| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
| |
Moves BSI policy file to test data dir where it can be compared with
what the hardcoded class outputs.
|
| | |
|
| |
|
|
|
|
| |
Renames a couple of functions for somewhat better name consistency,
eg make_u32bit becomes make_uint32. The old typedefs remain for now
since probably lots of application code uses them.
|
| | |
|
| | |
|
| |
|
|
| |
Also (unrelated) enable CECPQ1 in Strict_Policy
|
| |
|
|
|
|
| |
Changes TLS callback API for cert verify to accept Policy&
Sets default signature strength to 110 to force RSA ~2048.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Moves x25519 to the front for best by-default side channel resistance,
and orders remaining NIST/BP curves by performance rather than size.
That means putting P-521 before P-384, since P-521 is much faster at
least in Botan (due to much simpler modular reduction for P-521 prime),
and Brainpools to the end due to being quite slow (no fast reductions).
All of the supported curves seem strong enough, and if someone can break
P-256 they can probably break P-384 as well so there doesn't seem much
advantage in preferring slower curves by default.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Tested against BoringSSL (as client + server) and google.com (as client).
Fix a stupid crashing bug in NewHope's BoringSSL mode.
Remove unneeded error return from curve25519_donna - always returned 0.
Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which
means the default no-extra-configuration ciphersuite (for Botan client speaking
to Botan server) is a ciphersuite which is both implemented in constant time
on all platforms and (hopefully) provides post quantum security. Good Things.
|
| |
|
|
|
|
|
|
|
|
| |
Add Public_Key::key_length usable for policy checking (as in
TLS::Policy::check_peer_key_acceptable)
Remove Public_Key::max_input_bits because it didn't make much sense
for most algorithms actually.
Remove message_parts and message_part_size from PK_Ops
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Disables static RSA by default. The advantage here is twofold: enforcing forward
security and protecting TLS servers from oracle attacks since by default they
will never negotiate a suite which forces them to act as a decryption
oracle. Some applications/users may be forced to enable RSA in order to speak
with old or misconfigured peers, but these can be the exception not the default.
Disable DSA and CCM-8 by default: if you need to enable these things, you know it.
Adds TLS policy hooks to enforce DSA key sizes, default 2048 bits.
Remove an incorrect warning about DTLS in the manual; the sequence number window
check prevents this scenario from occuring.
|
| |
|
|
|
| |
Client interops with google.com, server not tested against an
independent client yet.
|
| |
|
|
|
| |
Now record layer only deals with an AEAD, and the weird complications
of CBC modes mostly hidden in tls_cbc.cpp
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds copyright notices for Juraj Somorovsky and Christian Mainka of Hackmanit
for the changes in 7c7fcecbe6a and 6d327f879c
Add Policy::check_peer_key_acceptable which lets the app set an arbitrary
callback for examining keys - both the end entity signature keys from
certificates and the peer PFS public keys. Default impl checks that the
algorithm size matches the min keylength. This centralizes this logic
and lets the application do interesting things.
Adds a policy for ECDSA group size checks.
Increases default policy minimums to 2048 RSA and 256 ECC.
(Maybe I'm an optimist after all.)
|
| |
|
|
|
|
| |
Introduced a countermeasure against the logjam attack
Short TLS records (AES-CBC) now return BAD_RECORD_MAC
Fixed a compatibility problem with OpenSSL and TLS 1.0 (BEAST countermeasure)
|
| |
|
|
|
|
|
| |
* --policy works for TLS Server and TLS Client
* Example policy BSI_TR-02102-2.txt
* Fine granular configuration for TLS 1.0, 1.1, 1.2 and DTLS 1.0 and 1.2
* Minimum ecdh and rsa group size
|
| |
|
|
|
|
|
|
|
| |
Remove support for weak ECC curves (anything under P-256) from TLS.
This includes secp256k1 since we don't take advantage of the special
form for any performance advantage; might as well use P-256.
The manual still mentioned that it was possible to use MD5 in
Policy::allowed_macs, but all HMAC-MD5 suites are already removed.
|
| |
|
|
|
| |
Otherwise a MITM who can in real time break any supported ECC curve can
downgrade us.
|
| |
|
|
|
|
| |
Previously the signature hashes and algos info was used to set the v1.2
signature_algorithms extension, but if the counterparty ignored the
extension and sent something else, we wouldn't notice.
|
| |
|
|
|
|
|
|
| |
Remove SRP_SHA from the default policy, since normal applications do
not need it.
Removes nullptr initializers of unique_ptrs in the Server_Key_Exchange
constructor, that's the default unique_ptr already.
|
| |
|
|
|
| |
The signature of the alert callback remains unchanged to avoid
breaking applications, though now the buffer parameter is never set.
|
| |
|
|
| |
Works around a libstdc++ bug when fuzzing with libFuzzer
|
| |
|
|
| |
See GH #340 and 6b9a3a5 for background
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix a bug which rejected any short server key exchanges. These can
occur with a plain PSK with short or empty identity hints.
Disable SHA-224 by default.
Remove some vestigal RC4 cruft.
Push more on the TLS corruption tests.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use constant time operations when checking CBC padding in TLS decryption
Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes
from working: on decode the session id and hello cookie would be
swapped, causing confusion between client and server.
Various changes in the service of finding the above DTLS bug that
should have been done before now anyway - better control of handshake
timeouts (via TLS::Policy), better reporting of handshake state in the
case of an error, and finally expose the facility for per-message
application callbacks.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Transforms and BlockCiphers. Registration for all types is done at
startup but is very cheap as just a std::function and a std::map entry
are created, no actual objects are created until needed. This is a
huge improvement over Algorithm_Factory which used T::clone() as the
function and thus kept a prototype object of each type in memory.
Replace existing lookup mechanisms for ciphers, AEADs, and compression
to use the transform lookup. The existing Engine framework remains in
place for BlockCipher, but the engines now just call to the registry
instead of having hardcoded lookups.
s/Transformation/Transform/ with typedefs for compatability.
Remove lib/selftest code (for runtime selftesting): not the right approach.
|
| | |
|
| | |
|
| |
|
|
|
| |
and enable them in the default build, though still not enabled in the
runtime policy.
|
| |
|
|
|
| |
Update license header line to specify the terms and refer to the file,
neither of which it included before.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Github issue 27.
Refactor server hello handling to make it easier to handle other extensions.
The manual specified that 224 bit NIST primes were disabled by default
for TLS but they were not. Additionaly disable the 256k1 curve and
reorder the remaining curves by size.
Rewrite the max fragment length extension code to roughly what an
ideal compiler would have turned the original code into, using a
switch instead of a lookup into a small constant std::map.
|
| | |
|
| |
|
|
|
| |
with the setting set in the constructor. This prevents various surprising
things from happening to applications and simplifies record processing.
|
| | |
|
| | |
|
| |
|
|
| |
offer. Previously the client only checked a couple of special cases.
|
| |
|
