path: root/doc/manual/tls.rst
* Merge GH #872 Add ability for TLS servers to prohibit renegotiation (Jack Lloyd, 2017-09-19; 1 file, -0/+8)
  * Add TLS::Policy::allow_client_initiated_renegotiation (Jack Lloyd, 2017-02-19; 1 file, -0/+8)
    Parallel of the server policy flag.
* Add documentation that SNI must be FQDN. (Alexander Bluhm, 2017-03-27; 1 file, -0/+4)
  server_info parameter of TLS::Client must not be an IP address.
* Fix the default value (2048) of minimum_dh_group_size in the documentation (louiz’, 2017-03-07; 1 file, -1/+1)
* Add minimal example code to tls handbook (René Korthaus, 2017-02-13; 1 file, -2/+237)
* Add note about CECPQ1 in TLS manual (Jack Lloyd, 2016-12-28; 1 file, -0/+16)
  [ci skip]
* Update tls_verify_cert_chain docs to reflect OCSP stapling changes (Jack Lloyd, 2016-12-04; 1 file, -5/+19)
  GH #755 [ci skip]
* Document TLS::Policy::require_cert_revocation_info (Jack Lloyd, 2016-11-28; 1 file, -0/+20)
* Address review comments from @cordney (Jack Lloyd, 2016-11-25; 1 file, -2/+2)
  Primarily doc updates but also expose some more logic in PKIX namespace, overall_status and merge_revocation_status. This allows calling more or less all of the logic used by the monolithic x509_path_validate in any way needed by an application.

  Add Certificate_Store_In_Memory::add_crl variant taking shared_ptr

  Add optional Certificate_Store_In_Memory* pointer to check_crl_online, valid CRLs are saved there.
* Move TLS cert verification callback from Credentials_Manager to TLS::Callbacks (Jack Lloyd, 2016-11-23; 1 file, -2/+28)
  It is the only function in C_M which is called on to process session-specific (and adversarially provided) inputs, rather than passively returning some credential which is typically not session specific.
* Order default TLS ECC curve preferences by performance (Jack Lloyd, 2016-11-19; 1 file, -2/+3)
  Moves x25519 to the front for best by-default side channel resistance, and orders remaining NIST/BP curves by performance rather than size. That means putting P-521 before P-384, since P-521 is much faster at least in Botan (due to much simpler modular reduction for P-521 prime), and Brainpools to the end due to being quite slow (no fast reductions).

  All of the supported curves seem strong enough, and if someone can break P-256 they can probably break P-384 as well so there doesn't seem much advantage in preferring slower curves by default.
* Add CECPQ1 TLS ciphersuites (Jack Lloyd, 2016-11-17; 1 file, -2/+2)
  Tested against BoringSSL (as client + server) and google.com (as client).

  Fix a stupid crashing bug in NewHope's BoringSSL mode.

  Remove unneeded error return from curve25519_donna - always returned 0.

  Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which means the default no-extra-configuration ciphersuite (for Botan client speaking to Botan server) is a ciphersuite which is both implemented in constant time on all platforms and (hopefully) provides post quantum security. Good Things.
* Change TLS default policy to disable DSA, CCM-8, and static RSA (Jack Lloyd, 2016-11-02; 1 file, -18/+60)
  Disables static RSA by default. The advantage here is twofold: enforcing forward security and protecting TLS servers from oracle attacks since by default they will never negotiate a suite which forces them to act as a decryption oracle. Some applications/users may be forced to enable RSA in order to speak with old or misconfigured peers, but these can be the exception not the default.

  Disable DSA and CCM-8 by default: if you need to enable these things, you know it.

  Adds TLS policy hooks to enforce DSA key sizes, default 2048 bits.

  Remove an incorrect warning about DTLS in the manual; the sequence number window check prevents this scenario from occurring.
* Merge GH #673 X25519 TLS key exchange (Jack Lloyd, 2016-10-24; 1 file, -1/+1)
  * X25519 key exchange for TLS (Jack Lloyd, 2016-10-21; 1 file, -1/+1)
    Client interops with google.com, server not tested against an independent client yet.
* Build the docs during CI (Jack Lloyd, 2016-10-22; 1 file, -3/+3)
  Fix various doc building problems/warnings.
* Update manual (René Korthaus, 2016-10-03; 1 file, -0/+13)
* Add a Callbacks function for ALPN (Jack Lloyd, 2016-08-16; 1 file, -14/+30)
* Changes to TLS::Callbacks for GH PR #457 (Jack Lloyd, 2016-08-16; 1 file, -76/+68)
  Make TLS::Channel::m_callbacks a reference, so deriving from TLS::Callbacks works

  Split out the compat (std::function) based interface to Compat_Callbacks. This avoids the overhead of empty std::functions when using the virtual interface, and ensures the virtual interface works since there is no callback path that does not involve a vtable lookup.

  Rename the TLS::Callback functions. Since the idea is that often an owning class will pass *this as the callbacks argument, it is good to namespace the virtual functions so as not to conflict with other names chosen by the class. Specifically, prefixes all cb functions with tls_

  Revert changes to use the old style alert callback (with no longer used data/len params) so no API changes are required for old code. The new Callbacks interface continues to just receive the alert code itself.

  Switch to virtual function interface in CLI tls_client for testing.

  Inline tls_server_handshake_state.h - only used in tls_server.cpp

  Fix tests - test looked like it was creating a new client object but it was not actually being used. And when enabled, it failed because the queues were not being emptied in between. So, fix that.
* Fix formatting bugs in TLS doc (Jack Lloyd, 2016-04-13; 1 file, -11/+6)
  Fixes GH #460
  Closes GH #474
  [ci skip]
* Remove support for TLS v1.2 MD5 and SHA-224 signatures. (Jack Lloyd, 2016-03-17; 1 file, -7/+4)
  Remove support for weak ECC curves (anything under P-256) from TLS. This includes secp256k1 since we don't take advantage of the special form for any performance advantage; might as well use P-256.

  The manual still mentioned that it was possible to use MD5 in Policy::allowed_macs, but all HMAC-MD5 suites are already removed.
* Misc doc updates (Jack Lloyd, 2016-01-04; 1 file, -0/+7)
  [ci skip]
* Replace path src/cmd/ by new src/cli/ in documentation (Simon Warta, 2015-12-11; 1 file, -4/+2)
  Closes #356.
  [ci skip]
* Add TLS_PSK tests (Jack Lloyd, 2015-11-13; 1 file, -1/+2)
  Fix a bug which rejected any short server key exchanges. These can occur with a plain PSK with short or empty identity hints.

  Disable SHA-224 by default.

  Remove some vestigial RC4 cruft.

  Push more on the TLS corruption tests.
* Merge pull request #314 from randombit/ct-tls-cbc-padding (Jack Lloyd, 2015-10-26; 1 file, -2/+4)
  TLS improvements
  * TLS improvements (Jack Lloyd, 2015-10-25; 1 file, -2/+4)
    Use constant time operations when checking CBC padding in TLS decryption

    Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes from working: on decode the session id and hello cookie would be swapped, causing confusion between client and server.

    Various changes in the service of finding the above DTLS bug that should have been done before now anyway - better control of handshake timeouts (via TLS::Policy), better reporting of handshake state in the case of an error, and finally expose the facility for per-message application callbacks.
* Remove redundant function definitions from docs (Simon Warta, 2015-10-20; 1 file, -10/+0)
  [ci skip]
* Make Version_Code an enum type for documentation (Simon Warta, 2015-10-20; 1 file, -1/+1)
  Confirm http://sphinx-doc.org/domains.html#directive-cpp:enum-struct
  [ci skip]
* Update TLS::Client constructor documentation (Simon Warta, 2015-10-20; 1 file, -13/+14)
  [ci skip]
* Update TLS::Server signature in docs (Simon Warta, 2015-10-20; 1 file, -14/+15)
  [ci skip]
* Fix typos (Simon Warta, 2015-07-24; 1 file, -1/+1)
  Thanks to @vlajos https://github.com/vlajos/misspell_fixer
* Remove RC4 (and all support for stream ciphers) from TLS (lloyd, 2015-05-15; 1 file, -2/+2)
* Add ALPN (RFC 7301) and remove NPN (lloyd, 2015-03-20; 1 file, -22/+17)
* Doc updates (lloyd, 2015-02-28; 1 file, -0/+3)
* Add typedefs for function signatures/types used in TLS for easier reading (lloyd, 2015-01-27; 1 file, -31/+37)
* Add Strict_Policy. Disable server initiated renegotiation by default. (lloyd, 2015-01-23; 1 file, -5/+8)
* Update TLS OCB ciphersuites to match draft-zauner-tls-aes-ocb-00 (lloyd, 2015-01-21; 1 file, -0/+3)
  and enable them in the default build, though still not enabled in the runtime policy.
* Remove SSLv3 and handling of SSLv2 client hellos. (lloyd, 2015-01-11; 1 file, -22/+15)
* Convert the asio server from a weird example server to a generic proxy server. (lloyd, 2015-01-10; 1 file, -7/+3)
* Change TLS session encryption to use AES-256/GCM instead of CBC+HMAC (lloyd, 2015-01-08; 1 file, -3/+5)
* Add DTLS-SRTP key establishment from RFC 5764 (required for WebRTC). (lloyd, 2015-01-04; 1 file, -4/+5)
  Github issue 27.

  Refactor server hello handling to make it easier to handle other extensions.

  The manual specified that 224 bit NIST primes were disabled by default for TLS but they were not. Additionally disable the 256k1 curve and reorder the remaining curves by size.

  Rewrite the max fragment length extension code to roughly what an ideal compiler would have turned the original code into, using a switch instead of a lookup into a small constant std::map.
* Add ChaCha20Poly1305 TLS ciphersuites compatible with Google's implementation (lloyd, 2014-12-31; 1 file, -9/+10)
* Update TLS doc (lloyd, 2014-12-20; 1 file, -11/+26)
* Make the connection between calling TLS::Channel::send and a new wire record being created more clear. (lloyd, 2014-12-13; 1 file, -3/+9)
* A TLS Server can now process either TLS or DTLS but not either, with the setting set in the constructor. This prevents various surprising things from happening to applications and simplifies record processing. (lloyd, 2014-11-15; 1 file, -7/+12)
* Correct documentation (lloyd, 2014-10-14; 1 file, -1/+1)
* Some documentation updates WRT DTLS and X.509 cert path processing (lloyd, 2014-10-06; 1 file, -11/+14)
* Split up docs into the reference manual, the website, and everything else. (lloyd, 2014-01-10; 1 file, -0/+753)
  Add `website` target to makefile.

  Some progress towards fixing minimized builds. TLS now hard requires ECDSA and GCM since otherwise a minimized build has only insecure options.

  Remove boost_thread dependency in command line tool