aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls/tls_server.cpp
Commit message (Collapse)AuthorAgeFilesLines
* Fix some LGTM issuesJack Lloyd2019-06-191-1/+1
|
* Add support for HelloVerifyRequest on server sideJack Lloyd2019-06-181-3/+39
| | | | Closes GH #1833
* Add support for supported versions extension from TLS 1.3Jack Lloyd2019-05-241-5/+29
|
* Allow servers to prohibit renegotiation with fatal alertJack Lloyd2019-05-241-1/+4
|
* Fix some issues with DTLS version intoleranceJack Lloyd2019-05-231-4/+12
|
* Shorten callback nameJack Lloyd2019-05-221-1/+1
|
* Add BoGo tests and fix resumption caseJack Lloyd2019-05-221-1/+8
|
* Formatting and post-rebase fixesJack Lloyd2019-05-221-13/+14
|
* added status_request extension and cert chain to the stapling-reponse ↵Falko Strenzke2019-05-221-7/+14
| | | | generating callback's signature
* implemented ocsp stapling (code not yet formatted properly)Falko Strenzke2019-05-221-0/+8
|
* Fix various issues in TLS found using BoGoJack Lloyd2019-05-201-65/+89
| | | | | | | | | | | | | | | | | | | | | | | | | - BoGo sends unparseable OCSP responses, so we have to accomodate for this by delaying decoding until verification and simply ignoring OCSP responses that we can't parse. - Check that there is no trailing garbage at the end of various messages. - Don't send empty SNI - Check the TLS record header versions (previously ignored) - For CBC 1/n-1 splitting split every record instead of just first. I think this is not a problem but it is what BoGo expects. - New Channel::application_protocol virtual (previously was implemented on both Client and Server but not shared). - Changes to resumption version handling. - Fix server version selection when newer versions are disabled. New policy hooks added in service of BoGo: - maximum_certificate_chain_size gives the maximum cert chain in bytes that we'll accept. - allow_resumption_for_renegotiation specifies if a renegotiation attempt can be simply (re-)resumed instead. - abort_handshake_on_undesired_renegotiation - previously we just ignored it with a warning alert. Now behavior is configurable. - request_client_certificate_authentication - require_client_certificate_authentication
* Fix some warnings new in GCC 8.1Jack Lloyd2018-05-071-8/+8
| | | | | It thinks the typedefs are "locals" that are being conflicted with, which seems wrong to me but whatever.
* Fix interop bug in TLS serverJack Lloyd2018-04-081-0/+3
| | | | | The connection would fail if the client advertised any signature algorithm we did not support (eg RSA/SHA-224)
* Use enums for TLS key exchange group paramsJack Lloyd2018-02-131-1/+1
|
* Use enums to represent TLS signature and kex algorithms.Jack Lloyd2018-01-281-41/+42
| | | | Adds support for PSS signatures (currently verifying only).
* Add an examine callback alsoJack Lloyd2018-01-271-0/+2
|
* Add ability for application to control which TLS extensions are usedJack Lloyd2018-01-271-0/+2
| | | | GH #1186
* Remove vestigial support for TLS compressionJack Lloyd2018-01-211-24/+0
| | | | | It was never supported and never will be. Removing negotiation entirely simplifies the code a bit.
* Handle #1303 on the server sideJack Lloyd2017-12-071-1/+13
|
* Fix formatting in TLS server code [ci skip]Jack Lloyd2017-12-071-193/+179
|
* Correct version selection logic in TLS serverJack Lloyd2017-11-281-0/+5
| | | | | | | | | | | Due to an oversight in the logic, previously a client attempt to negotiate SSLv3 would result in the server trying to negotiate TLS v1.2. Now instead they get a protocol_error alert. Similarly, detect the the (invalid) case of a major number <= 2, which does not coorespond to any real TLS version. The server would again reply as a TLS v1.2 server in that case, and now just closes the connection with an alert.
* Fix errors caught with tlsfuzzerJack Lloyd2017-11-261-7/+0
| | | | | | | | | | | Don't send EC point format extension in server hello unless an EC suite was negotiated *and* the client sent the extension. Fix server FFDHE logic, this effectively disabled DHE ciphersuites for clients without FFDHE extension. Use unexpected_message alert in case of an unexpected message. (Previously an internal_error alert was sent.)
* Fall back to default group if client does not send any DH groupsRené Korthaus2017-10-201-1/+0
|
* Add supported groups TLS extension (RFC 7919)René Korthaus2017-10-171-0/+7
|
* Apply final annotations to the library alsoJack Lloyd2017-09-221-1/+1
| | | | | Done by a perl script which converted all classes to final, followed by selective reversion where it caused compilation failures.
* Merge GH #872 Add ability for TLS servers to prohibit renegotiationJack Lloyd2017-09-191-1/+7
|\
| * Fix logic of renegotiation checkJack Lloyd2017-02-201-3/+3
| | | | | | | | | | | | Turning the policy off broke the server entirely. Expose the new flag to Text_Policy
| * Add TLS::Policy::allow_client_initiated_renegotiationJack Lloyd2017-02-191-1/+7
| | | | | | | | Parallel of the server policy flag.
* | Don't try enforcing the hash policy for PSK ciphersuitesJack Lloyd2017-09-011-1/+1
| | | | | | | | Since we don't end up signing anything in any case.
* | Enforce signature hash policy properlyJack Lloyd2017-08-311-0/+34
|/ | | | | | | | Previously if the client did not send signature_algorithms, or if it only included algos not in the policy, we would just fallback to the hardcoded SHA-1 default of TLS v1.2 Instead check the policy before accepting anything.
* Export tls_messages.h as a public headerRené Korthaus2016-12-231-1/+1
| | | | | | | TLS::Callbacks::inspect_handshake_message() allows applications to inspect all handshake messages, but this requires access to the types in tls_messages.h. As a matter of fact, this also exports tls_extensions.h as a public header.
* Convert to using standard uintN_t integer typesJack Lloyd2016-12-181-17/+17
| | | | | | Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.
* Add OCSP stapling support to TLS clientJack Lloyd2016-11-261-0/+1
|
* Add TLS::Policy::minimum_signature_strengthJack Lloyd2016-11-251-1/+2
| | | | | | Changes TLS callback API for cert verify to accept Policy& Sets default signature strength to 110 to force RSA ~2048.
* Move TLS cert verification callback from Credentials_Manager to TLS::CallbacksJack Lloyd2016-11-231-1/+7
| | | | | | It is the only function in C_M which is called on to process session-specific (and adversarially provided) inputs, rather than passively returning some credential which is typically not session specific.
* Tighten up TLS server handshake logic.Jack Lloyd2016-10-201-20/+15
| | | | | | | | | Previously client was allowed to omit the Certificate message, a leftover from supporting SSLv3. In all versions of TLS, an empty message must be sent if the client does not want to use a cert. No known security impact, but nothing we need to allow anymore. Clean up the handshake switch a bit by using return statements.
* Revert PK_Verifier change (don't require RNG there).Jack Lloyd2016-10-071-1/+1
| | | | | | | Verification is deterministic and public, so really no RNG is ever needed. Change provider handling - accepts "base", "openssl", or empty, otherwise throws a Provider_Not_Found exception.
* Remove Algo_Registry usage from public key code.Jack Lloyd2016-10-071-1/+1
| | | | | | | | Instead the key types exposes operations like `create_encryption_op` which will return the relevant operation if the algorithm supports it. Changes pubkey.h interface, now RNG is passed at init time. Blinder previous created its own RNG, now it takes it from app.
* TLS Server should respect client signature_algorithms. Stricter TLS hello ↵Jack Lloyd2016-09-211-9/+27
| | | | | | | | | | | | | | | | | | | | decoding. If the client sent a signature_algorithms extension, we should negotiate a ciphersuite in the shared union of the ciphersuite list and the extension, instead of ignoring it. Found by Juraj Somorovsky GH #619 The TLS v1.2 spec says that clients should only send the signature_algorithms extension in a hello for that version. Enforce that when decoding client hellos to prevent this extension from confusing a v1.0 negotiation. TLS v1.2 spec says ANON signature type is prohibited in the signature_algorithms extension in the client hello. Prohibit it. Reorder the TLS extensions in the client hello so there is no chance an empty extension is the last extension in the list. Some implementations apparently reject such hellos, even (perhaps especially) when they do not recognize the extension, this bug was mentioned on the ietf-tls mailing list a while back.
* Merge master into this branch, resolving conflicts with #457/#576Jack Lloyd2016-08-311-363/+463
|\ | | | | | | which recently landed on master.
| * Add a Callbacks function for ALPNJack Lloyd2016-08-161-5/+11
| |
| * Changes to TLS::Callbacks for GH PR #457Jack Lloyd2016-08-161-8/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make TLS::Channel::m_callbacks a reference, so deriving from TLS::Callbacks works Split out the compat (std::function) based interface to Compat_Callbacks. This avoids the overhead of empty std::functions when using the virtual interface, and ensures the virtual interface works since there is no callback path that does not involve a vtable lookup. Rename the TLS::Callback functions. Since the idea is that often an owning class will pass *this as the callbacks argument, it is good to namespace the virtual functions so as not to conflict with other names chosen by the class. Specifically, prefixes all cb functions with tls_ Revert changes to use the old style alert callback (with no longer used data/len params) so no API changes are required for old code. The new Callbacks interface continues to just receive the alert code itself. Switch to virtual function interface in CLI tls_client for testing. Inline tls_server_handshake_state.h - only used in tls_server.cpp Fix tests - test looked like it was creating a new client object but it was not actually being used. And when enabled, it failed because the queues were not being emptied in between. So, fix that.
| * Removed Handshake_Info class.Matthias Gierlings2016-06-191-13/+11
| | | | | | | | | | - Undid changes replacing Hanshake_IO, Handshake_Hash with Handshake_Info.
| * Removed TLS::Session::PropertiesMatthias Gierlings2016-06-191-10/+7
| | | | | | | | | | - Removed proposed wrapper class to logically group TLS session properties.
| * Compatibility patch for TLS::Callback interfaceMatthias Gierlings2016-06-191-0/+38
| | | | | | | | | | - Added legacy constructor support for TLS::Channel, TLS::Client, TLS::Server.
| * Added virtual Callback InterfaceMatthias Gierlings2016-06-191-1/+4
| | | | | | | | | | | | | | | | | | - extracted inner class TLS::Channel::Callbacks to stand-alone class TLS::Callbacks. - provided default implementations for TLS::Callbacks members executing calls to std::function members for backward compatibility. - applied changes to cli, tests and TLS::Channel related classes to be compatible with new interface.
| * Fix for amalgamation build problemsMatthias Gierlings2016-06-191-1/+2
| | | | | | | | | | | | | | | | | | - fixed broken tls_magic.h include - added forward declarations for Handshake_IO and Handshake_Hash in tls_handshake_msg.h - comment after #endif in tls_server_handshake.h caused surplus #endif in botan_all_internal.h - removed unnecessary semicolons causing -Wpedantic warnings.
| * Reduction of code complexity in TLS classes.Matthias Gierlings2016-06-191-392/+430
| | | | | | | | | | | | | | -reduced number of parameters in various methods -reduced cyclomatic complexity (McCabe-Metric) -removed "TLSEXT_HEARTBEAT_SUPPORT" from tls_extensions.h (leftover from heartbeat extension removal?)
* | Encrypt-then-MAC extension (RFC 7366)Juraj Somorovsky2016-05-111-0/+14
| | | | | | | | | | | | Introduced a countermeasure against the logjam attack Short TLS records (AES-CBC) now return BAD_RECORD_MAC Fixed a compatibility problem with OpenSSL and TLS 1.0 (BEAST countermeasure)
* | TLS Policy supportChristian Mainka2016-05-031-1/+1
|/ | | | | | | * --policy works for TLS Server and TLS Client * Example policy BSI_TR-02102-2.txt * Fine granular configuration for TLS 1.0, 1.1, 1.2 and DTLS 1.0 and 1.2 * Minimum ecdh and rsa group size