aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls/tls_client.cpp
Commit message (Collapse)AuthorAgeFilesLines
* Merge master into this branch, resolving conflicts with #457/#576Jack Lloyd2016-08-311-17/+36
|\ | | | | | | which recently landed on master.
| * Changes to TLS::Callbacks for GH PR #457Jack Lloyd2016-08-161-6/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make TLS::Channel::m_callbacks a reference, so deriving from TLS::Callbacks works Split out the compat (std::function) based interface to Compat_Callbacks. This avoids the overhead of empty std::functions when using the virtual interface, and ensures the virtual interface works since there is no callback path that does not involve a vtable lookup. Rename the TLS::Callback functions. Since the idea is that often an owning class will pass *this as the callbacks argument, it is good to namespace the virtual functions so as not to conflict with other names chosen by the class. Specifically, prefixes all cb functions with tls_ Revert changes to use the old style alert callback (with no longer used data/len params) so no API changes are required for old code. The new Callbacks interface continues to just receive the alert code itself. Switch to virtual function interface in CLI tls_client for testing. Inline tls_server_handshake_state.h - only used in tls_server.cpp Fix tests - test looked like it was creating a new client object but it was not actually being used. And when enabled, it failed because the queues were not being emptied in between. So, fix that.
| * Removed Handshake_Info class.Matthias Gierlings2016-06-191-9/+7
| | | | | | | | | | - Undid changes replacing Hanshake_IO, Handshake_Hash with Handshake_Info.
| * Removed TLS::Session::PropertiesMatthias Gierlings2016-06-191-13/+13
| | | | | | | | | | - Removed proposed wrapper class to logically group TLS session properties.
| * Compatibility patch for TLS::Callback interfaceMatthias Gierlings2016-06-191-7/+53
| | | | | | | | | | - Added legacy constructor support for TLS::Channel, TLS::Client, TLS::Server.
| * Added virtual Callback InterfaceMatthias Gierlings2016-06-191-1/+4
| | | | | | | | | | | | | | | | | | - extracted inner class TLS::Channel::Callbacks to stand-alone class TLS::Callbacks. - provided default implementations for TLS::Callbacks members executing calls to std::function members for backward compatibility. - applied changes to cli, tests and TLS::Channel related classes to be compatible with new interface.
| * Implemented Feedback on GH #457Matthias Gierlings2016-06-191-2/+2
| | | | | | | | | | | | - Removed deprecated TLS-Alert-Callback parameters. - Fixed improper naming of accessor for ALPN-Strings in tls_client.h - Fixed erroneous indentation on Ciphersuite Constructor.
| * Reduction of code complexity in TLS classes.Matthias Gierlings2016-06-191-56/+31
| | | | | | | | | | | | | | -reduced number of parameters in various methods -reduced cyclomatic complexity (McCabe-Metric) -removed "TLSEXT_HEARTBEAT_SUPPORT" from tls_extensions.h (leftover from heartbeat extension removal?)
* | Address some issues with PR 492Jack Lloyd2016-08-131-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds copyright notices for Juraj Somorovsky and Christian Mainka of Hackmanit for the changes in 7c7fcecbe6a and 6d327f879c Add Policy::check_peer_key_acceptable which lets the app set an arbitrary callback for examining keys - both the end entity signature keys from certificates and the peer PFS public keys. Default impl checks that the algorithm size matches the min keylength. This centralizes this logic and lets the application do interesting things. Adds a policy for ECDSA group size checks. Increases default policy minimums to 2048 RSA and 256 ECC. (Maybe I'm an optimist after all.)
* | Encrypt-then-MAC extension (RFC 7366)Juraj Somorovsky2016-05-111-0/+2
| | | | | | | | | | | | Introduced a countermeasure against the logjam attack Short TLS records (AES-CBC) now return BAD_RECORD_MAC Fixed a compatibility problem with OpenSSL and TLS 1.0 (BEAST countermeasure)
* | TLS Policy supportChristian Mainka2016-05-031-1/+1
|/ | | | | | | * --policy works for TLS Server and TLS Client * Example policy BSI_TR-02102-2.txt * Fine granular configuration for TLS 1.0, 1.1, 1.2 and DTLS 1.0 and 1.2 * Minimum ecdh and rsa group size
* Check that TLS signature type is accepted by the policy.Jack Lloyd2016-03-061-1/+1
| | | | | | Previously the signature hashes and algos info was used to set the v1.2 signature_algorithms extension, but if the counterparty ignored the extension and sent something else, we wouldn't notice.
* Remaining cppcheck fixes that are not covered by GH #444Daniel Neus2016-03-051-2/+2
|
* Remove support for the TLS min fragment length extension.Jack Lloyd2016-02-071-1/+0
|
* Add extended master secret extension (RFC 7627) to TLSJack Lloyd2016-01-031-1/+2
| | | | Interop tested with mbed TLS
* TLS improvementsJack Lloyd2015-10-251-15/+38
| | | | | | | | | | | | | | Use constant time operations when checking CBC padding in TLS decryption Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes from working: on decode the session id and hello cookie would be swapped, causing confusion between client and server. Various changes in the service of finding the above DTLS bug that should have been done before now anyway - better control of handshake timeouts (via TLS::Policy), better reporting of handshake state in the case of an error, and finally expose the facility for per-message application callbacks.
* Fix invalid iterator use in TLS clientJack Lloyd2015-07-051-1/+1
|
* Add ALPN (RFC 7301) and remove NPNlloyd2015-03-201-51/+12
|
* Remove algo factory, engines, global RNG, global state, etc.lloyd2015-02-041-4/+9
| | | | | | | | | | | | | | | Convert all uses of Algorithm_Factory and the engines to using Algo_Registry The shared pool of entropy sources remains but is moved to EntropySource. With that and few remaining initializations (default OIDs and aliases) moved elsewhere, the global state is empty and init and shutdown are no-ops. Remove almost all of the headers and code for handling the global state, except LibraryInitializer which remains as a compatability stub. Update seeding for blinding so only one hacky almost-global RNG instance needs to be setup instead of across all pubkey uses (it uses either the system RNG or an AutoSeeded_RNG if the system RNG is not available).
* Add typedefs for function signatures/types used in TLS for easier readinglloyd2015-01-271-18/+19
|
* Ensure all files have copyright and license info.lloyd2015-01-101-1/+1
| | | | | Update license header line to specify the terms and refer to the file, neither of which it included before.
* Add DTLS-SRTP key establishment from RFC 5764 (required for WebRTC).lloyd2015-01-041-1/+9
| | | | | | | | | | | | | | Github issue 27. Refactor server hello handling to make it easier to handle other extensions. The manual specified that 224 bit NIST primes were disabled by default for TLS but they were not. Additionaly disable the 256k1 curve and reorder the remaining curves by size. Rewrite the max fragment length extension code to roughly what an ideal compiler would have turned the original code into, using a switch instead of a lookup into a small constant std::map.
* A TLS Server can now process either TLS or DTLS but not either,lloyd2014-11-151-1/+2
| | | | | with the setting set in the constructor. This prevents various surprising things from happening to applications and simplifies record processing.
* Let TLS policy disable putting the timestamp in the hello random fieldslloyd2014-11-041-1/+1
|
* Fix various warnings from VC++ 2014 and add missing includelloyd2014-10-311-0/+1
|
* If the server offers us a SCSV instead of a real ciphersuite send a fatal alertlloyd2014-10-301-0/+6
|
* Specify version number in message when we reject due to policylloyd2014-10-061-1/+2
|
* Verify that the server did not send any extension that the client didn'tlloyd2014-04-111-10/+12
| | | | offer. Previously the client only checked a couple of special cases.
* Guess I won't be needing theselloyd2014-01-181-1/+0
|
* Move lib into srclloyd2014-01-101-0/+530