path: root/src/lib/tls
Each entry: commit message, then author, date, files changed and lines removed/added in parentheses.
* Change calls to 'get_byte' to explicitly cast parameters and eliminate compiler warnings
  (Dan Brown, 2016-04-27; 5 files, -25/+25)

* Fix return type of TLS_Reader::get_u32bit
  (Jack Lloyd, 2016-04-21; 1 file, -2/+2)
  Only affects decoding of session ticket lifetimes. GH #478

* Don't reject TLS packets with zero plaintext bytes
  (Jack Lloyd, 2016-04-15; 1 file, -13/+13)
  OpenSSL sends an empty record before each new data record in TLS v1.0 to randomize the IV, as a countermeasure to the BEAST attack. Most implementations use 1/(n-1) splitting for this instead. Bug introduced with the const time changes in 1.11.23

* Update OCB ciphersuites to follow new nonce scheme from -04 draft
  (Jack Lloyd, 2016-04-04; 1 file, -37/+37)

* Add IETF standard ChaCha20Poly1305 ciphersuites to TLS
  (Jack Lloyd, 2016-03-23; 3 files, -23/+83)
* Add PK_Decryptor::decrypt_or_random
  (Jack Lloyd, 2016-03-20; 1 file, -30/+22)
  Performs content checks on the value (expected length, expected bytes) and in constant time returns either the decrypted value or a random value.
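The selection described in the commit above, as an added example that is not Botan's code: the decryption itself is assumed to have already produced `decrypted` (possibly of the wrong length), `random` is assumed to be a fresh RNG output of at least the expected length, and the helper names (`ct_eq_u8`, `decrypt_or_random`, `tls_premaster_or_random`) are illustrative. The TLS wrapper applies the checks a client key exchange needs: a 48-byte RSA premaster secret whose first two bytes are the client's offered version (TLS 1.2 is assumed), with any failure replaced by the random bytes via masking rather than branching.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Illustrative constant-time helpers (assumptions, not Botan's CT namespace).

// 0xFF if x == 0, else 0x00, with no data-dependent branch.
static uint8_t ct_is_zero_u8(uint8_t x) {
    return static_cast<uint8_t>((static_cast<uint32_t>(x) - 1u) >> 8);
}

static uint8_t ct_eq_u8(uint8_t a, uint8_t b) {
    return ct_is_zero_u8(static_cast<uint8_t>(a ^ b));
}

// 0xFF if a == b, else 0x00; used to compare lengths without branching.
static uint8_t ct_eq_size(size_t a, size_t b) {
    const uint64_t v = static_cast<uint64_t>(a) ^ static_cast<uint64_t>(b);
    const uint8_t nonzero = static_cast<uint8_t>((v | (0u - v)) >> 63);
    return static_cast<uint8_t>(nonzero - 1u);
}

static uint8_t ct_select_u8(uint8_t mask, uint8_t if_set, uint8_t if_clear) {
    return static_cast<uint8_t>((if_set & mask) | (if_clear & static_cast<uint8_t>(~mask)));
}

// Returns `decrypted` if it has exactly `expected_len` bytes and every
// (offset, value) pair in `expected` matches; otherwise returns `random`.
// The result is assembled by masking so that a bad length or a wrong
// byte costs the same time as a valid decryption. `random` must hold at
// least expected_len bytes (caller's responsibility, assumed here).
std::vector<uint8_t> decrypt_or_random(const std::vector<uint8_t>& decrypted,
                                       size_t expected_len,
                                       const std::vector<std::pair<size_t, uint8_t>>& expected,
                                       const std::vector<uint8_t>& random) {
    // Normalise to expected_len so later indexing never depends on the
    // secret length; the copy bound is the only length-dependent step.
    std::vector<uint8_t> sized(expected_len, 0);
    const size_t n = decrypted.size() < expected_len ? decrypted.size() : expected_len;
    for (size_t i = 0; i < n; ++i) sized[i] = decrypted[i];

    uint8_t valid = ct_eq_size(decrypted.size(), expected_len);
    for (const auto& e : expected) {
        const uint8_t byte = e.first < expected_len ? sized[e.first] : 0;
        valid &= ct_eq_u8(byte, e.second);
    }

    std::vector<uint8_t> out(expected_len);
    for (size_t i = 0; i < expected_len; ++i)
        out[i] = ct_select_u8(valid, sized[i], random[i]);
    return out;
}

// TLS use: the RSA-encrypted premaster secret is 48 bytes whose first two
// bytes are the client's offered version (0x03 0x03 assumed here). Anything
// else is replaced by random so a padding/version oracle sees no difference.
std::vector<uint8_t> tls_premaster_or_random(const std::vector<uint8_t>& decrypted,
                                             const std::vector<uint8_t>& random48) {
    std::vector<std::pair<size_t, uint8_t>> checks;
    checks.emplace_back(0, 0x03);
    checks.emplace_back(1, 0x03);
    return decrypt_or_random(decrypted, 48, checks, random48);
}
```

The caller still has to use the returned bytes unconditionally (derive the master secret from whatever comes back and let the Finished check fail), otherwise the branch simply moves one level up.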
* Remove support for TLS v1.2 MD5 and SHA-224 signatures.
  (Jack Lloyd, 2016-03-17; 2 files, -53/+3)
  Remove support for weak ECC curves (anything under P-256) from TLS. This includes secp256k1 since we don't take advantage of the special form for any performance advantage; might as well use P-256.
  The manual still mentioned that it was possible to use MD5 in Policy::allowed_macs, but all HMAC-MD5 suites are already removed.

* Client must verify that the server sent an ECC curve which policy accepts.
  (Jack Lloyd, 2016-03-17; 3 files, -0/+13)
  Otherwise a MITM who can in real time break any supported ECC curve can downgrade us.
* TLS client features
  (Jack Lloyd, 2016-03-16; 1 file, -0/+3)
  Add flags --policy, --print-certs, --tls1.0, --tls1.1, --tls1.2
  Update todo

* Check that TLS signature type is accepted by the policy.
  (Jack Lloyd, 2016-03-06; 9 files, -38/+106)
  Previously the signature hashes and algos info was used to set the v1.2 signature_algorithms extension, but if the counterparty ignored the extension and sent something else, we wouldn't notice.

* Remaining cppcheck fixes that are not covered by GH #444
  (Daniel Neus, 2016-03-05; 9 files, -33/+20)

* cppcheck fixes: Class 'X' has a constructor with 1 argument that is not explicit.
  (Daniel Neus, 2016-03-05; 8 files, -27/+27)

* Fix remaining Wshadow warnings and enable on gcc and clang
  (René Korthaus, 2016-02-18; 1 file, -2/+4)

* Reject zero length TLS records out of hand.
  (Jack Lloyd, 2016-02-16; 1 file, -4/+11)
  Later checks on the record length in CCS and record handling already rejected a zero length record but when reading an empty record, readbuf.size() == TLS_HEADER_SIZE and so creating the pointer
    byte* record_contents = &readbuf[TLS_HEADER_SIZE];
  would trigger when running under (at least) GCC's iterator debugging, and likely other iterator checkers also. Since no completely empty record is defined, reject it immediately at the record layer.
  Found by Juraj Somorovsky
  Also correct DTLS record handling for large messages: a zero length or too-long packet should be dropped rather than an exception being thrown.
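The two length rules from the commit above and from "Don't reject TLS packets with zero plaintext bytes" earlier in this log, as an added example that is not Botan's code: a record whose header announces zero content bytes is rejected before any pointer into the body is formed, while a decrypted application-data record whose plaintext turns out to be empty (the OpenSSL BEAST countermeasure) is accepted. Only the 5-byte stream TLS header is modelled (the 13-byte DTLS header and the drop-instead-of-throw behaviour are not), and the names `read_record_header` and `accept_plaintext` are illustrative.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr size_t TLS_HEADER_SIZE = 5;
// RFC 5246 6.2.3: TLSCiphertext.length must not exceed 2^14 + 2048.
constexpr size_t MAX_CIPHERTEXT_SIZE = 16384 + 2048;

enum class RecordResult { NeedMoreData, Ok, Reject };

struct RecordHeader {
    uint8_t type = 0;
    uint8_t version_major = 0;
    uint8_t version_minor = 0;
    uint16_t length = 0;
};

// Parse the 5-byte header at the front of readbuf. On Ok, hdr.length bytes
// of record contents start at body_offset. Every length decision is taken
// on the public header fields before any index into the body is computed,
// so a 5-byte buffer never produces &readbuf[TLS_HEADER_SIZE].
RecordResult read_record_header(const std::vector<uint8_t>& readbuf,
                                RecordHeader& hdr,
                                size_t& body_offset) {
    if (readbuf.size() < TLS_HEADER_SIZE) return RecordResult::NeedMoreData;

    hdr.type = readbuf[0];
    hdr.version_major = readbuf[1];
    hdr.version_minor = readbuf[2];
    hdr.length = static_cast<uint16_t>((readbuf[3] << 8) | readbuf[4]);

    // Content types defined by RFC 5246 (CCS=20, alert=21, handshake=22,
    // application data=23); anything else is not a TLS record.
    if (hdr.type < 20 || hdr.type > 23) return RecordResult::Reject;

    // No completely empty record is defined, so reject it at the record
    // layer rather than letting a later layer trip over a zero-size body.
    if (hdr.length == 0) return RecordResult::Reject;
    if (hdr.length > MAX_CIPHERTEXT_SIZE) return RecordResult::Reject;

    if (readbuf.size() < TLS_HEADER_SIZE + hdr.length) return RecordResult::NeedMoreData;

    body_offset = TLS_HEADER_SIZE;
    return RecordResult::Ok;
}

// After decryption and MAC/padding removal. RFC 5246 6.2.1 permits
// zero-length application-data fragments (OpenSSL sends one before each
// data record in TLS 1.0) and forbids zero-length handshake, alert and
// CCS fragments, so only type 23 may carry an empty plaintext.
RecordResult accept_plaintext(uint8_t content_type, const std::vector<uint8_t>& plaintext) {
    if (plaintext.empty() && content_type != 23) return RecordResult::Reject;
    return RecordResult::Ok;
}
```

The distinction matters because the two "empty" cases live at different layers: an empty record has no MAC to verify and nothing to decrypt, whereas an empty plaintext arrives inside a record that was fully authenticated.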
* Make SRP6 support optional in TLS
  (Jack Lloyd, 2016-02-07; 10 files, -20/+72)
  Remove SRP_SHA from the default policy, since normal applications do not need it.
  Removes nullptr initializers of unique_ptrs in the Server_Key_Exchange constructor, that's the default unique_ptr already.

* Remove support for the TLS min fragment length extension.
  (Jack Lloyd, 2016-02-07; 11 files, -147/+18)

* Remove TLS heartbeat support.
  (Jack Lloyd, 2016-02-07; 15 files, -290/+1)
  The signature of the alert callback remains unchanged to avoid breaking applications, though now the buffer parameter is never set.

* Avoid set<Ciphersuite>
  (Jack Lloyd, 2016-01-17; 1 file, -6/+7)
  Works around a libstdc++ bug when fuzzing with libFuzzer

* Add final attribute to many classes
  (Jack Lloyd, 2016-01-10; 6 files, -30/+30)
  In some cases this can offer better optimization, via devirtualization. And it lets the user know the class is not intended for derivation. Some discussion in GH #402

* Mass-prefix member vars with m_
  (René Korthaus, 2016-01-08; 6 files, -54/+54)

* Precompile the list of TLS ciphersuites
  (Jack Lloyd, 2016-01-06; 3 files, -294/+458)
  This avoids a scan over the entire 0 - 0xFFFF space which is mostly empty, by instead keeping a second list in tls_suite_info which is exactly the keys for which the switch statement has values. This scan is only ever done once (when first needed) but removing it is sufficient to increase AFL's throughput by 4x since it goes through a full startup on each test.
* String comparison fixes
  (Daniel Neus, 2016-01-04; 8 files, -14/+14)
  fix PVS-Studio performance warnings

* Add extended master secret extension (RFC 7627) to TLS
  (Jack Lloyd, 2016-01-03; 10 files, -12/+118)
  Interop tested with mbed TLS

* Merge pull request #378 from neusdan/warning_fixes
  (Jack Lloyd, 2015-12-26; 1 file, -1/+1)
  Some trivial compiler and PVS-Studio warning fixes

  * some trivial compiler/PVS-Studio warning fixes
    (Daniel Neus, 2015-12-22; 1 file, -1/+1)

* Fix a few clang warnings. Set clang sanitizer flags
  (Jack Lloyd, 2015-12-24; 1 file, -1/+1)

* Remove debug printf
  (Jack Lloyd, 2015-12-21; 1 file, -1/+0)
* Remove all remaining uses of throwing a std:: exception directly
  (Jack Lloyd, 2015-12-19; 1 file, -1/+1)
  See GH #340 and 6b9a3a5 for background

* CLI rewrite
  (Jack Lloyd, 2015-12-19; 1 file, -2/+0)
  The command line tools' origin as a collection of examples and test programs glued together led to some unfortunate problems; lots of hardcoded values, missing parameters, and obsolete crypto.
  Adds a small library for writing command line programs of the sort needed here (cli.h), which cuts the length of many of the commands in half and makes commands more pleasant to write and extend.
  Generalizes a lot of the commands also, eg previously only signing/verification with DSA/SHA-1 was included!
  Removes the fuzzer entry point since that's fairly useless outside of an instrumented build.
  Removes the in-library API for benchmarking.

* Missing adds
  (Jack Lloyd, 2015-12-11; 3 files, -3/+0)

* Reroot the exception hierarchy into a toplevel Exception class
  (Jack Lloyd, 2015-12-11; 10 files, -19/+19)
  As the alternatives are unfortunate for applications trying to catch all library errors, and it seems deriving from std::runtime_error causes problems with MSVC DLLs (GH #340)
  Effectively reverts 2837e915d82e43

* Fix bug causing TLS client to sometimes reject DHE server kex
  (Jack Lloyd, 2015-11-13; 2 files, -35/+16)
  Re-encoding the server key exchange meant that any leading zeros in the values for DHE (or SRP) would be stripped out. This would cause the signature check to fail.
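The failure mode in the commit above, as an added example that is not Botan's code. ServerDHParams (RFC 5246 7.4.3) carries p, g and Ys each as a 2-byte length followed by the value, and the server's signature covers client_random || server_random || params exactly as the server encoded them. A server that emits Ys with a leading zero byte is valid, but a client that parses the values into big integers and re-encodes them for verification drops that byte and checks the wrong bytes. The example keeps the received bytes alongside the parsed values; a plain FNV-1a digest stands in for the real signature so the block runs without a crypto library, and all function names are illustrative.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

struct ServerDHParams {
    std::vector<uint8_t> p, g, ys;
    std::vector<uint8_t> raw;  // the encoded params exactly as received
};

// Encode one length-prefixed value. minimal=true strips leading zeros,
// which is what a BigInt round trip does to a value the server padded.
static void put_opaque16(std::vector<uint8_t>& out, const std::vector<uint8_t>& v, bool minimal) {
    size_t start = 0;
    if (minimal) {
        while (start + 1 < v.size() && v[start] == 0) ++start;
    }
    const size_t len = v.size() - start;
    out.push_back(static_cast<uint8_t>(len >> 8));
    out.push_back(static_cast<uint8_t>(len & 0xFF));
    out.insert(out.end(), v.begin() + static_cast<std::ptrdiff_t>(start), v.end());
}

std::vector<uint8_t> encode_dh_params(const std::vector<uint8_t>& p,
                                      const std::vector<uint8_t>& g,
                                      const std::vector<uint8_t>& ys,
                                      bool minimal) {
    std::vector<uint8_t> out;
    put_opaque16(out, p, minimal);
    put_opaque16(out, g, minimal);
    put_opaque16(out, ys, minimal);
    return out;
}

// Parse ServerDHParams and keep a copy of the exact bytes consumed.
bool parse_dh_params(const std::vector<uint8_t>& in, ServerDHParams& out) {
    size_t pos = 0;
    auto get = [&](std::vector<uint8_t>& v) -> bool {
        if (in.size() - pos < 2) return false;
        const size_t len = (static_cast<size_t>(in[pos]) << 8) | in[pos + 1];
        pos += 2;
        if (in.size() - pos < len) return false;
        v.assign(in.begin() + static_cast<std::ptrdiff_t>(pos),
                 in.begin() + static_cast<std::ptrdiff_t>(pos + len));
        pos += len;
        return true;
    };
    if (!get(out.p) || !get(out.g) || !get(out.ys)) return false;
    out.raw.assign(in.begin(), in.begin() + static_cast<std::ptrdiff_t>(pos));
    return true;
}

// Stand-in for the real signature: FNV-1a over the to-be-signed bytes.
static uint64_t fnv1a(const std::vector<uint8_t>& data) {
    uint64_t h = 1469598103934665603ULL;
    for (uint8_t b : data) { h ^= b; h *= 1099511628211ULL; }
    return h;
}

uint64_t sign_kex(const std::vector<uint8_t>& client_random,
                  const std::vector<uint8_t>& server_random,
                  const std::vector<uint8_t>& params) {
    std::vector<uint8_t> tbs(client_random);
    tbs.insert(tbs.end(), server_random.begin(), server_random.end());
    tbs.insert(tbs.end(), params.begin(), params.end());
    return fnv1a(tbs);
}

// Correct: verify over the bytes the server actually sent.
bool verify_kex_over_received(const ServerDHParams& dh,
                              const std::vector<uint8_t>& cr,
                              const std::vector<uint8_t>& sr,
                              uint64_t sig) {
    return sign_kex(cr, sr, dh.raw) == sig;
}

// Buggy: re-encode the parsed values, losing any leading zero bytes.
bool verify_kex_after_reencode(const ServerDHParams& dh,
                               const std::vector<uint8_t>& cr,
                               const std::vector<uint8_t>& sr,
                               uint64_t sig) {
    return sign_kex(cr, sr, encode_dh_params(dh.p, dh.g, dh.ys, true)) == sig;
}
```

The same rule applies to any signed handshake structure: verify the signature over the received encoding, then validate the parsed values (group size, Ys in range) separately.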
* Add remove_all to TLS session manager interface
  (Jack Lloyd, 2015-11-13; 5 files, -44/+57)
  DB::spin now returns the number of rows affected

* Drop the DH group check to a weaker version of the checks
  (Jack Lloyd, 2015-11-13; 1 file, -2/+3)
  since the primality tests are expensive in CPU time.

* Add TLS_PSK tests
  (Jack Lloyd, 2015-11-13; 3 files, -14/+5)
  Fix a bug which rejected any short server key exchanges. These can occur with a plain PSK with short or empty identity hints.
  Disable SHA-224 by default.
  Remove some vestigial RC4 cruft.
  Push more on the TLS corruption tests.

* Add check for path validation result in Credentials_Manager. GH #324
  (Jack Lloyd, 2015-11-04; 1 file, -5/+8)

* Merge pull request #314 from randombit/ct-tls-cbc-padding
  (Jack Lloyd, 2015-10-26; 17 files, -190/+382)
  TLS improvements

  * Asan fix - referencing &vec[vec.size()] instead of vec.end()
    (Jack Lloyd, 2015-10-26; 1 file, -22/+3)
    Convert to a const time algo

  * TLS improvements
    (Jack Lloyd, 2015-10-25; 16 files, -168/+379)
    Use constant time operations when checking CBC padding in TLS decryption
    Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes from working: on decode the session id and hello cookie would be swapped, causing confusion between client and server.
    Various changes in the service of finding the above DTLS bug that should have been done before now anyway - better control of handshake timeouts (via TLS::Policy), better reporting of handshake state in the case of an error, and finally expose the facility for per-message application callbacks.
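A constant-time TLS CBC padding check of the kind the merged branch above describes, as an added example that is not Botan's code. TLS CBC padding (RFC 5246 6.2.3.2) is a length byte N preceded by N bytes that all equal N, so a valid record ends in N+1 identical bytes. The check below always scans the last min(256, record length) bytes, decides for each byte whether it lies inside the padding with a mask, and returns the number of bytes to strip masked by the overall result, so neither the pad length nor the position of a bad byte changes the control flow. Only the padding step is shown; equalising the MAC computation over the remaining bytes (the Lucky 13 half of the problem) is a separate step not covered here. Helper names are illustrative and the length arithmetic assumes values below 2^63.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// 0xFF if x == 0, else 0x00, with no data-dependent branch.
static uint8_t ct_is_zero_u8(uint8_t x) {
    return static_cast<uint8_t>((static_cast<uint32_t>(x) - 1u) >> 8);
}

static uint8_t ct_eq_u8(uint8_t a, uint8_t b) {
    return ct_is_zero_u8(static_cast<uint8_t>(a ^ b));
}

// 0xFF if a <= b, else 0x00 (assumes a, b < 2^63 so the borrow lands in bit 63).
static uint8_t ct_lte_size(size_t a, size_t b) {
    const uint64_t diff = static_cast<uint64_t>(b) - static_cast<uint64_t>(a);
    const uint8_t gt = static_cast<uint8_t>(diff >> 63);
    return static_cast<uint8_t>(gt - 1u);
}

// `record` is the decrypted CBC content: plaintext || MAC || padding ||
// pad_len. Returns pad_len + 1 (the number of trailing bytes to strip) if
// the padding is well formed, else 0. The record length is public; the
// padding bytes and the pad length are secret and never branched on.
size_t check_tls_cbc_padding(const std::vector<uint8_t>& record) {
    const size_t rec_len = record.size();
    if (rec_len == 0) return 0;  // public length, safe to branch

    const uint8_t pad_byte = record[rec_len - 1];
    const size_t pad_len = static_cast<size_t>(pad_byte) + 1;

    // The padding (including its length byte) must fit in the record.
    uint8_t pad_ok = ct_lte_size(pad_len, rec_len);

    // pad_len is at most 256, so scanning the last 256 bytes (or the whole
    // record, if shorter) covers every possible padding position.
    const size_t window = rec_len < 256 ? rec_len : 256;
    for (size_t d = 1; d <= window; ++d) {
        // Byte at distance d from the end is padding iff d <= pad_len.
        const uint8_t in_pad = ct_lte_size(d, pad_len);
        const uint8_t eq = ct_eq_u8(record[rec_len - d], pad_byte);
        // Require equality only where in_pad is set; elsewhere accept anything.
        pad_ok &= static_cast<uint8_t>(eq | static_cast<uint8_t>(~in_pad));
    }

    // Expand the 0xFF/0x00 result to a full-width mask and apply it.
    const size_t mask = static_cast<size_t>(0) - static_cast<size_t>(pad_ok & 1u);
    return pad_len & mask;
}
```

When the check fails the caller should still run the MAC over a fixed amount of data and then emit a single generic alert (bad_record_mac), so that padding and MAC failures are indistinguishable on the wire as well as in timing.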
* Fix cert validation bugs found by x509test.
  (Jack Lloyd, 2015-10-23; 1 file, -7/+14)
  Add test suite with certs from x509test

* Remove use of lookup.h in favor of new T::create API.
  (Jack Lloyd, 2015-09-21; 5 files, -25/+14)

* Internal header cleanups
  (Jack Lloyd, 2015-09-19; 2 files, -2/+1)
  Only user-visible change is the removal of get_byte.h

* Move Credentials_Manager to TLS
  (Jack Lloyd, 2015-08-29; 3 files, -1/+325)

* Avoid a crash in the TLS server if the client sends ALPN but no next protocol handler was specified to the Server constructor. GH #252
  (Jack Lloyd, 2015-08-28; 1 file, -1/+1)

* Remove unused pkcs8 includes
  (Simon Warta, 2015-08-03; 1 file, -1/+0)
  Only botan-cli, botan-tests and the FFI module depend on PKCS8

* tls: Add missing overrides
  (Daniel Seither, 2015-07-30; 1 file, -30/+30)

* Silence some extra ';' warnings
  (Simon Warta, 2015-07-22; 1 file, -1/+1)

* Fix invalid iterator use in TLS client
  (Jack Lloyd, 2015-07-05; 1 file, -1/+1)

* More changes for use with debug STL
  (Simon Warta, 2015-06-30; 3 files, -6/+12)

* lib/tls: Convert &vec[0] to vec.data()
  (Simon Warta, 2015-06-23; 12 files, -44/+44)