| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
Closes GH #1833
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
generating callback's signature
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- BoGo sends unparseable OCSP responses, so we have to accomodate for
this by delaying decoding until verification and simply ignoring
OCSP responses that we can't parse.
- Check that there is no trailing garbage at the end of various messages.
- Don't send empty SNI
- Check the TLS record header versions (previously ignored)
- For CBC 1/n-1 splitting split every record instead of just first.
I think this is not a problem but it is what BoGo expects.
- New Channel::application_protocol virtual (previously was
implemented on both Client and Server but not shared).
- Changes to resumption version handling.
- Fix server version selection when newer versions are disabled.
New policy hooks added in service of BoGo:
- maximum_certificate_chain_size gives the maximum cert chain in bytes
that we'll accept.
- allow_resumption_for_renegotiation specifies if a renegotiation
attempt can be simply (re-)resumed instead.
- abort_handshake_on_undesired_renegotiation - previously we just
ignored it with a warning alert. Now behavior is configurable.
- request_client_certificate_authentication
- require_client_certificate_authentication
|
|
|
|
|
| |
It thinks the typedefs are "locals" that are being conflicted with,
which seems wrong to me but whatever.
|
|
|
|
|
| |
The connection would fail if the client advertised any signature
algorithm we did not support (eg RSA/SHA-224)
|
| |
|
|
|
|
| |
Adds support for PSS signatures (currently verifying only).
|
| |
|
|
|
|
| |
GH #1186
|
|
|
|
|
| |
It was never supported and never will be. Removing negotiation entirely
simplifies the code a bit.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Due to an oversight in the logic, previously a client attempt to
negotiate SSLv3 would result in the server trying to negotiate
TLS v1.2. Now instead they get a protocol_error alert.
Similarly, detect the the (invalid) case of a major number <= 2,
which does not coorespond to any real TLS version. The server
would again reply as a TLS v1.2 server in that case, and now
just closes the connection with an alert.
|
|
|
|
|
|
|
|
|
|
|
| |
Don't send EC point format extension in server hello unless an EC
suite was negotiated *and* the client sent the extension.
Fix server FFDHE logic, this effectively disabled DHE ciphersuites
for clients without FFDHE extension.
Use unexpected_message alert in case of an unexpected message.
(Previously an internal_error alert was sent.)
|
| |
|
| |
|
|
|
|
|
| |
Done by a perl script which converted all classes to final, followed
by selective reversion where it caused compilation failures.
|
|\ |
|
| |
| |
| |
| |
| |
| | |
Turning the policy off broke the server entirely.
Expose the new flag to Text_Policy
|
| |
| |
| |
| | |
Parallel of the server policy flag.
|
| |
| |
| |
| | |
Since we don't end up signing anything in any case.
|
|/
|
|
|
|
|
|
| |
Previously if the client did not send signature_algorithms, or if
it only included algos not in the policy, we would just fallback to
the hardcoded SHA-1 default of TLS v1.2
Instead check the policy before accepting anything.
|
|
|
|
|
|
|
| |
TLS::Callbacks::inspect_handshake_message() allows applications
to inspect all handshake messages, but this requires
access to the types in tls_messages.h. As a matter of fact,
this also exports tls_extensions.h as a public header.
|
|
|
|
|
|
| |
Renames a couple of functions for somewhat better name consistency,
eg make_u32bit becomes make_uint32. The old typedefs remain for now
since probably lots of application code uses them.
|
| |
|
|
|
|
|
|
| |
Changes TLS callback API for cert verify to accept Policy&
Sets default signature strength to 110 to force RSA ~2048.
|
|
|
|
|
|
| |
It is the only function in C_M which is called on to process session-specific
(and adversarially provided) inputs, rather than passively returning some credential
which is typically not session specific.
|
|
|
|
|
|
|
|
|
| |
Previously client was allowed to omit the Certificate message, a
leftover from supporting SSLv3. In all versions of TLS, an empty
message must be sent if the client does not want to use a cert.
No known security impact, but nothing we need to allow anymore.
Clean up the handshake switch a bit by using return statements.
|
|
|
|
|
|
|
| |
Verification is deterministic and public, so really no RNG is ever needed.
Change provider handling - accepts "base", "openssl", or empty, otherwise
throws a Provider_Not_Found exception.
|
|
|
|
|
|
|
|
| |
Instead the key types exposes operations like `create_encryption_op`
which will return the relevant operation if the algorithm supports it.
Changes pubkey.h interface, now RNG is passed at init time.
Blinder previous created its own RNG, now it takes it from app.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
decoding.
If the client sent a signature_algorithms extension, we should negotiate a ciphersuite in
the shared union of the ciphersuite list and the extension, instead of ignoring it.
Found by Juraj Somorovsky GH #619
The TLS v1.2 spec says that clients should only send the signature_algorithms
extension in a hello for that version. Enforce that when decoding client hellos
to prevent this extension from confusing a v1.0 negotiation.
TLS v1.2 spec says ANON signature type is prohibited in the signature_algorithms extension
in the client hello. Prohibit it.
Reorder the TLS extensions in the client hello so there is no chance an empty extension is
the last extension in the list. Some implementations apparently reject such hellos, even
(perhaps especially) when they do not recognize the extension, this bug was mentioned on
the ietf-tls mailing list a while back.
|
|\
| |
| |
| | |
which recently landed on master.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make TLS::Channel::m_callbacks a reference, so deriving from TLS::Callbacks works
Split out the compat (std::function) based interface to Compat_Callbacks.
This avoids the overhead of empty std::functions when using the virtual
interface, and ensures the virtual interface works since there is no
callback path that does not involve a vtable lookup.
Rename the TLS::Callback functions. Since the idea is that often an owning
class will pass *this as the callbacks argument, it is good to namespace
the virtual functions so as not to conflict with other names chosen by
the class. Specifically, prefixes all cb functions with tls_
Revert changes to use the old style alert callback (with no longer used data/len
params) so no API changes are required for old code. The new Callbacks interface
continues to just receive the alert code itself.
Switch to virtual function interface in CLI tls_client for testing.
Inline tls_server_handshake_state.h - only used in tls_server.cpp
Fix tests - test looked like it was creating a new client object but it
was not actually being used. And when enabled, it failed because the queues
were not being emptied in between. So, fix that.
|
| |
| |
| |
| |
| | |
- Undid changes replacing Hanshake_IO, Handshake_Hash with
Handshake_Info.
|
| |
| |
| |
| |
| | |
- Removed proposed wrapper class to logically group TLS session
properties.
|
| |
| |
| |
| |
| | |
- Added legacy constructor support for TLS::Channel, TLS::Client,
TLS::Server.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- extracted inner class TLS::Channel::Callbacks to stand-alone class
TLS::Callbacks.
- provided default implementations for TLS::Callbacks members executing
calls to std::function members for backward compatibility.
- applied changes to cli, tests and TLS::Channel related classes to be
compatible with new interface.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- fixed broken tls_magic.h include
- added forward declarations for Handshake_IO and Handshake_Hash in
tls_handshake_msg.h
- comment after #endif in tls_server_handshake.h caused surplus #endif
in botan_all_internal.h
- removed unnecessary semicolons causing -Wpedantic warnings.
|
| |
| |
| |
| |
| |
| |
| | |
-reduced number of parameters in various methods
-reduced cyclomatic complexity (McCabe-Metric)
-removed "TLSEXT_HEARTBEAT_SUPPORT" from tls_extensions.h (leftover
from heartbeat extension removal?)
|
| |
| |
| |
| |
| |
| | |
Introduced a countermeasure against the logjam attack
Short TLS records (AES-CBC) now return BAD_RECORD_MAC
Fixed a compatibility problem with OpenSSL and TLS 1.0 (BEAST countermeasure)
|
|/
|
|
|
|
|
| |
* --policy works for TLS Server and TLS Client
* Example policy BSI_TR-02102-2.txt
* Fine granular configuration for TLS 1.0, 1.1, 1.2 and DTLS 1.0 and 1.2
* Minimum ecdh and rsa group size
|