Commit message | Author | Age | Files | Lines

* Use a special case for odd moduli in inverse_mod with close to double performance.
  lloyd | 2012-06-17 | 1 | -1/+51

* inverse_mod - avoid mutable zero_bits, avoid making needless copies of the arguments
  lloyd | 2012-06-17 | 1 | -11/+12

* Put an upper bound on the blinding value to 160 bits. This seems to be plenty sufficient, and reduces the overhead of setting up the blinder (in terms of exponent size and the cost of computing modular inverses).
  lloyd | 2012-06-17 | 4 | -4/+4

* m_ namespace member vars
  lloyd | 2012-06-15 | 2 | -44/+42

* Index, comments, name vars in headers
  lloyd | 2012-06-15 | 3 | -5/+15

* Computing the Montgomery parameter can be done much cheaper because we only need the low word of the result. Credits to HAC, somehow I missed that this was possible. This helps especially when a program does a lot of setups, so the improvement is only minor on the benchmark but fairly huge for asio_tls_server.
  lloyd | 2012-06-15 | 1 | -3/+4

* Fix X509_Certificate::operator<. It was comparing by calling to_string on each and comparing that. However that is very expensive (lots of formatting) and doesn't even work that well because to_string skips over a lot of information. Instead, compare the tbs bits directly which is both much faster and more accurate. Add a new X509_Certificate::fingerprint which returns a fingerprint compatible at least with what OpenSSL does.
  lloyd | 2012-06-14 | 2 | -6/+28

* Profiling with valgrind shows that the 2**16 iteration for finding ciphersuites was actually a substantial hit on handshakes. Add a new function TLS::Ciphersuite::all_known_ciphersuites which will do this once and cache it for future use.
  lloyd | 2012-06-14 | 5 | -116/+139

* Reformat output on the TLS client on handshake completion. In ASN.1 print values as URL % escaped instead of all hex.
  lloyd | 2012-06-13 | 4 | -23/+49

* Add support (decoding only) for the CRL Distribution Point extension.
  lloyd | 2012-06-13 | 8 | -32/+156

* Truncate passwords to 55 characters instead of throwing an exception. This matches the behavior of other bcrypt implementations.
  lloyd | 2012-06-13 | 1 | -2/+2

* We would fail in the case where we connected to a server that did not support secure renegotiation, and then a renegotiation occurred (either due to explicit request by a call to renegotiate, or if the counterparty sent a hello request and our policy allowed insecure renegotiations), because supported() would be false but our client hello would still contain the renegotiation extension. Instead, only break if the client hello doesn't support it but supported() == true, which indicates that at one point in the past both parties supported the extension.
  lloyd | 2012-06-13 | 1 | -1/+1

* Fix westmere GCC builds
  lloyd | 2012-06-13 | 1 | -1/+1

* Allow x86-32 asm with clang. Compiles fine, though I cannot test as I only have a 64-bit libc++.
  lloyd | 2012-06-12 | 1 | -0/+1

* Update what() signature on exception types
  lloyd | 2012-06-12 | 3 | -3/+3

* Fixes for the change to using std::vector in x86-32 specific code (relying on implicit pointer conversions). Also, change Serpent::set_round_keys (used by the x86-32 asm version) to assign() the values instead of copying, as we rely on the key schedule to allocate the key values now to minimize memory waste.
  lloyd | 2012-06-12 | 4 | -7/+11

* Compile fix
  lloyd | 2012-06-11 | 1 | -1/+1

* Avoid integer overflows in calls to the mlock allocator, changing the interface to more of a calloc style. Alignment remains set to the underlying type size. Increase the maximum mlock size to 512 KB.
  lloyd | 2012-06-11 | 3 | -20/+44

* Generate new session IDs in the same format as hello randoms, with the first 4 bytes a timestamp. Conveniently this means removing the lexicographically first session id from a cache is removing the oldest session.
  lloyd | 2012-06-10 | 2 | -3/+3

* Add Handshake_Type codes for RFC 6066 handshake types. Change the switch in bitmask_for_handshake_type to not have a default: branch, so GCC can warn if we are missing a type. Instead throw if the switch failed to return.
  lloyd | 2012-06-10 | 2 | -19/+27

* A fix for bug 191, that we were not preventing resumption of sessions in the case of a fatal alert, as required by section 7.2.2 of RFC 5246. Resolve this by storing the currently active session in Channel. Whenever we send or receive a fatal alert, tell the session manager to forget about that session. This still doesn't strictly meet the requirement for servers, as a session ticket is not invalidated and could later be reused. A conforming client would forget the whole session including the ticket, but that is assuming the attacker wouldn't prevent delivery of the alert message. However it would be difficult for the server to meet this requirement without per-ticket keys or keeping state about which tickets should not be resumable, both of which are stupid given the whole point of session tickets is that it allows resumption without server side state. OpenSSL also seems to allow resumption of sessions ending in a fatal alert when resumed through a ticket.
  lloyd | 2012-06-09 | 6 | -63/+85

* Avoid a spurious unrecognized_name alert when a server is running in pure anon mode and the client sent a SNI extension.
  lloyd | 2012-06-09 | 1 | -1/+10

* m_ namespace Channel, Client, and Server. Fix printing of Camellia ciphersuites.
  lloyd | 2012-06-09 | 6 | -378/+378

* Use initializer lists here, much cleaner
  lloyd | 2012-06-09 | 1 | -53/+44

* Update copyright for 2012. In the disclaimer text, replace "AUTHOR(S)" and "AUTHOR(S) OR CONTRIBUTOR(S)" with "COPYRIGHT HOLDERS AND CONTRIBUTORS" and "COPYRIGHT HOLDER OR CONTRIBUTORS", resp. I thought in 38051c192886db139918c59d31c2e1faa9ea8cee I had made the license totally identical with the official BSD-2 text, however clearly I originally got the disclaimer text from somewhere else. Reindent.
  lloyd | 2012-06-09 | 1 | -16/+15

* A fix for bug 192. First, when renegotiating in the client, attempt to renegotiate using our currently negotiated version instead of our preferred version. It turns out that neither OpenSSL nor GnuTLS like clients changing the version between negotiations, both send a protocol_version alert. So we probably want to avoid doing that. On the server side, handle a client sending inconsistent versions as best we can. If the client attempts to renegotiate a session using a later version, return a server hello with their original version (this is what OpenSSL does). If they attempt to renegotiate using an earlier version, send a fatal alert and close the connection, since this seems like a dubious thing to do. Also, fix the situation where we as a TLS v1.0 server (because of configuration) are talking to a TLS v1.2 client. We would still use their signature_algorithms extension and send a SHA-256 (or whatever) signature!
  lloyd | 2012-06-09 | 11 | -72/+99

* Make a proper wrapper in util for SQLite3, update the TLS session manager to use it. Add --with-sqlite to configure.py
  lloyd | 2012-06-08 | 7 | -171/+255

* Move to -O3 with Clang. s/c++0x/c++11/
  lloyd | 2012-06-08 | 1 | -2/+2

* Invert the policy setting as I think it makes it more obvious that enabling this is a bad idea.
  lloyd | 2012-06-08 | 3 | -7/+7

* Fix extension testing (bug 193)
  lloyd | 2012-06-08 | 1 | -1/+1

* Update cms, cvc, zlib, bzip2, openssl, and gnump modules for the new allocator interface. The compression filters now just use malloc/free with a memset. Add a new info.txt field <warning>, like comment but warns. Use for CMS which is pretty broken (doesn't even compile anymore), and for TLS.
  lloyd | 2012-06-07 | 30 | -179/+209

* Report what we have already received on an unexpected state transition. That will come in handy someday. Allow the server to skip sending a session ticket. GnuTLS seems prone to offering it even if it doesn't have a key handy. Fix vector/secure_vector conversions in the SQLite session manager.
  lloyd | 2012-06-07 | 3 | -9/+11

* Cleanup, m_ namespace Secure_Renegotiation_State
  lloyd | 2012-06-07 | 3 | -26/+28

* Clients sending a SSLv2 hello would cause an internal failure because choose_sig_format assumed Client_Hello::supported_algos would always return something. For SSLv2 hellos, always set it to the default values. Noticed with OpenSSL 0.9.7m. If a client attempts renegotiation but does not have a secure renegotiation, only continue if policy allows it. Otherwise send a no_renegotiation alert (what exactly servers are supposed to do is not really made obvious by the RFC but this seems like reasonable behavior).
  lloyd | 2012-06-07 | 2 | -2/+25

* Fix for DHE, strip_leading_zeros always took off the last byte
  lloyd | 2012-06-06 | 1 | -1/+1

* Modify DL_Group::PEM_decode and BER_decode to take values instead of DataSource&. Remove spurious DataSource_Memory from ec_group.cpp. Some indent fixes.
  lloyd | 2012-06-05 | 6 | -21/+19

* Add assert_done checks here to help avoid interesting substitution attacks and in general detect invalid messages.
  lloyd | 2012-06-05 | 2 | -0/+4

* Always print the include dir as we are never in the default path anymore.
  lloyd | 2012-06-05 | 1 | -4/+1

* Wrong OID name
  lloyd | 2012-06-01 | 1 | -1/+1

* Missing source file from d8021f3e5aa8812a2843d6afd27bbe56d04af734
  lloyd | 2012-06-01 | 1 | -0/+44

* Drop some deprecated functions
  lloyd | 2012-06-01 | 7 | -224/+0

* Various examples fixes, most notably updating cert_verify to the new API
  lloyd | 2012-05-31 | 5 | -16/+26

* Allow arbitrary ciphers and hashes with PKCS #5 v2.0. The only requirement is that OIDs for "<cipher>/CBC" and "HMAC(<hash>)" are defined. This does assume the normal parameter set of just the IV, so doesn't work right for (IIRC) RC5, but we don't have an OID set for RC5/CBC anyway. Continue to default to SHA-1 plus AES-256 as prior versions of the library can't handle any hashes other than SHA-1 or any ciphers other than AES or DES. OpenSSL 1.0.0j seems to understand SHA-256 + AES-256, though. BER_Decoder::decode_optional was assuming optional values were explicitly tagged. Now, only take that behavior if the input class tag was for a context specific tagging. Remove abort call for debugging from BER_Decoder. Add a new version of DER_Encoder::encode_if for single objects.
  lloyd | 2012-05-31 | 8 | -61/+45

* Add new PBKDF interface that takes a std::chrono::milliseconds and runs the KDF until at least that much time has passed, then returns the number of iterations used. New parameter to the PKCS8 encryption routines which tells how long to run the PBKDF. Defaults to 200 milliseconds, which is short enough that it is unlikely to bother anyone but long enough to provide quite reasonable security against cracking attacks. On a Core i7-860, 200 ms with PBKDF2/SHA-1 runs about 180K to 220K iterations (compare with previous default of 10K). New PBE interface, remove new_params/set_key and require all inputs including the passphrase to be passed to the constructor. Drop the PGP S2K as it is pretty weird and not really useful outside of a full PGP implementation. Drop the deprecated PKCS8::encrypt_key and PKCS8::encode functions.
  lloyd | 2012-05-31 | 19 | -455/+373

* Fix examples building
  lloyd | 2012-05-30 | 1 | -2/+2

* Target GCC 4.7.0 by default
  lloyd | 2012-05-30 | 1 | -2/+2

* Use libc++ with Clang by default as libstdc++ and Clang don't play well together in C++11 mode.
  lloyd | 2012-05-30 | 1 | -1/+1

* Call clear_mem instead of memset directly
  lloyd | 2012-05-30 | 2 | -6/+7

* Support for the authority information access extension, limited to only grabbing type 6 (URL) values for OCSP which is likely the only thing it's ever used for. Expose the value with new function X509_Certificate::ocsp_responder
  lloyd | 2012-05-27 | 5 | -1/+86

* Add an X509_Certificate::allowed_usage for extended constraints. Check that whatever certificate we got is allowed to sign OCSP responses. Add another helper function BER_Decoder to try to handle the ASN.1 mess.
  lloyd | 2012-05-27 | 5 | -51/+64