aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls/tls_policy.cpp
Commit message (Collapse)AuthorAgeFilesLines
* Add TLS_PSK testsJack Lloyd2015-11-131-5/+2
| | | | | | | | | | | Fix a bug which rejected any short server key exchanges. These can occur with a plain PSK with short or empty identity hints. Disable SHA-224 by default. Remove some vestigal RC4 cruft. Push more on the TLS corruption tests.
* TLS improvementsJack Lloyd2015-10-251-2/+11
| | | | | | | | | | | | | | Use constant time operations when checking CBC padding in TLS decryption Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes from working: on decode the session id and hello cookie would be swapped, causing confusion between client and server. Various changes in the service of finding the above DTLS bug that should have been done before now anyway - better control of handshake timeouts (via TLS::Policy), better reporting of handshake state in the case of an error, and finally expose the facility for per-message application callbacks.
* Add a runtime map of string->func() which when called returnlloyd2015-01-281-14/+42
| | | | | | | | | | | | | | | | | Transforms and BlockCiphers. Registration for all types is done at startup but is very cheap as just a std::function and a std::map entry are created, no actual objects are created until needed. This is a huge improvement over Algorithm_Factory which used T::clone() as the function and thus kept a prototype object of each type in memory. Replace existing lookup mechanisms for ciphers, AEADs, and compression to use the transform lookup. The existing Engine framework remains in place for BlockCipher, but the engines now just call to the registry instead of having hardcoded lookups. s/Transformation/Transform/ with typedefs for compatability. Remove lib/selftest code (for runtime selftesting): not the right approach.
* Add Strict_Policy. Disable server initiated renegotiation by default.lloyd2015-01-231-9/+6
|
* Add support for configuring a TLS::Policy by text filelloyd2015-01-231-2/+46
|
* Update TLS OCB ciphersuites to match draft-zauner-tls-aes-ocb-00lloyd2015-01-211-0/+2
| | | | | and enable them in the default build, though still not enabled in the runtime policy.
* Ensure all files have copyright and license info.lloyd2015-01-101-1/+1
| | | | | Update license header line to specify the terms and refer to the file, neither of which it included before.
* Remove config used for testing DTLS-SRTPlloyd2015-01-041-3/+2
|
* Add DTLS-SRTP key establishment from RFC 5764 (required for WebRTC).lloyd2015-01-041-9/+16
| | | | | | | | | | | | | | Github issue 27. Refactor server hello handling to make it easier to handle other extensions. The manual specified that 224 bit NIST primes were disabled by default for TLS but they were not. Additionaly disable the 256k1 curve and reorder the remaining curves by size. Rewrite the max fragment length extension code to roughly what an ideal compiler would have turned the original code into, using a switch instead of a lookup into a small constant std::map.
* Add ChaCha20Poly1305 TLS ciphersuites compatible with Google's implementationlloyd2014-12-311-0/+1
|
* A TLS Server can now process either TLS or DTLS but not either,lloyd2014-11-151-3/+1
| | | | | with the setting set in the constructor. This prevents various surprising things from happening to applications and simplifies record processing.
* No need to pass version by referencelloyd2014-10-311-1/+1
|
* Add TLS fallback signalling (draft-ietf-tls-downgrade-scsv-00)lloyd2014-10-311-1/+14
|
* Verify that the server did not send any extension that the client didn'tlloyd2014-04-111-0/+10
| | | | offer. Previously the client only checked a couple of special cases.
* Move lib into srclloyd2014-01-101-0/+286
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-21 05:09:38 +0000