessing Version Control +======================================== + +Botan's development occurs using a distributed version control system +called `Monotone <http://www.monotone.ca>`_ (though there is also a +mirror on `github <https://github.com/randombit/botan>`_). The main +branch of development occurs on the branch named +``net.randombit.botan``. To download that branch and set up a new +workspace, run:: + + $ mtn db init --db=botan.mtn + $ mtn pull --db=botan.mtn mtn.randombit.net 'net.randombit.botan' + [...] + $ mtn checkout --db=botan.mtn --branch=net.randombit.botan + [...] + +By default the ``checkout`` command will place the workspace in a +directory with the same name as the branch you are checking out. If +you want a different directory name, just include it after the +``--branch`` option (you can also rename this directory at any time). + +If this is the first time you've connected to the server, Monotone +will print:: + + mtn: first time connecting to server mtn.randombit.net + mtn: I'll assume it's really them, but you might want to double-check + mtn: their key's fingerprint: 8c0b868f2247215c63c96983b1c8ca0f0f0cfd9a + +The fingerprint shown above was the correct one as of March 21, 2013. + +To pull further changes, from anywhere in the workspace run these +commands:: + + $ mtn pull + [...] + $ mtn update + [summary of changes] + +The ``mtn update`` command will give you a summary of which files +changed; to view the full changelog, run ``mtn log``. diff --git a/src/build-data/arch/mips64.txt b/src/build-data/arch/mips64.txt index a2fd5849b..d6f481346 100644 --- a/src/build-data/arch/mips64.txt +++ b/src/build-data/arch/mips64.txt @@ -1,3 +1,7 @@ +<aliases> +mips64el +</aliases> + <submodels> r4000 r4100 diff --git a/src/build-data/scripts/dist.py b/src/build-data/scripts/dist.py index e9dd30118..316057d22 100755 --- a/src/build-data/scripts/dist.py +++ b/src/build-data/scripts/dist.py 
@@ -231,7 +231,7 @@ def main(args = None): rev_id = run_monotone(options.mtn_db, ['automate', 'select', selector(args)]) if rev_id == '': - logging.error('No revision for %s found' % (version)) + logging.error('No revision matching %s found' % (selector(args))) return 2 logging.info('Found revision id %s' % (rev_id)) diff --git a/src/engine/aes_isa_eng/aes_isa_engine.cpp b/src/engine/aes_isa_eng/aes_isa_engine.cpp index e56f6e9ca..956a1ce38 100644 --- a/src/engine/aes_isa_eng/aes_isa_engine.cpp +++ b/src/engine/aes_isa_eng/aes_isa_engine.cpp @@ -30,7 +30,7 @@ AES_ISA_Engine::find_block_cipher(const SCAN_Name& request, } #endif - return 0; + return nullptr; } } diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp index 98e3c6bca..1048e0a62 100644 --- a/src/tls/tls_policy.cpp +++ b/src/tls/tls_policy.cpp @@ -131,6 +131,14 @@ u32bit Policy::session_ticket_lifetime() const bool Policy::acceptable_protocol_version(Protocol_Version version) const { return version.known_version(); // accept any version we know about + + // maybe someday... + //return version >= Protocol_Version::TLS_V11; + } + +bool Policy::server_uses_own_ciphersuite_preferences() const + { + return true; } namespace { diff --git a/src/tls/tls_policy.h b/src/tls/tls_policy.h index 125faa665..7176f7fd5 100644 --- a/src/tls/tls_policy.h +++ b/src/tls/tls_policy.h @@ -126,6 +126,13 @@ class BOTAN_DLL Policy */ virtual bool acceptable_protocol_version(Protocol_Version version) const; + /** + * @return true if servers should choose the ciphersuite matching + * their highest preference, rather than the clients. + * Has no effect on client side. + */ + virtual bool server_uses_own_ciphersuite_preferences() const; + virtual ~Policy() {} }; diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp index 2c393b32d..d8e827b39 100644 --- a/src/tls/tls_server.cpp +++ b/src/tls/tls_server.cpp 
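Review bot: In src/tls/tls_policy.cpp, the two lines added to `Policy::acceptable_protocol_version` sit after the `return` and are commented-out code, so they never run and do not say what has to be true before the stricter check could be enabled. A comment placed above the return would carry the intent better, for example `// TODO: consider rejecting versions below Protocol_Version::TLS_V11 once older peers no longer need support`. As written, the default still accepts every version that `known_version()` recognises. Since the method is declared virtual in tls_policy.h, its doc comment there could state that applications needing a minimum protocol version are expected to override it.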
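Review bot: The doc comment added for `server_uses_own_ciphersuite_preferences` in src/tls/tls_policy.h says "rather than the clients", which drops the possessive and does not say what a `false` return means for negotiation. Suggested wording: `@return true if servers should choose the ciphersuite matching their highest preference, rather than the client's.` A further sentence should note that when an override returns false the selection order comes from the peer's hello. In that mode the server's own ciphersuite list, together with the later checks in `choose_ciphersuite`, is what bounds the negotiated suite, so the list should contain only suites the deployment accepts. The class body continues outside the hunk.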
@@ -112,6 +112,8 @@ u16bit choose_ciphersuite( const std::map<std::string, std::vector<X509_Certificate> >& cert_chains, const Client_Hello* client_hello) { + const bool our_choice = policy.server_uses_own_ciphersuite_preferences(); + const bool have_srp = creds.attempt_srp("tls-server", client_hello->sni_hostname()); @@ -128,12 +130,15 @@ u16bit choose_ciphersuite( const bool have_shared_ecc_curve = (policy.choose_curve(client_hello->supported_ecc_curves()) != ""); - // Ordering by our preferences rather than by clients - for(size_t i = 0; i != server_suites.size(); ++i) - { - const u16bit suite_id = server_suites[i]; + std::vector<u16bit> pref_list = server_suites; + std::vector<u16bit> other_list = client_suites; - if(!value_exists(client_suites, suite_id)) + if(!our_choice) + std::swap(pref_list, other_list); + + for(auto suite_id : pref_list) + { + if(!value_exists(other_list, suite_id)) continue; Ciphersuite suite = Ciphersuite::by_id(suite_id); diff --git a/src/tls/tls_version.h b/src/tls/tls_version.h index 39712db27..2fb5365dc 100644 --- a/src/tls/tls_version.h +++ b/src/tls/tls_version.h @@ -129,6 +129,14 @@ class BOTAN_DLL Protocol_Version */ bool operator>(const Protocol_Version& other) const; + /** + * @return if this version is later than or equal to other + */ + bool operator>=(const Protocol_Version& other) const + { + return (*this == other || *this > other); + } + private: u16bit m_version; }; |
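Review bot: In `choose_ciphersuite` (src/tls/tls_server.cpp), `pref_list` and `other_list` are full copies of `server_suites` and `client_suites`, made on every handshake only to decide which one is iterated, and the length of the client's list is set by the peer. Binding references avoids both copies and the `std::swap`: `const std::vector<u16bit>& pref_list = our_choice ? server_suites : client_suites;` and `const std::vector<u16bit>& other_list = our_choice ? client_suites : server_suites;`. The removed comment explained the ordering and nothing replaces it, so a line such as `// Walk the preferred side's list in order; take the first suite the other side also offers` would help. The declarations of `server_suites` and `client_suites` and the rest of the loop body are outside the hunk, so this assumes both are vectors of `u16bit`.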