| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| |
| |
| |
| | |
494c5d548ce3f370c2b771ca6b11e5f41e720da2)
to branch 'net.randombit.botan.tls-state-machine' (head b2cd26ff6f093caa79aecb2d674205f45b6aadff)
|
| | |
|
| |\
| | |
| | |
| | |
| | |
| | | |
fdbd3afd02bcb9b4a7702a922581580297add684)
to branch 'net.randombit.botan.tls-state-machine' (head 5f2f96b909365dc6e0faeccc7fa59470721e807a)
|
| |\ \
| | | |
| | | |
| | | |
| | | |
| | | | |
50fa70d871f837c3c3338fabf5fb45649669aabf)
to branch 'net.randombit.botan.tls-state-machine' (head 2358daac57db0411e62da2ef5a484468cb9307b7)
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | | |
update. Increase DHE group size from 1536 to 2048 bits, which per
NIST/ECRYPT should be good to 2030 or so.
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
renegotiation or not.
Save the hostname in the client so we can pull the session from the
session manager.
|
| | | |
| | | |
| | | |
| | | |
| | | | |
channel, except NPN which is strictly a per-connection extension.
Makes life easier for servers. OpenSSL seems to behave the same way.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
resumption, which would cause failures if doing a renegotiation under
the same session (eg to refresh keys).
The peer_certs variable was not set until after the Session object was
created, meaning the session (or session ticket) would not include
client certs. Worse, they would be included in the next session saved,
so if a client presented one cert, then renegotiated and presented
another one, the first cert would be associated with the second
session!
|
| | | | |
|
| | | |
| | | |
| | | |
| | | | |
nothing meaningful to compare to.
|
| | | |
| | | |
| | | |
| | | | |
in response to a certificate request.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
encoded CA DN has a length field but also the entire block has one.
This caused decoding errors if we requested a certificate and sent one
or more DNs to request particular CAs. The decoding side had it correct.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
the peer are automatically responded to. TLS::Channel::heartbeat can
initiate a new heartbeat if the peer allows it. Heartbeat replies are
passed back to the application processing function with an Alert value
of HEARTBEAT_PAYLOAD (a 'fake' value, 256, which is out of range of
the valid TLS alert space), along with the sent payload.
The RFC requires us to have no more than one heartbeat 'in flight' at
a time, ie without getting a response (or a timeout in the case of
DTLS). Currently we do not prevent an application from requesting
more.
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add SRP hooks in the examples
Fix next protocol support in the tls_server example.
|
| |\ \ \
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
058444ec216dd9690938c82922d911df2da535b4)
to branch 'net.randombit.botan.tls-state-machine' (head 54985e112aecb7b7c98a7dace924a2f704e6c9c1)
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Initial outline of server side SRP support. Need to figure out how to
transfer the v, b, B params from the server key exchange message to
the client key exchange. The DH variants do this by passing a
Private_Key via server_kex_key call, but wrapping SRP params in a
Private_Key really doesn't feel right. Not sure what to do here.
Possibly both SRP and DH should return a Key_Exchange_Material* that a
client key exchange knows how to dynamic cast on.
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
1.0.1, only the certificate versions tested currently as OpenSSL
doesn't support anon SRP.
|
| | |\ \ \
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
91305e3daaae9ea8a1786daf058d961991c68251)
to branch 'net.randombit.botan.tls-state-machine' (head 474a00b316f5b21a4e56033d4d990d87d9d3eed6)
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Make ciphersuite_list a free standing function
Now the Policy interface only contains actual policy hooks (no
non-virtual functions). Though choose_curve is a little dubious.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
seconds and report that value to the client in the NewSessionTicket
message. After that point, a session ticket is ignored and a full
renegotiation is forced.
Only send a new session ticket on a new session, or on a resumed
session where the client indicated it supports session tickets but for
whatever reason didn't send one in the hello. Perhaps in this case, we
should also remove the session from the session manager?
Clean up server selection of the ciphersuite a bit, all in an anon
function in tls_server instead of scattered over Server, Policy, and
Server_Hello.
Add Session::session_age and Session_Manager::session_lifetime
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
against OpenSSL.
One big issue that needs to be resolved is that with these
ciphersuites available to be negotiated, we want to make sure they
only are used when the application/user expects them to. Problem is
that PSK and SRP are "anonymous" but authenticated via the shared
secret. We need to be able to distinguish these on a policy
level. Otherwise a MITM could simply offer anon DH, which would be
somewhat unfortunate. A client could detect this in the handshake
callback, but might not.
In the short term to ensure this doesn't occur, disable both anon DH
and PSK/SRP in the default policy.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
previously negotiating any MD5-based ciphersuite in TLS 1.2 would
cause MAC failures as the master secret would come out differently due
to using the wrong PRF.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
integer->info mapping to tls_suite_info.cpp which is mostly
autogenerated by a Python script from the IANA parameters file.
The SRP method now uses kex "SRP_SHA" which is what the RFC calls it.
(And hypothetically, SRP_SHA256 might be defined at some point and
we'd need to be able to distinguish them).
Remove IDEA ciphersuite; we don't want to require IDEA be available
due to the European patent still being valid (IIRC), but I didn't want
to have to hand-edit the autogenerated switch with an #if check. Not a
huge issue though as most sites don't support it anyway.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
flags; if params change just regen the magic value and drop old
sessions. Check the magic value right from the start. Use constants
for internal sizes.
Increase default PBKDF2 iterations in the SQLite session manager
to 64K.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
anyway so we can output them with a single message. For some network
approaches this won't make any difference but it might help with
something doing direct writes on each callback. Additionally it seems
important for DTLS, where each record must be contained in a single
packet.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
manager is being used, it could be easily used for session tickets as
well, and if it's not the generate-on-first-call technique is easy to
write.
Avoid offering the session ticket extension if we know we don't have a
key. For one thing it will cause us to avoid using stateful sessions,
but additionally OpenSSL 1.0.1 is very intolerant of empty
NewSessionTicket messages so definitely worth avoiding when we can.
|
| | | | | | |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
with a default implementation that creates a new random key on the
first call.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
hello. Also include a full list of ciphersuites, ensuring that our
original session ciphersuite is in the list regardless of policy
(maybe it would be better to just not resume in that case, though?).
Otherwise, if the server doesn't remember our session (or the session
ticket key), it might not be capable of negotiating using the single
ciphersuite we sent due to lack of information (allowed curves was a
particular issue here). Including the full ciphersuite list also
allows for rengotiating the ciphersuite if, for instance, the session
can't be resumed because the server used to have an RSA cert but has
since replaced it with an ECDSA cert.
|
| | | | | | |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
some kind.
Fix New_Session_Ticket decoding. Apparently when the RFC says that a
server that does not want to send a ticket sends "an empty ticket"
that means a lifetime value plus an empty ticket, not an actually
empty extension.
|
| | | | | | |
|
| | | | | | |
|
| | |\ \ \ \
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
6bcbae3d22e4d873a8e941d0325ad666482ac4da)
to branch 'net.randombit.botan.tls-session-ticket' (head 9048722b5d18b39cf21f8542942dab94a9bd4e6b)
|
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
hard-coded key.
|
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
OpenSSL 1.0.1-beta2 running on localhost.
|
| | | | | | | |
|
| | | | | | | |
|
| | | |\ \ \ \
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
f761c340d4390c232d1a9896f3fde5c9dec7858b)
to branch 'net.randombit.botan.tls-session-ticket' (head bf9feb245aa7185e22948a21a3099acac7237b44)
|
| | | | | | | | |
|
| | | | | | | | |
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Use AES-256 so we don't encrypt session tickets with a weaker algo
than the ciphersuites.
|
| | | |\ \ \ \ \
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
9a12f28252f9b0a051a85c4647679a715161d06c)
to branch 'net.randombit.botan.tls-session-ticket' (head ebf45d24a44fb4d1e66e59fe8abefe6f8a53cf02)
|
| | | | |\ \ \ \ \
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
c24b5d6b012131b177d38bddb8b06d73f81f70c4)
to branch 'net.randombit.botan.tls-session-ticket' (head 9977d4c118e1ac26425cef676ebf26cd5b2a470e)
|
| | | | | | | | | | |
|
| | | | | | | | | | |
|
| | | |_|_|/ / / /
| | |/| | | | | | |
|