| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
| |
Closes GH #1833
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- BoGo sends unparseable OCSP responses, so we have to accomodate for
this by delaying decoding until verification and simply ignoring
OCSP responses that we can't parse.
- Check that there is no trailing garbage at the end of various messages.
- Don't send empty SNI
- Check the TLS record header versions (previously ignored)
- For CBC 1/n-1 splitting split every record instead of just first.
I think this is not a problem but it is what BoGo expects.
- New Channel::application_protocol virtual (previously was
implemented on both Client and Server but not shared).
- Changes to resumption version handling.
- Fix server version selection when newer versions are disabled.
New policy hooks added in service of BoGo:
- maximum_certificate_chain_size gives the maximum cert chain in bytes
that we'll accept.
- allow_resumption_for_renegotiation specifies if a renegotiation
attempt can be simply (re-)resumed instead.
- abort_handshake_on_undesired_renegotiation - previously we just
ignored it with a warning alert. Now behavior is configurable.
- request_client_certificate_authentication
- require_client_certificate_authentication
|
|
|
|
|
| |
It thinks the typedefs are "locals" that are being conflicted with,
which seems wrong to me but whatever.
|
|
|
|
| |
Adds support for PSS signatures (currently verifying only).
|
|
|
|
| |
Previously if the policy changed we'd continue to resume. #1431
|
|
|
|
| |
Fixes #1261
|
| |
|
|
|
|
| |
GH #1186
|
|
|
|
|
| |
It was never supported and never will be. Removing negotiation entirely
simplifies the code a bit.
|
| |
|
|
|
|
| |
GH #1303
|
| |
|
|
|
|
|
|
|
|
| |
Don't postpone the verification of a server certificate if certificate
status messages are not expected in client handshake. When using an
external crypto device it may be necessary to verify the certificate
before using the public key for verification of the signature in the
server key exchange message.
|
|
|
|
|
|
|
| |
This was already caught with the policy check later but it's better
to be explicit. (And in theory an application might implement their
policy version check to be "return true", which would lead to us
actually attempting to negotiate SSLv3).
|
|
|
|
|
| |
Done by a perl script which converted all classes to final, followed
by selective reversion where it caused compilation failures.
|
| |
|
|
|
|
|
|
|
| |
TLS::Callbacks::inspect_handshake_message() allows applications
to inspect all handshake messages, but this requires
access to the types in tls_messages.h. As a matter of fact,
this also exports tls_extensions.h as a public header.
|
|
|
|
|
|
| |
Renames a couple of functions for somewhat better name consistency,
eg make_u32bit becomes make_uint32. The old typedefs remain for now
since probably lots of application code uses them.
|
| |
|
|
|
|
|
|
| |
Changes TLS callback API for cert verify to accept Policy&
Sets default signature strength to 110 to force RSA ~2048.
|
|
|
|
|
|
| |
It is the only function in C_M which is called on to process session-specific
(and adversarially provided) inputs, rather than passively returning some credential
which is typically not session specific.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The client would attempt to resume a session, even if the session was
for a version other than what it wanted to offer. If the server
resumed with the original version, the client would then reject the
'incorrect' version. Instead, if the session is for a version other
than what we want to offer, just start a fresh handshake.
Fix resuming in the EtM case - even if the policy says otherwise,
always resume EtM sessions as EtM. Servers are required to reject a
MtE resumption on an EtM session.
The new client hello already ordered extensions to prevent an empty
extension from ever being last (working around a bug in some dumb
stack somewhere), but this was not true for the resume case. Fix that.
Beef up tests a bit - test ECDSA suites, alerts, and sqlite3 session db.
Sharing the session state across all the tests is what tipped me off
on the resumption bugs in the first place - as usual, what is not tested
does not work correctly.
|
|\
| |
| |
| | |
which recently landed on master.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make TLS::Channel::m_callbacks a reference, so deriving from TLS::Callbacks works
Split out the compat (std::function) based interface to Compat_Callbacks.
This avoids the overhead of empty std::functions when using the virtual
interface, and ensures the virtual interface works since there is no
callback path that does not involve a vtable lookup.
Rename the TLS::Callback functions. Since the idea is that often an owning
class will pass *this as the callbacks argument, it is good to namespace
the virtual functions so as not to conflict with other names chosen by
the class. Specifically, prefixes all cb functions with tls_
Revert changes to use the old style alert callback (with no longer used data/len
params) so no API changes are required for old code. The new Callbacks interface
continues to just receive the alert code itself.
Switch to virtual function interface in CLI tls_client for testing.
Inline tls_server_handshake_state.h - only used in tls_server.cpp
Fix tests - test looked like it was creating a new client object but it
was not actually being used. And when enabled, it failed because the queues
were not being emptied in between. So, fix that.
|
| |
| |
| |
| |
| | |
- Undid changes replacing Hanshake_IO, Handshake_Hash with
Handshake_Info.
|
| |
| |
| |
| |
| | |
- Removed proposed wrapper class to logically group TLS session
properties.
|
| |
| |
| |
| |
| | |
- Added legacy constructor support for TLS::Channel, TLS::Client,
TLS::Server.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- extracted inner class TLS::Channel::Callbacks to stand-alone class
TLS::Callbacks.
- provided default implementations for TLS::Callbacks members executing
calls to std::function members for backward compatibility.
- applied changes to cli, tests and TLS::Channel related classes to be
compatible with new interface.
|
| |
| |
| |
| |
| |
| | |
- Removed deprecated TLS-Alert-Callback parameters.
- Fixed improper naming of accessor for ALPN-Strings in tls_client.h
- Fixed erroneous indentation on Ciphersuite Constructor.
|
| |
| |
| |
| |
| |
| |
| | |
-reduced number of parameters in various methods
-reduced cyclomatic complexity (McCabe-Metric)
-removed "TLSEXT_HEARTBEAT_SUPPORT" from tls_extensions.h (leftover
from heartbeat extension removal?)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Adds copyright notices for Juraj Somorovsky and Christian Mainka of Hackmanit
for the changes in 7c7fcecbe6a and 6d327f879c
Add Policy::check_peer_key_acceptable which lets the app set an arbitrary
callback for examining keys - both the end entity signature keys from
certificates and the peer PFS public keys. Default impl checks that the
algorithm size matches the min keylength. This centralizes this logic
and lets the application do interesting things.
Adds a policy for ECDSA group size checks.
Increases default policy minimums to 2048 RSA and 256 ECC.
(Maybe I'm an optimist after all.)
|
| |
| |
| |
| |
| |
| | |
Introduced a countermeasure against the logjam attack
Short TLS records (AES-CBC) now return BAD_RECORD_MAC
Fixed a compatibility problem with OpenSSL and TLS 1.0 (BEAST countermeasure)
|
|/
|
|
|
|
|
| |
* --policy works for TLS Server and TLS Client
* Example policy BSI_TR-02102-2.txt
* Fine granular configuration for TLS 1.0, 1.1, 1.2 and DTLS 1.0 and 1.2
* Minimum ecdh and rsa group size
|
|
|
|
|
|
| |
Previously the signature hashes and algos info was used to set the v1.2
signature_algorithms extension, but if the counterparty ignored the
extension and sent something else, we wouldn't notice.
|
| |
|
| |
|
|
|
|
| |
Interop tested with mbed TLS
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use constant time operations when checking CBC padding in TLS decryption
Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes
from working: on decode the session id and hello cookie would be
swapped, causing confusion between client and server.
Various changes in the service of finding the above DTLS bug that
should have been done before now anyway - better control of handshake
timeouts (via TLS::Policy), better reporting of handshake state in the
case of an error, and finally expose the facility for per-message
application callbacks.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Convert all uses of Algorithm_Factory and the engines to using Algo_Registry
The shared pool of entropy sources remains but is moved to EntropySource.
With that and few remaining initializations (default OIDs and aliases)
moved elsewhere, the global state is empty and init and shutdown are no-ops.
Remove almost all of the headers and code for handling the global
state, except LibraryInitializer which remains as a compatability stub.
Update seeding for blinding so only one hacky almost-global RNG
instance needs to be setup instead of across all pubkey uses (it uses
either the system RNG or an AutoSeeded_RNG if the system RNG is not
available).
|
| |
|
|
|
|
|
| |
Update license header line to specify the terms and refer to the file,
neither of which it included before.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Github issue 27.
Refactor server hello handling to make it easier to handle other extensions.
The manual specified that 224 bit NIST primes were disabled by default
for TLS but they were not. Additionaly disable the 256k1 curve and
reorder the remaining curves by size.
Rewrite the max fragment length extension code to roughly what an
ideal compiler would have turned the original code into, using a
switch instead of a lookup into a small constant std::map.
|
|
|
|
|
| |
with the setting set in the constructor. This prevents various surprising
things from happening to applications and simplifies record processing.
|
| |
|