path: root/src/cli
Commit message (Author, Age, Files, Lines)
* Add tls_ciphers command (Jack Lloyd, 2016-12-28, files: 1, lines: -0/+123)
|   Lists ciphersuites that will be sent for a particular policy/version.
* Fix XMSS speed command (Jack Lloyd, 2016-12-24, files: 1, lines: -4/+6)
|
* Add DL_Group tests (Jack Lloyd, 2016-12-23, files: 1, lines: -1/+1)
|   Fix a bug in how the 6144 and 8192 IETF MODP groups were encoded; they have g and q values switched. Fixed by just switching the PEM header to match the actual encoded format.
|   Rename DL_Group::X942_DH_PARAMETERS to ANSI_X9_42_DH_PARAMETERS to avoid a macro conflict with Windows cryptography headers (GH #482)
* Document TLS::Policy::require_cert_revocation_info (Jack Lloyd, 2016-11-28, files: 1, lines: -1/+2)
|
* Add OCSP stapling support to TLS client (Jack Lloyd, 2016-11-26, files: 1, lines: -2/+5)
|
* Merge GH #653 OCSP and X.509 path validation refactor (Jack Lloyd, 2016-11-25, files: 3, lines: -21/+38)
|\
| |   Splits up path validation into several sub-functions for easier testing and creating customized validation code. Much improved OCSP handling and OCSP tests.
| * Add TLS::Policy::minimum_signature_strength (Jack Lloyd, 2016-11-25, files: 1, lines: -2/+3)
| |   Changes TLS callback API for cert verify to accept Policy&
| |   Sets default signature strength to 110 to force RSA ~2048.
| * Report OCSP status in tls_client (Jack Lloyd, 2016-11-23, files: 1, lines: -0/+7)
| |
| * Move TLS cert verification callback from Credentials_Manager to TLS::Callbacks (Jack Lloyd, 2016-11-23, files: 2, lines: -18/+26)
| |   It is the only function in C_M which is called on to process session-specific (and adversarially provided) inputs, rather than passively returning some credential which is typically not session specific.
| * Refactor X.509 path validation (Jack Lloyd, 2016-11-23, files: 1, lines: -3/+4)
| |   Splits path building, path validation, CRL checks, and OCSP checks into distinct functions in namespace PKIX. The previous path validation APIs remain. Fixes to OCSP to store more information and to handle modern OCSP setups in at least some situations.
* | Make XMSS more friendly about invalid params. (Jack Lloyd, 2016-11-25, files: 1, lines: -1/+2)
|/
|   Previously just throw an exception from map.at
|   Add an XMSS keygen test, and add default params for create_private_key
* TLS CBC functionality now exposed to the library developer. Useful for direct TLS CBC testing. (Juraj Somorovsky, 2016-11-19, files: 1, lines: -20/+31)
|   CLI TLS server now catches an exception if an invalid connection is received (Otherwise, the server always stopped working)
* Add CECPQ1 TLS ciphersuites (Jack Lloyd, 2016-11-17, files: 1, lines: -1/+1)
|   Tested against BoringSSL (as client + server) and google.com (as client).
|   Fix a stupid crashing bug in NewHope's BoringSSL mode.
|   Remove unneeded error return from curve25519_donna - always returned 0.
|   Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which means the default no-extra-configuration ciphersuite (for Botan client speaking to Botan server) is a ciphersuite which is both implemented in constant time on all platforms and (hopefully) provides post quantum security. Good Things.
* Fix TLS client next protocol handling (Jack Lloyd, 2016-11-16, files: 1, lines: -1/+2)
|   [ci skip]
* Basic speed test for XMSS (Jack Lloyd, 2016-11-12, files: 1, lines: -0/+34)
|
* Add SHAKE-128 and SHAKE-256 as hash functions (Jack Lloyd, 2016-11-10, files: 1, lines: -7/+7)
|
* Remove remaining old style casts. (Jack Lloyd, 2016-11-09, files: 2, lines: -6/+5)
|   Still not a hard error even in maintainer mode because sometimes system headers pull in C style casts via macros (eg MAP_FAILED). But, it not being a hard error makes it easy to backslide.
* Add ec_group_info cmdlet (Jack Lloyd, 2016-11-06, files: 1, lines: -0/+35)
|
* Merge GH #696 Add ECKCDSA and ECGDSA speed tests (Jack Lloyd, 2016-10-30, files: 1, lines: -0/+62)
|\
| * Add speedtests for ECKCDSA and ECGDSA (Never, 2016-10-30, files: 1, lines: -0/+62)
| |
* | Fix crash when default IV is empty. GH #697 (Jack Lloyd, 2016-10-30, files: 1, lines: -1/+2)
|/
* Remove HMAC_RNG, X9.31-RNG, BeOS stats, EGD reader, Unix process runner (Jack Lloyd, 2016-10-28, files: 1, lines: -17/+0)
|   Change AutoSeeded_RNG to use SHA-384, SHA-256, SHA-3(256), or SHA-1, whichever is available (in that order).
* Initialize member variable (Coverity find) (Jack Lloyd, 2016-10-22, files: 1, lines: -1/+1)
|
* Add create_private_key, expose key loading functions in pk_algs.h (Jack Lloyd, 2016-10-20, files: 2, lines: -84/+11)
|
* cli: Add dl_group_info cmdlet (Jack Lloyd, 2016-10-20, files: 1, lines: -0/+24)
|
* Add OS2ECP benchmark. (Jack Lloyd, 2016-10-13, files: 1, lines: -0/+36)
|   Turns out decompressing a point is ~50x slower than checking (x,y) is on the curve. Update relnote accordingly.
* Revert PK_Verifier change (don't require RNG there). (Jack Lloyd, 2016-10-07, files: 2, lines: -2/+2)
|   Verification is deterministic and public, so really no RNG is ever needed.
|   Change provider handling - accepts "base", "openssl", or empty, otherwise throws a Provider_Not_Found exception.
* Remove Algo_Registry usage from public key code. (Jack Lloyd, 2016-10-07, files: 3, lines: -11/+11)
|   Instead the key types expose operations like `create_encryption_op` which will return the relevant operation if the algorithm supports it.
|   Changes pubkey.h interface, now RNG is passed at init time.
|   Blinder previously created its own RNG, now it takes it from app.
* Have cli cert_info parse multiple certs from file (Jack Lloyd, 2016-10-02, files: 1, lines: -3/+25)
|
* Remove unused variable (Jack Lloyd, 2016-09-28, files: 1, lines: -2/+0)
|   [ci skip]
* Merge GH #634 Correctly detect self-signed certs (Jack Lloyd, 2016-09-24, files: 1, lines: -4/+12)
|\
| * Make cli sign_cert key pass param optional (René Korthaus, 2016-09-23, files: 1, lines: -4/+12)
| |
* | Maintainer mode fixes. (Jack Lloyd, 2016-09-21, files: 1, lines: -1/+1)
|/
|   Mostly unused args and missing override notations.
|   Fix DH - load_check calls were commented out for debugging.
* Merge GH #613 NewHope R-LWE key exchange (Jack Lloyd, 2016-09-05, files: 1, lines: -0/+77)
|\
| * Newhope is really limited by RNG speed. (Jack Lloyd, 2016-08-30, files: 1, lines: -5/+33)
| |   4x-8x overall speedup switching from HMAC_DRBG to ChaCha20
| * Add NEWHOPE KEM scheme (Jack Lloyd, 2016-08-30, files: 1, lines: -0/+49)
| |   Provides conjectured 200-bit security against a quantum attacker.
| |   Based on the public domain reference implementation at https://github.com/tpoeppelmann/newhope and bit-for-bit compatible with that version.
| |   Test vectors generated by the reference testvector.c
* | Merge GH #616 ChaCha SSE2 optimizations (Jack Lloyd, 2016-09-05, files: 1, lines: -2/+3)
|\ \
| * | 4x interleaved SSE2 (Jack Lloyd, 2016-09-01, files: 1, lines: -2/+3)
| | |
* | | Remove deprecated Nyberg-Rueppel and Rabin-Williams signatures (Jack Lloyd, 2016-09-02, files: 1, lines: -2/+0)
|/ /
* | Merge master into this branch, resolving conflicts with #457/#576 (Jack Lloyd, 2016-08-31, files: 6, lines: -67/+136)
|\ \
| | |   which recently landed on master.
| * | Maintainer mode fixes (Jack Lloyd, 2016-08-31, files: 1, lines: -2/+2)
| | |
| * | Fix another unused variable warning (Jack Lloyd, 2016-08-31, files: 1, lines: -1/+1)
| | |
| * | Merge GH #567/GH #457 TLS refactoring and Callbacks interface (Jack Lloyd, 2016-08-31, files: 2, lines: -31/+25)
| |\ \
| | * | Changes to TLS::Callbacks for GH PR #457 (Jack Lloyd, 2016-08-16, files: 3, lines: -39/+28)
| | | |   Make TLS::Channel::m_callbacks a reference, so deriving from TLS::Callbacks works
| | | |
| | | |   Split out the compat (std::function) based interface to Compat_Callbacks. This avoids the overhead of empty std::functions when using the virtual interface, and ensures the virtual interface works since there is no callback path that does not involve a vtable lookup.
| | | |
| | | |   Rename the TLS::Callback functions. Since the idea is that often an owning class will pass *this as the callbacks argument, it is good to namespace the virtual functions so as not to conflict with other names chosen by the class. Specifically, prefixes all cb functions with tls_
| | | |
| | | |   Revert changes to use the old style alert callback (with no longer used data/len params) so no API changes are required for old code. The new Callbacks interface continues to just receive the alert code itself.
| | | |
| | | |   Switch to virtual function interface in CLI tls_client for testing.
| | | |
| | | |   Inline tls_server_handshake_state.h - only used in tls_server.cpp
| | | |
| | | |   Fix tests - test looked like it was creating a new client object but it was not actually being used. And when enabled, it failed because the queues were not being emptied in between. So, fix that.
| | * | Removed TLS::Session::Properties (Matthias Gierlings, 2016-06-19, files: 1, lines: -4/+3)
| | | |   - Removed proposed wrapper class to logically group TLS session properties.
| | * | Compatibility patch for TLS::Callback interface (Matthias Gierlings, 2016-06-19, files: 1, lines: -2/+2)
| | | |   - Added legacy constructor support for TLS::Channel, TLS::Client, TLS::Server.
| | * | Added virtual Callback Interface (Matthias Gierlings, 2016-06-19, files: 2, lines: -2/+2)
| | | |   - extracted inner class TLS::Channel::Callbacks to stand-alone class TLS::Callbacks.
| | | |   - provided default implementations for TLS::Callbacks members executing calls to std::function members for backward compatibility.
| | | |   - applied changes to cli, tests and TLS::Channel related classes to be compatible with new interface.
| | * | Implemented Feedback on GH #457 (Matthias Gierlings, 2016-06-19, files: 3, lines: -5/+5)
| | | |   - Removed deprecated TLS-Alert-Callback parameters.
| | | |   - Fixed improper naming of accessor for ALPN-Strings in tls_client.h
| | | |   - Fixed erroneous indentation on Ciphersuite Constructor.
| | * | Fix For Travis CI build errors on Mac-Systems. (Matthias Gierlings, 2016-06-19, files: 1, lines: -2/+2)
| | | |   - Corrected TLS::Server constructor call in CLI TLS-Proxy.
| | * | Reduction of code complexity in TLS classes. (Matthias Gierlings, 2016-06-19, files: 3, lines: -11/+17)
| | | |   -reduced number of parameters in various methods
| | | |   -reduced cyclomatic complexity (McCabe-Metric)
| | | |   -removed "TLSEXT_HEARTBEAT_SUPPORT" from tls_extensions.h (leftover from heartbeat extension removal?)