Commit message (author, age, files, lines)
* Remove the old (unused) <supports_shared> config block. It specified which architectures the OS supported shared libs on; in all cases it was either all or none. Replace with new config build_shared [yes|no], which defaults to yes but is set to no for MinGW and Cygwin since shared libs don't seem to be working well there. (lloyd, 2010-05-13, 18 files, -70/+19)
* Partially protect OAEP decoding against a timing attack. Possibility of this pointed out by Falko Strenzke. The timing differences between different error conditions could lead to attacks even with the same error message. Instead use a (mostly) straightline implementation. However scanning for the delim byte is still timing/input dependent, so this is not a 100% fix. (lloyd, 2010-05-12, 1 file, -12/+28)
* merge of '22c256e152c9765e98afa4d164af3f6783e96257' and '561b7dbb17d3809ca98a31b718ee55ae9d52cb2c' (lloyd, 2010-05-10, 1 file, -4/+11)
* Prevent crash if asked to benchmark unknown block cipher with a mode (eg "NoSuchCipher/CBC") (lloyd, 2010-05-05, 1 file, -4/+11)
* Avoid trying to use GCC's cpuid.h in versions where it doesn't exist (before 4.3). Probably will need to write asm blocks for those older versions. (lloyd, 2010-05-06, 1 file, -1/+3)
* Modify the implementation of multiplication mod 65537 used in IDEA to be branch-free. This reduces performance noticeably on my Core2 (from 32 MiB/s to a bit over 27 MiB), but so it goes. The IDEA implementation using SSE2 is already branch-free here, and runs at about 135 MiB/s on my machine. Also add more IDEA tests, generated by OpenSSL (lloyd, 2010-04-30, 3 files, -10/+534)
* Tick to 1.9.8-dev (lloyd, 2010-04-28, 3 files, -4/+6)
* Update log, readme, configure for 1.9.7 release (tag 1.9.7) (lloyd, 2010-04-27, 3 files, -3/+3)
* HMAC_RNG handling changes - split up reseed() and add_entropy() entirely. add_entropy() just adds the input into the extractor; if more than 1024 bytes of input have been added by the user since the last reseed, then force a reseed. Until that point, the data simply remains accumulating in the extractor, which is fast and helps ensure a large block of data is input when we finally do reseed. (lloyd, 2010-04-27, 2 files, -35/+31)
* Remove add_entropy_vec. Much cleaner way of doing this: add the entire contents of all SSL/TLS handshake messages into the PRNG input. (lloyd, 2010-04-27, 3 files, -7/+4)
* mutex.h is internal - had been picking up system installed version (lloyd, 2010-04-23, 1 file, -1/+1)
* Add the other party's Random value to the local PRNG state (lloyd, 2010-04-23, 2 files, -0/+4)
* Return SecureVector vals by const ref (lloyd, 2010-04-23, 1 file, -4/+4)
* Add add_entropy_vec which calls add_entropy on the passed vector. Has to be named differently from add_entropy to deal with odd C++ overloading/virtual rules. (lloyd, 2010-04-23, 1 file, -0/+3)
* Add a couple of Comb4P tests, generated by the python implementation (lloyd, 2010-04-23, 1 file, -0/+9)
* Check to make sure the user didn't provide two of the same hash for Comb4P. If you do this, the first N bytes are all zero, which could expose some problems, especially if the caller truncates or is relying on Comb4P acting like a random function. (lloyd, 2010-04-23, 1 file, -0/+3)
* Remove some C-style casts (lloyd, 2010-04-23, 4 files, -6/+6)
* Comb4P: hashes must be the same length (lloyd, 2010-04-22, 1 file, -2/+0)
* Fix EMSA_Raw in the case where the original input had leading 0 bytes. (lloyd, 2010-04-21, 2 files, -1/+20)
* Add a test for RSA verification with raw padding and an unusual key (lloyd, 2010-04-21, 1 file, -0/+33)
* Extension codes for ECC negotiation (lloyd, 2010-04-21, 1 file, -0/+3)
* If we couldn't agree on a suite, fail immediately (lloyd, 2010-04-20, 1 file, -0/+5)
* Expose public_value() in ECDH public key (lloyd, 2010-04-20, 1 file, -3/+10)
* Compile fix (lloyd, 2010-04-20, 1 file, -1/+1)
* Expose function breaking down ciphersuite to algo values (lloyd, 2010-04-19, 2 files, -3/+5)
* In the string constructor of EC_Domain_Params, check if the PEM decoding failed. If so, assume the input string was an OID and try that. (lloyd, 2010-04-19, 2 files, -6/+16)
* Dist script updates (lloyd, 2010-04-19, 1 file, -4/+8)
* Cleanups. Name our cert for localhost. Used AutoSeeded_RNG. Report SNI request, if any. (lloyd, 2010-04-19, 1 file, -12/+16)
* Just report total size output at the end (lloyd, 2010-04-19, 1 file, -1/+7)
* Add codes for SHA-1 based ECC suites (RFC 4492). (lloyd, 2010-04-19, 2 files, -25/+81)
* Add support for SEED ciphersuites. Tested against OpenSSL 0.9.8n (lloyd, 2010-04-17, 4 files, -0/+25)
* Add support for reading SSLv2 client hellos (lloyd, 2010-04-17, 6 files, -8/+87)
* Clean up ciphersuite handling (lloyd, 2010-04-17, 7 files, -91/+273)
* Add support for TLS 1.2 PRF (lloyd, 2010-04-17, 2 files, -22/+63)
* Add Comb4P hash combiner, as described in Anja Lehmann's thesis. (lloyd, 2010-04-17, 5 files, -0/+168)
* Tick version to 1.9.7-dev (lloyd, 2010-04-16, 3 files, -4/+6)
* Tick for 1.9.6 release (tag 1.9.6) (lloyd, 2010-04-09, 3 files, -3/+4)
* If the CBC padding is incorrect, then assume the pad size is zero and carry on with the procedure. This prevents a timing attack where an attacker could distinguish bad padding vs MAC failure. This timing channel was used in the paper "Password Interception in a SSL/TLS Channel" by Vaudenay et al. to attack SSL in certain fairly realistic use scenarios. (lloyd, 2010-04-09, 1 file, -4/+10)
* Retrodocument some 1.9.5 changes. Document other TLS fixes in 1.9.6 (lloyd, 2010-04-07, 1 file, -2/+7)
* Present requested hostname (SNI extn) to TLS_Server user (lloyd, 2010-03-30, 2 files, -0/+6)
* Remove bad filename (lloyd, 2010-03-30, 1 file, -1/+0)
* Document adding SNI (lloyd, 2010-03-30, 1 file, -0/+1)
* Instead of just discarding the extension size, confirm that the claimed length matches the length of the data left in the client hello packet. (lloyd, 2010-03-30, 1 file, -1/+4)
* Support TLS Extensions, specifically SNI (lloyd, 2010-03-30, 1 file, -35/+29)
* Constify assert_at_least. Add some helpers (lloyd, 2010-03-30, 1 file, -1/+17)
* Add some magic numbers for TLS extension codes (lloyd, 2010-03-30, 1 file, -0/+11)
* Add a class that knows how to decode a (very small subset of) TLS data formatting. Particularly useful in the ClientHello, but generally helps centralize the offset handling, which was particularly unreadable in the hello messages. (lloyd, 2010-03-30, 6 files, -61/+249)
* Don't fail simply because the client sent a version code that we don't know about; just continue and the server will choose either whatever the client supports, if it knows about it, or else the latest version it supports. So for instance if a client attempts to negotiate TLS 1.2, we'll not know about that version and return a ServerHello for 1.1 instead. (lloyd, 2010-03-30, 1 file, -6/+0)
* Fix server handshake. Support TLS 1.1 servers (lloyd, 2010-03-30, 2 files, -15/+14)
* Fix DSA TLS servers (lloyd, 2010-03-30, 1 file, -1/+1)