path: root/src/lib/tls/msg_client_hello.cpp
Commit log for this file. Each entry gives the commit message, then (author, date; files changed, lines removed/added).
* Make exceptions easier to translate to error codes (Jack Lloyd, 2018-11-23; 1 file, -1/+1)
  Avoid throwing base Botan::Exception type, as it is difficult to determine what the error is in that case. Add Exception::error_code and Exception::error_type, which allow (for error code) more information about the error and (for error type) knowing the error type without requiring a sequence of catches. See GH #1742
* Use enums for TLS key exchange group params (Jack Lloyd, 2018-02-13; 1 file, -10/+14)
* Use enums to represent TLS signature and kex algorithms. (Jack Lloyd, 2018-01-28; 1 file, -18/+9)
  Adds support for PSS signatures (currently verifying only).
* Add an examine callback also (Jack Lloyd, 2018-01-27; 1 file, -2/+2)
* Add ability for application to control which TLS extensions are used (Jack Lloyd, 2018-01-27; 1 file, -0/+7)
  GH #1186
* Remove vestigial support for TLS compression (Jack Lloyd, 2018-01-21; 1 file, -5/+2)
  It was never supported and never will be. Removing negotiation entirely simplifies the code a bit.
* Add copyright statements to files modified in the preceding 2 commits (Harry Reimann, 2017-12-04; 1 file, -0/+1)
* Make support for certificate status messages optional via policy (Harry Reimann, 2017-12-04; 1 file, -1/+2)
  Don't postpone the verification of a server certificate if certificate status messages are not expected in client handshake. When using an external crypto device it may be necessary to verify the certificate before using the public key for verification of the signature in the server key exchange message.
* Run TLS hello random fields through SHA-256 (Jack Lloyd, 2017-11-28; 1 file, -1/+7)
  Avoids exposing RNG output on the wire. Cheap precaution.
* Avoid sending OCSP status request on resumption client hello (Jack Lloyd, 2017-10-25; 1 file, -2/+0)
  Causes the connection to break for some servers. Fixes GH #1276.
  Also avoid setting the same extension twice in the initial connection case. The extensions code dedups it so this wasn't a problem, but confusing.
* Add supported groups TLS extension (RFC 7919) (René Korthaus, 2017-10-17; 1 file, -4/+12)
* More include header cleanups (Jack Lloyd, 2017-09-21; 1 file, -0/+1)
* De-inline accessor functions in Client_Hello type (Jack Lloyd, 2017-09-01; 1 file, -0/+111)
  This class is exposed but the extension types aren't, so calls to these functions from outside the library would not link.
* Export tls_messages.h as a public header (René Korthaus, 2016-12-23; 1 file, -1/+4)
  TLS::Callbacks::inspect_handshake_message() allows applications to inspect all handshake messages, but this requires access to the types in tls_messages.h. As a matter of fact, this also exports tls_extensions.h as a public header.
* Convert to using standard uintN_t integer types (Jack Lloyd, 2016-12-18; 1 file, -21/+21)
  Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.
* Add OCSP stapling support to TLS client (Jack Lloyd, 2016-11-26; 1 file, -2/+6)
* Fix incompatibility with (some) common TLS stack (Jack Lloyd, 2016-11-16; 1 file, -8/+8)
  Several sites including oracle.com seem to send extension 11 (point format) even if we (the client) did not send it. Then the handshake fails. To work around this problem, simply always send this extension as the client, instead of only sending it if we wished to support compressed points.
* Fix TLS resumption bugs (Jack Lloyd, 2016-10-27; 1 file, -9/+9)
  The client would attempt to resume a session, even if the session was for a version other than what it wanted to offer. If the server resumed with the original version, the client would then reject the 'incorrect' version. Instead, if the session is for a version other than what we want to offer, just start a fresh handshake.

  Fix resuming in the EtM case - even if the policy says otherwise, always resume EtM sessions as EtM. Servers are required to reject a MtE resumption on an EtM session.

  The new client hello already ordered extensions to prevent an empty extension from ever being last (working around a bug in some dumb stack somewhere), but this was not true for the resume case. Fix that.

  Beef up tests a bit - test ECDSA suites, alerts, and sqlite3 session db. Sharing the session state across all the tests is what tipped me off on the resumption bugs in the first place - as usual, what is not tested does not work correctly.
* Support encoding of supported point formats extension (René Korthaus, 2016-10-03; 1 file, -1/+15)
* Removed redundant check in ClientHello parser (Juraj Somorovsky, 2016-09-30; 1 file, -3/+0)
* TLS Server should respect client signature_algorithms. Stricter TLS hello decoding. (Jack Lloyd, 2016-09-21; 1 file, -13/+27)
  If the client sent a signature_algorithms extension, we should negotiate a ciphersuite in the shared union of the ciphersuite list and the extension, instead of ignoring it. Found by Juraj Somorovsky GH #619

  The TLS v1.2 spec says that clients should only send the signature_algorithms extension in a hello for that version. Enforce that when decoding client hellos to prevent this extension from confusing a v1.0 negotiation.

  TLS v1.2 spec says ANON signature type is prohibited in the signature_algorithms extension in the client hello. Prohibit it.

  Reorder the TLS extensions in the client hello so there is no chance an empty extension is the last extension in the list. Some implementations apparently reject such hellos, even (perhaps especially) when they do not recognize the extension; this bug was mentioned on the ietf-tls mailing list a while back.
* Merge GH #578/#492: TLS EtM extension and new policy toggles (Jack Lloyd, 2016-08-31; 1 file, -0/+6)
* Merge master into this branch, resolving conflicts with #457/#576 (Jack Lloyd, 2016-08-31; 1 file, -11/+10)
  which recently landed on master.
* Encrypt-then-MAC extension (RFC 7366) (Juraj Somorovsky, 2016-05-11; 1 file, -0/+6)
  Introduced a countermeasure against the logjam attack
  Short TLS records (AES-CBC) now return BAD_RECORD_MAC
  Fixed a compatibility problem with OpenSSL and TLS 1.0 (BEAST countermeasure)
* Fix TLS build with SRP6 disabled (Jack Lloyd, 2016-08-31; 1 file, -1/+1)
* Removed Handshake_Info class. (Matthias Gierlings, 2016-06-19; 1 file, -4/+6)
  - Undid changes replacing Handshake_IO, Handshake_Hash with Handshake_Info.
* Reduction of code complexity in TLS classes. (Matthias Gierlings, 2016-06-19; 1 file, -17/+14)
  - reduced number of parameters in various methods
  - reduced cyclomatic complexity (McCabe-Metric)
  - removed "TLSEXT_HEARTBEAT_SUPPORT" from tls_extensions.h (leftover from heartbeat extension removal?)
* Make SRP6 support optional in TLS (Jack Lloyd, 2016-02-07; 1 file, -2/+19)
  Remove SRP_SHA from the default policy, since normal applications do not need it.
  Removes nullptr initializers of unique_ptrs in the Server_Key_Exchange constructor, that's the default unique_ptr already.
* Remove support for the TLS min fragment length extension. (Jack Lloyd, 2016-02-07; 1 file, -3/+0)
* Remove TLS heartbeat support. (Jack Lloyd, 2016-02-07; 1 file, -6/+0)
  The signature of the alert callback remains unchanged to avoid breaking applications, though now the buffer parameter is never set.
* Add extended master secret extension (RFC 7627) to TLS (Jack Lloyd, 2016-01-03; 1 file, -1/+9)
  Interop tested with mbed TLS
* Reroot the exception hierarchy into a toplevel Exception class (Jack Lloyd, 2015-12-11; 1 file, -1/+1)
  As the alternatives are unfortunate for applications trying to catch all library errors, and it seems deriving from std::runtime_error causes problems with MSVC DLLs (GH #340).
  Effectively reverts 2837e915d82e43
* TLS improvements (Jack Lloyd, 2015-10-25; 1 file, -3/+3)
  Use constant time operations when checking CBC padding in TLS decryption

  Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes from working: on decode the session id and hello cookie would be swapped, causing confusion between client and server.

  Various changes in the service of finding the above DTLS bug that should have been done before now anyway - better control of handshake timeouts (via TLS::Policy), better reporting of handshake state in the case of an error, and finally expose the facility for per-message application callbacks.
* lib/tls: Convert &vec[0] to vec.data() (Simon Warta, 2015-06-23; 1 file, -2/+2)
* Add ALPN (RFC 7301) and remove NPN (lloyd, 2015-03-20; 1 file, -6/+6)
* Remove SSLv3 and handling of SSLv2 client hellos. (lloyd, 2015-01-11; 1 file, -51/+2)
* Ensure all files have copyright and license info. (lloyd, 2015-01-10; 1 file, -1/+1)
  Update license header line to specify the terms and refer to the file, neither of which it included before.
* Add DTLS-SRTP key establishment from RFC 5764 (required for WebRTC). (lloyd, 2015-01-04; 1 file, -0/+3)
  Github issue 27.

  Refactor server hello handling to make it easier to handle other extensions.

  The manual specified that 224 bit NIST primes were disabled by default for TLS but they were not. Additionally disable the 256k1 curve and reorder the remaining curves by size.

  Rewrite the max fragment length extension code to roughly what an ideal compiler would have turned the original code into, using a switch instead of a lookup into a small constant std::map.
* Let TLS policy disable putting the timestamp in the hello random fields (lloyd, 2014-11-04; 1 file, -7/+12)
* Typo (lloyd, 2014-11-04; 1 file, -1/+1)
* Add TLS fallback signalling (draft-ietf-tls-downgrade-scsv-00) (lloyd, 2014-10-31; 1 file, -1/+13)
* Have TLS_Data_Reader decoding errors include the actual msg type name (lloyd, 2014-04-12; 1 file, -1/+1)
* Move lib into src (lloyd, 2014-01-10; 1 file, -0/+287)