| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
session.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
checking, allowed client auth CAs, etc than the policy class. With
this change, most users won't ever need to modify the default policy
which is likely a good thing.
Remove copy and paste of the credentials manager implemenation in the
examples.
|
| | |
|
| | |
|
| |
|
|
|
| |
Add a convenience function to Session that returns the ciphersuite
class since mostly users won't care about the underlying code point.
|
| |
|
|
| |
for such a minor change.
|
| |
|
|
|
| |
everything into a new namespace (Botan::TLS), removing the TLS_
prefixes on everything.
|
| |
|
|
|
| |
the client key exchange object to interpret the message on the basis
of the chosen ciphersuite.
|
| |
|
|
|
|
|
| |
directly (if it was sent), so that the client implementation doesn't
have to know what key exchange mechanisms we actually support.
Return a value in ECC curves extension serialization method.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
counterparty by using the highest preference hash they have available
for the signature type we are generating. This does mean we will do
stupid things, if the counterparty is stupid (for instance some
versions of GnuTLS will prefer SHA-1 over the SHA-2s - likely someone
misread the spec and ordered the list backwards). But because we
filter out MD5 we'll never use that; even in the worst case, if
someone requests only MD5, we'll skip over it and use SHA-1 as the
fallback algorithm. Theoretically this is against the spec because we
"MUST" send something compatible, but seriously, fuck em. Right in the
eye.
|
| |
|
|
|
| |
happens it'll be reproductible, etc, might as well have the
information immediately.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
run into trouble in the TLS PRF with large pre-master secrets. This
especially crops up in TLS 1.2 as there the entire pre master secret
is fed to a single PRF (in earlier verions it is split in half). A
limit of 512 bytes allows a DH group up to 4096 bits which seems good
enough for now.
Also catch Invalid_Key_Length in the TLS PRF and throw an exception
that makes more sense - initially I was completely thrown off by the
HMAC key length exception, and it took me a while to figure it
out. Someone else looking at this the first time a server sends a 8192
bit DH group would be even more confused.
|
| |
|
|
|
|
|
|
|
| |
SSLv3 handshakes: we need to copy the handshake state when we computed
the finished data in the SSLv3 case because we need to add a little
bit of data onto the end, but we don't want to include that data with
the next computation. This meant that the finished message a client
sent us was fine, but the one we sent out had a bad finished value and
was rejected.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
entirely if we see it.
|
| |
|
|
|
|
|
|
| |
policy. Only functional change here from before is we now send DSA
with SHA-2. This is fine, OpenSSL does it as well and while the spec
says to wait until NIST comes up with a way to prevent hash
impersonation, it doesn't really make sense to avoid possible hash
substitution attacks by using the weakest available hash...
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
would like to use, in order of preference. Client sorts list of known
ciphersuites by those preferences and sends them. Server now picks the
first client method it knows and that it can use (previously, it would
choose the one it liked the best out of what the client sent).
New policy callback returns list of CAs allowed for client auth.
Don't send certificate request unless we have at least one CA we want
signatures from. OpenSSL has a behavior (bug?) in TLS 1.2 mode such
that it will reject a connection if a certificate request is sent
without any names included.
|
| |
|
|
|
| |
better checking (for instance, the DHE/RSA/SEED ciphersuite was not
there, instead the DHE/DSS/SEED ciphersuite value was being checked).
|
| |
|
|
|
|
|
|
| |
instead of TLS 1.2.
The server now will respect policy.pref_version - if the client sends
a version later than that, we reply with our preferred version. Before
we would always reply with the version offered by the client.
|
| |
|
|
| |
older versions.
|
| |
|
|
|
|
|
|
| |
the ciphersuite code and a set of strings specifying the underlying
suite algorithms. Remove it entirely.
Some things are likely broken. One I know about is that we always send
the hash/signature type indicator but should only do so for TLS >= 1.2
|
| | |
|
| | |
|
| |
|
|
|
|
| |
remain broken.
New interface for querying the TLS extensions, much cleaner.
|
| | |
|
| |
|
|
|
|
| |
with GnuTLS. Seemingly it will not negotiate them if it is under an
earlier protocol version. Some reports indicate Opera's TLS will do
so, and there doesn't seem any reason to prohibit it.
|
| |
|
|
|
|
|
|
| |
basic connection with a GnuTLS server does work. Currently we don't
respect the signature_algorithms extension at all, and using SHA-256
with a 12-byte finished value is hardcoded though the spec is that it
can depend on the ciphersuite (likely relevant for GOST ciphersuites
in particular).
|
| |
|
|
|
|
| |
Instead deserialize directly in the constructors that are passed the
raw message data. This makes it easier to pass contextual information
needed for decoding (eg, version numbers) where necessary.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
entire handshake state in many cases makes things simpler to update,
in that each message type already knows what it needs depending on the
version, params, etc, and this way a) that knowledge doesn't need to
percolate up the the actual client and server handshake code and b)
each message type can be updated for new formats/version without
having to change its callers. Downside is it hides the dependency
information away, and makes it non-obvious what needs to be created
beforehand for each message to work correctly. However this is
(almost) entirely predicated on the handshake message flows, and these
we control with the next expected message scheme, so this should be
fairly safe to do.
This checkin only updates the ones where it was immediately relevant
but for consistency probably all of them should be updated in the same
way.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Add getters for major and minor protocoll version on TLS_Session.
Add Certificate_Type code points for ECC certs.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
stripped out. Would cause failures with DHE in one out of every few
hundred connection attempts where the finished message would not
decrypt properly and the handshake would be rejected.
|
| | |
|
| | |
|
| | |
|
