Commit log (newest first). Each entry: date, author, (files changed, lines removed/added), then the commit message.
* 2012-04-04  lloyd  (4 files, -62/+59)
  Remove Policy::choose_compression and move to tls_server. Make ciphersuite_list a free-standing function. Now the Policy interface only contains actual policy hooks (no non-virtual functions). Though choose_curve is a little dubious.
* 2012-04-04  lloyd  (15 files, -178/+196)
  Limit the lifetime of tickets to Policy::session_ticket_lifetime() seconds and report that value to the client in the NewSessionTicket message. After that point, a session ticket is ignored and a full renegotiation is forced.
  Only send a new session ticket on a new session, or on a resumed session where the client indicated it supports session tickets but for whatever reason didn't send one in the hello. Perhaps in this case, we should also remove the session from the session manager?
  Clean up server selection of the ciphersuite a bit, all in an anon function in tls_server instead of scattered over Server, Policy, and Server_Hello.
  Add Session::session_age and Session_Manager::session_lifetime.
* 2012-04-02  lloyd  (2 files, -18/+62)
  Add anonymous DH/ECDH ciphersuites to the cipher list. Interop checked against OpenSSL.
  One big issue that needs to be resolved is that with these ciphersuites available to be negotiated, we want to make sure they are only used when the application/user expects them to be. Problem is that PSK and SRP are "anonymous" but authenticated via the shared secret. We need to be able to distinguish these on a policy level. Otherwise a MITM could simply offer anon DH, which would be somewhat unfortunate. A client could detect this in the handshake callback, but might not.
  In the short term, to ensure this doesn't occur, disable both anon DH and PSK/SRP in the default policy.
* 2012-04-02  lloyd  (2 files, -2/+6)
  Use SHA-256 when MD5 is negotiated as the HMAC hash in TLS 1.2; previously, negotiating any MD5-based ciphersuite in TLS 1.2 would cause MAC failures as the master secret would come out differently due to using the wrong PRF.
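As an added illustration of the PRF point in this commit (standalone Python, not Botan code; the function names, the selector prf_hash_for_suite and the sample pre-master/random values are constructed for this example): the TLS 1.0/1.1 PRF (P_MD5 xor P_SHA1, RFC 2246 section 5) and the TLS 1.2 PRF (P_SHA256 for every suite in RFC 5246, P_SHA384 only for the RFC 5289 SHA-384 suites) built on Python's hmac module. The master-secret derivation shows that a suite's MAC hash never selects the TLS 1.2 PRF, and the buggy variant keys the PRF off the MAC hash, which is how both sides end up with different master secrets and then fail every record MAC.

```python
"""TLS PRF selection: the ciphersuite MAC hash must not pick the TLS 1.2 PRF."""
import hmac

TLS_1_0, TLS_1_1, TLS_1_2 = (3, 1), (3, 2), (3, 3)


def p_hash(hash_name, secret, seed, length):
    """P_<hash> from RFC 5246 section 5: HMAC chained over A(i) || seed."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) || seed)
    return out[:length]


def prf_tls12(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF: P_<hash>(secret, label || seed), SHA-256 unless the suite's
    definition (RFC 5289 SHA-384 suites) says otherwise."""
    return p_hash(hash_name, secret, label + seed, length)


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(S1) XOR P_SHA1(S2) over the split secret."""
    half = (len(secret) + 1) // 2   # odd-length secrets share the middle byte
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_hash_for_suite(version, mac_hash):
    """Hash for the handshake PRF given the negotiated version and the suite's
    MAC hash.  None means 'use the fixed MD5/SHA-1 PRF of TLS 1.0/1.1'.  Only
    the SHA-384 suites change the TLS 1.2 PRF; MD5- and SHA-1-MAC suites use
    P_SHA256 like everything else."""
    if version < TLS_1_2:
        return None
    return "sha384" if mac_hash == "sha384" else "sha256"


def master_secret(version, mac_hash, pre_master, client_random, server_random):
    """48-byte master secret, RFC 5246 section 8.1."""
    seed = client_random + server_random
    h = prf_hash_for_suite(version, mac_hash)
    if h is None:
        return prf_tls10(pre_master, b"master secret", seed, 48)
    return prf_tls12(pre_master, b"master secret", seed, 48, h)


def buggy_master_secret(mac_hash, pre_master, client_random, server_random):
    """The mistake the commit fixes: drive the TLS 1.2 PRF with the suite's
    MAC hash, so an *_MD5 suite derives with P_MD5 and disagrees with a
    conforming peer."""
    seed = client_random + server_random
    return prf_tls12(pre_master, b"master secret", seed, 48, mac_hash)


# Constructed sample inputs (not values from a real handshake).
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
```

The check a practitioner wants is the second assertion: an MD5-MAC suite and a SHA-1-MAC suite must produce the same master secret from the same inputs in TLS 1.2, because the PRF is the same; only the buggy path makes them differ.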
* 2012-03-30  lloyd  (7 files, -351/+298)
  Remove the Ciphersuite_Code enum and move all ciphersuite integer->info mapping to tls_suite_info.cpp, which is mostly autogenerated by a Python script from the IANA parameters file.
  The SRP method now uses kex "SRP_SHA", which is what the RFC calls it. (And hypothetically, SRP_SHA256 might be defined at some point and we'd need to be able to distinguish them.)
  Remove IDEA ciphersuite; we don't want to require IDEA be available due to the European patent still being valid (IIRC), but I didn't want to have to hand-edit the autogenerated switch with an #if check. Not a huge issue though as most sites don't support it anyway.
* 2012-03-28  lloyd  (2 files, -38/+54)
  Rework session crypto code. Drop the 4 bytes of zeros reserved for flags; if params change just regen the magic value and drop old sessions. Check the magic value right from the start. Use constants for internal sizes. Increase default PBKDF2 iterations in the SQLite session manager to 64K.
* 2012-03-23  lloyd  (1 file, -12/+12)
  For unencrypted initial handshake records, copy them to the writebuf anyway so we can output them with a single message. For some network approaches this won't make any difference but it might help with something doing direct writes on each callback. Additionally it seems important for DTLS, where each record must be contained in a single packet.
* 2012-03-23  lloyd  (6 files, -57/+39)
  Revert the session_ticket callback in credentials manager. If a PSK manager is being used, it could be easily used for session tickets as well, and if it's not, the generate-on-first-call technique is easy to write.
  Avoid offering the session ticket extension if we know we don't have a key. For one thing it will cause us to avoid using stateful sessions, but additionally OpenSSL 1.0.1 is very intolerant of empty NewSessionTicket messages so definitely worth avoiding when we can.
* 2012-03-23  lloyd  (2 files, -0/+6)
  Fix deps
* 2012-03-23  lloyd  (3 files, -17/+49)
  Add a special hook in credentials manager for the session ticket key, with a default implementation that creates a new random key on the first call.
* 2012-03-23  lloyd  (3 files, -5/+18)
  Include the curves and sig algos list in a session resumption client hello. Also include a full list of ciphersuites, ensuring that our original session ciphersuite is in the list regardless of policy (maybe it would be better to just not resume in that case, though?). Otherwise, if the server doesn't remember our session (or the session ticket key), it might not be capable of negotiating using the single ciphersuite we sent due to lack of information (allowed curves was a particular issue here).
  Including the full ciphersuite list also allows for renegotiating the ciphersuite if, for instance, the session can't be resumed because the server used to have an RSA cert but has since replaced it with an ECDSA cert.
* 2012-03-23  lloyd  (1 file, -0/+11)
  Use the SQLite session manager if available
* 2012-03-23  lloyd  (2 files, -9/+16)
  Only claim we support session tickets if we actually have a key of some kind.
  Fix New_Session_Ticket decoding. Apparently when the RFC says that a server that does not want to send a ticket sends "an empty ticket", that means a lifetime value plus an empty ticket, not an actually empty extension.
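An added example covering two session-ticket commits on this page, the lifetime limit (Policy::session_ticket_lifetime, Session::session_age) near the top and the NewSessionTicket decoding fix here. It is standalone Python written for this page, not Botan's New_Session_Ticket or Session code; the function names, the DecodeError type and the sample messages are constructed for the example. RFC 5077 section 3.3 defines the message as a uint32 ticket_lifetime_hint followed by an opaque ticket<0..2^16-1>, so the "empty ticket" a server sends when it declines to issue one is a 6-byte body (hint plus a zero length), and a 0-byte body is malformed. The age checks show the server ignoring a ticket past the policy lifetime (forcing a full handshake) and the client deciding whether a stored ticket is still worth offering, treating a hint of 0 as "no hint" per the RFC.

```python
"""RFC 5077 NewSessionTicket encode/decode and ticket-age checks (illustration)."""
import struct

NEW_SESSION_TICKET = 4  # HandshakeType new_session_ticket


class DecodeError(ValueError):
    pass


def encode_new_session_ticket(lifetime_hint, ticket=b""):
    """Build the handshake message.  Declining to issue a ticket still emits the
    4-byte hint and a 2-byte zero length: the body is never 0 bytes long."""
    if not 0 <= lifetime_hint < 2**32 or len(ticket) > 0xFFFF:
        raise ValueError("field out of range")
    body = struct.pack("!IH", lifetime_hint, len(ticket)) + ticket
    return bytes([NEW_SESSION_TICKET]) + len(body).to_bytes(3, "big") + body


def decode_new_session_ticket(msg):
    """Return (lifetime_hint, ticket); ticket is b'' for the empty ticket."""
    if len(msg) < 4 or msg[0] != NEW_SESSION_TICKET:
        raise DecodeError("not a NewSessionTicket handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:]
    if len(body) != body_len:
        raise DecodeError("handshake length does not match payload")
    if len(body) < 6:
        # The bug being fixed: a 0-byte body is not "no ticket", it is malformed.
        raise DecodeError("body shorter than lifetime_hint + ticket length")
    lifetime_hint, ticket_len = struct.unpack("!IH", body[:6])
    ticket = body[6:]
    if len(ticket) != ticket_len:
        raise DecodeError("ticket length field does not match payload")
    return lifetime_hint, ticket


def decode_or_none(msg):
    """Same decoder, returning None instead of raising on malformed input."""
    try:
        return decode_new_session_ticket(msg)
    except DecodeError:
        return None


def session_age(issued_at, now):
    """Seconds since the session/ticket was issued (clock skew clamped at 0)."""
    return max(0, now - issued_at)


def server_accepts_ticket(issued_at, now, policy_lifetime):
    """Server: a ticket older than the policy lifetime is ignored and the
    handshake proceeds as a full handshake instead of a resumption."""
    return session_age(issued_at, now) <= policy_lifetime


def client_should_offer(issued_at, now, server_hint, policy_lifetime):
    """Client: offer a stored ticket only while it is within both the server's
    lifetime hint (0 = server gave no hint) and the local policy lifetime."""
    limit = policy_lifetime if server_hint == 0 else min(server_hint, policy_lifetime)
    return session_age(issued_at, now) <= limit


# Constructed sample messages (not captured traffic).
EMPTY_TICKET_MSG = encode_new_session_ticket(0)                   # 4-byte header + 6-byte body
SAMPLE_TICKET_MSG = encode_new_session_ticket(7200, b"\xaa" * 40)
ZERO_LENGTH_BODY = bytes([NEW_SESSION_TICKET, 0, 0, 0])           # what a naive decoder accepted
```

When the server advertised the SessionTicket extension but has no key (the "only claim support if we have a key" part of this commit), the clean option is not to offer the extension at all; the encoder above is what it would send if it had already committed to the extension and then declined to issue a ticket.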
* 2012-03-22  lloyd  (2 files, -14/+37)
  Call Credentials_Manager::psk for the session ticket key.
* 2012-03-22  lloyd  (4 files, -54/+163)
  Add encryption for the SQLite sessions database
* 2012-03-22  lloyd  (16 files, -57/+456)
  propagate from branch 'net.randombit.botan.tls-state-machine' (head 6bcbae3d22e4d873a8e941d0325ad666482ac4da) to branch 'net.randombit.botan.tls-session-ticket' (head 9048722b5d18b39cf21f8542942dab94a9bd4e6b)
* 2012-03-22  lloyd  (7 files, -33/+106)
  Server side handling of session tickets, though currently with a hard-coded key.
* 2012-03-22  lloyd  (6 files, -17/+37)
  Working client-side session tickets. Tested against gmail.com and OpenSSL 1.0.1-beta2 running on localhost.
* 2012-03-22  lloyd  (1 file, -5/+6)
  Correct ticket decoding/encoding
* 2012-03-22  lloyd  (1 file, -0/+39)
  Add missing source file for New_Session_Ticket msg
* 2012-03-22  lloyd  (5 files, -3/+313)
  propagate from branch 'net.randombit.botan.tls-state-machine' (head f761c340d4390c232d1a9896f3fde5c9dec7858b) to branch 'net.randombit.botan.tls-session-ticket' (head bf9feb245aa7185e22948a21a3099acac7237b44)
* 2012-03-20  lloyd  (11 files, -64/+120)
  Basic protocol message flow for session tickets
* 2012-03-19  lloyd  (5 files, -9/+22)
  Small fixes, cleanups
* 2012-03-16  lloyd  (5 files, -47/+58)
  Various merge fixups. Use AES-256 so we don't encrypt session tickets with a weaker algo than the ciphersuites.
* 2012-03-16  lloyd  (7 files, -4/+190)
  propagate from branch 'net.randombit.botan.tls-state-machine' (head 9a12f28252f9b0a051a85c4647679a715161d06c) to branch 'net.randombit.botan.tls-session-ticket' (head ebf45d24a44fb4d1e66e59fe8abefe6f8a53cf02)
* 2012-03-16  lloyd  (83 files, -2328/+4962)
  propagate from branch 'net.randombit.botan.tls-state-machine' (head c24b5d6b012131b177d38bddb8b06d73f81f70c4) to branch 'net.randombit.botan.tls-session-ticket' (head 9977d4c118e1ac26425cef676ebf26cd5b2a470e)
* 2012-01-11  lloyd  (4 files, -11/+20)
  Build fixes
* 2012-01-11  lloyd  (5 files, -3/+170)
  Outline of RFC 5077 session tickets
* 2012-03-22  lloyd  (1 file, -22/+33)
  Add some helper functions for data access
* 2012-03-22  lloyd  (1 file, -7/+7)
  Reorder schema and make the session id a primary key since it should not only be unique but fast searches on it are likely useful. Not bothering to put an index on the (hostname,hostport) tuple as it's only used by clients on initial connection, and even at 10K rows that search wouldn't take long at all.
* 2012-03-22  lloyd  (1 file, -1/+1)
  Oops, libsqlite is sqlite2, link to libsqlite3
* 2012-03-22  lloyd  (2 files, -16/+62)
  Expire old sessions and limit the cache size in the sqlite session manager. Also when pulling a session via host info, try the most recent session first (rather than the oldest!).
* 2012-03-22  lloyd  (3 files, -0/+265)
  First rev at a SQLite TLS session manager. Should be encrypting the sessions; will defer until session ticket support lands. Also currently isn't handling session expiry or limiting the number of stored sessions.
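An added example for the three SQLite session-manager commits above (the first revision, the expiry/cap/most-recent-first change, and the schema reorder with session_id as primary key). It is standalone Python on the stdlib sqlite3 module, not Botan's Session_Manager_SQLite; the table name, column names, the SQLiteSessionManager class and its method names, and the sample sessions in build_sample_cache are all constructed for this page. The time is passed in explicitly so the expiry behaviour is testable. Rows are stored unencrypted here, which the first-revision commit itself flags as a gap; the later commits on this page add encryption.

```python
"""SQLite-backed TLS session cache with expiry, a row cap and newest-first lookup."""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS tls_sessions (
    session_id    TEXT PRIMARY KEY,  -- unique and the hot lookup key (server resumption)
    session_start INTEGER NOT NULL,  -- seconds since the epoch
    hostname      TEXT NOT NULL,     -- client-side lookup key, no index (rarely queried)
    hostport      INTEGER NOT NULL,
    session       BLOB NOT NULL      -- serialized session; should be encrypted at rest
)
"""


class SQLiteSessionManager:
    def __init__(self, path=":memory:", session_lifetime=7200, max_sessions=1000):
        self.db = sqlite3.connect(path)
        self.db.execute(SCHEMA)
        self.session_lifetime = session_lifetime  # seconds
        self.max_sessions = max_sessions

    def _cutoff(self, now):
        """Sessions started at or before this instant are expired."""
        return now - self.session_lifetime

    def save(self, session_id, hostname, hostport, blob, now):
        self.db.execute(
            "INSERT OR REPLACE INTO tls_sessions "
            "(session_id, session_start, hostname, hostport, session) VALUES (?, ?, ?, ?, ?)",
            (session_id, now, hostname, hostport, blob))
        self.prune(now)
        self.db.commit()

    def prune(self, now):
        """Drop expired rows, then the oldest rows beyond max_sessions."""
        self.db.execute("DELETE FROM tls_sessions WHERE session_start <= ?",
                        (self._cutoff(now),))
        # LIMIT -1 OFFSET n selects every row after the n newest ones.
        self.db.execute(
            "DELETE FROM tls_sessions WHERE session_id IN ("
            "  SELECT session_id FROM tls_sessions"
            "  ORDER BY session_start DESC LIMIT -1 OFFSET ?)",
            (self.max_sessions,))

    def load_from_session_id(self, session_id, now):
        """Server-side lookup; expiry is re-checked on read, not only on prune."""
        row = self.db.execute(
            "SELECT session FROM tls_sessions WHERE session_id = ? AND session_start > ?",
            (session_id, self._cutoff(now))).fetchone()
        return row[0] if row else None

    def load_from_host_info(self, hostname, hostport, now):
        """Client-side lookup: the newest unexpired session for the host wins."""
        row = self.db.execute(
            "SELECT session FROM tls_sessions "
            "WHERE hostname = ? AND hostport = ? AND session_start > ? "
            "ORDER BY session_start DESC LIMIT 1",
            (hostname, hostport, self._cutoff(now))).fetchone()
        return row[0] if row else None

    def count(self):
        return self.db.execute("SELECT COUNT(*) FROM tls_sessions").fetchone()[0]


def build_sample_cache():
    """Constructed sample data: three sessions, two for the same host."""
    mgr = SQLiteSessionManager(session_lifetime=3600, max_sessions=3)
    mgr.save("s1", "example.com", 443, b"session-1", now=0)
    mgr.save("s2", "example.com", 443, b"session-2", now=10)
    mgr.save("s3", "other.example", 443, b"session-3", now=20)
    return mgr
```

Checking expiry on read as well as on save matters because a long-idle cache is only pruned when something is written; without the read-side filter a server could resume a session well past the lifetime it advertised.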
* 2012-03-22  lloyd  (1 file, -2/+0)
  Remove extra BER_Decoder object
* 2012-03-22  lloyd  (1 file, -1/+2)
  Off by one in decode_constrained_integer, broke Session DER decoding
* 2012-03-16  lloyd  (1 file, -0/+61)
  Add missing source for DTLS hello verify
* 2012-03-07  lloyd  (9 files, -27/+56)
  Add SecureQueue::empty. Hide the handshake reader behind a function. Add pieces for DTLS hello verify request message.
* 2012-03-05  lloyd  (14 files, -91/+215)
  Add an abstraction for reading handshake messages (as DTLS handles it quite differently). Avoid using a queue for reading certificates. Hide the version code in the handshake state with a getter and setter.
* 2012-03-03  lloyd  (11 files, -39/+44)
  Move the handshake serialization code to Record_Writer
* 2012-03-02  lloyd  (2 files, -4/+12)
  Move min_version and pref_version to the source file so they can be overridden easily in a new release without changing binaries linked against an earlier version.
* 2012-02-28  lloyd  (1 file, -1/+1)
  Bad conditional
* 2012-02-28  lloyd  (1 file, -20/+19)
  We would call the handshake callback twice on session resumption: misplaced braces.
* 2012-02-27  lloyd  (3 files, -11/+19)
  Add makefile dependency on credentials.h. Use 1024 bit keys for RSA/DSA. Add function for choosing thread count.
* 2012-02-27  lloyd  (6 files, -38/+38)
  Indentation
* 2012-02-03  lloyd  (1 file, -17/+89)
  Create and save certs on the fly for hostnames as they are asked for
* 2012-02-01  lloyd  (6 files, -18/+55)
  Actually check CA signatures in Credentials_Manager. This area needs a lot more work before this can be deployed.
* 2012-01-28  lloyd  (6 files, -10/+29)
  Support getting ciphersuites by name as well as suite ID
* 2012-01-28  lloyd  (3 files, -5/+40)
  Add Camellia ciphersuites from RFC 4132.
  Fix Ciphersuite_Preference_Ordering, which treated two ciphersuites with the same algos but different keylengths as equivalent, causing them to be lost. Always prefer the longer key.
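An added example serving two commits on this page: the anon DH/ECDH policy concern near the top (anonymous suites versus PSK/SRP, which carry no certificate but are authenticated by the shared secret) and the preference-ordering fix here (suites differing only in key length must not be treated as equivalent, and the longer key should win). It is standalone Python, not Botan's Policy, Ciphersuite or Ciphersuite_Preference_Ordering code; the Suite dataclass, the policy dict, the function names, and the rule that signed ephemeral suites sort ahead of static-RSA ones are this example's own assumptions. The suite codes are the IANA-registered values for the named suites. The server_choose simulation shows why the policy split matters: if anonymous suites are allowed, a MITM that strips the client's list down to anon DH gets an unauthenticated connection; with the default policy the server has nothing acceptable and the handshake fails instead.

```python
"""Ciphersuite policy (anon vs. shared-secret auth) and preference ordering."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    code: int
    name: str
    kex: str      # key exchange: RSA, DH, ECDH, PSK, SRP_SHA
    sig: str      # certificate signature: RSA, DSA, ECDSA, or "" when there is none
    cipher: str
    keylen: int   # cipher key length in bits
    mac: str


# Small constructed table; codes are the IANA TLS Cipher Suite registry values.
SUITES = [
    Suite(0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "RSA", "AES", 128, "SHA-1"),
    Suite(0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA", "RSA", "RSA", "AES", 256, "SHA-1"),
    Suite(0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", "RSA", "RSA", "Camellia", 128, "SHA-1"),
    Suite(0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", "RSA", "RSA", "Camellia", 256, "SHA-1"),
    Suite(0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DH", "RSA", "AES", 128, "SHA-1"),
    Suite(0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DH", "RSA", "AES", 256, "SHA-1"),
    Suite(0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA", "DH", "", "AES", 128, "SHA-1"),
    Suite(0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA", "DH", "", "AES", 256, "SHA-1"),
    Suite(0xC018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "ECDH", "", "AES", 128, "SHA-1"),
    Suite(0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA", "PSK", "", "AES", 128, "SHA-1"),
    Suite(0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", "SRP_SHA", "", "AES", 128, "SHA-1"),
]
BY_CODE = {s.code: s for s in SUITES}


def is_anonymous(s):
    """No signature and no shared secret: nothing authenticates the peer."""
    return s.sig == "" and s.kex in ("DH", "ECDH")


def is_psk_or_srp(s):
    """No certificate either, but the exchange is authenticated by a shared secret."""
    return s.kex in ("PSK", "SRP_SHA")


# Assumed policy shape; both knobs off mirrors the commit's default policy.
DEFAULT_POLICY = {"allow_anon": False, "allow_psk_srp": False}


def allowed_by_policy(s, policy):
    if is_anonymous(s):
        return policy["allow_anon"]
    if is_psk_or_srp(s):
        return policy["allow_psk_srp"]
    return True


def buggy_ordering(suites):
    """Before the fix: key length is not part of identity, so whichever of
    AES-128/AES-256 (or Camellia-128/-256) comes second is silently dropped."""
    seen = {}
    for s in suites:
        seen.setdefault((s.kex, s.sig, s.cipher, s.mac), s)
    return list(seen.values())


def fixed_ordering(suites):
    """After the fix: key length is part of identity and the longer key sorts
    first among otherwise equal suites.  Signed ephemeral suites ahead of the
    rest is this example's choice, not the commit's rule."""
    uniq = {(s.kex, s.sig, s.cipher, s.keylen, s.mac): s for s in suites}
    return sorted(uniq.values(),
                  key=lambda s: (0 if s.sig and s.kex in ("DH", "ECDH") else 1,
                                 -s.keylen, s.name))


def server_choose(offered_codes, policy=DEFAULT_POLICY):
    """First policy-allowed suite in server preference order that the client
    offered, or None when nothing acceptable is left (e.g. a MITM stripped the
    ClientHello down to anon DH)."""
    offered = set(offered_codes)
    for s in fixed_ordering(SUITES):
        if s.code in offered and allowed_by_policy(s, policy):
            return s
    return None
```

The policy check is the part worth lifting into real code: "has no certificate signature" is the wrong test for "anonymous", because it lumps PSK and SRP in with DH_anon and ECDH_anon, and the two groups have completely different trust properties.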
* 2012-01-28  lloyd  (104 files, -4792/+9200)
  propagate from branch 'net.randombit.botan' (head 3f6b267bc00d2da1b5d36ca2215c3e1b6a40e796) to branch 'net.randombit.botan.tls-state-machine' (head 7df407e6678bd51328c348fd2a665f20fb22d62d)
* 2012-01-28  lloyd  (2 files, -12/+27)
  Add anon SRP ciphersuites to the list, add missing _CBC on the existing enum values.