| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
compiler warnings
|
|
|
|
|
|
| |
Only affects decoding of session ticket lifetimes.
GH #478
|
|
|
|
|
|
|
|
| |
OpenSSL sends an empty record before each new data record in TLS v1.0
to randomize the IV, as a countermeasure to the BEAST attack. Most
implementations use 1/(n-1) splitting for this instead.
Bug introduced with the const time changes in 1.11.23
|
| |
|
| |
|
|
|
|
|
| |
Performs content checks on the value (expected length, expected bytes)
and in constant time returns either the decrypted value or a random value.
|
|
|
|
|
|
|
|
|
| |
Remove support for weak ECC curves (anything under P-256) from TLS.
This includes secp256k1 since we don't take advantage of the special
form for any performance advantage; might as well use P-256.
The manual still mentioned that it was possible to use MD5 in
Policy::allowed_macs, but all HMAC-MD5 suites are already removed.
|
|
|
|
|
| |
Otherwise a MITM who can in real time break any supported ECC curve can
downgrade us.
|
|
|
|
|
|
| |
Add flags --policy, --print-certs, --tls1.0, --tls1.1, --tls1.2
Update todo
|
|
|
|
|
|
| |
Previously the signature hashes and algos info was used to set the v1.2
signature_algorithms extension, but if the counterparty ignored the
extension and sent something else, we wouldn't notice.
|
| |
|
|
|
|
| |
explicit.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Later checks on the record length in CCS and record handling already
rejected a zero length record but when reading an empty record,
readbuf.size() == TLS_HEADER_SIZE and so creating the pointer
byte* record_contents = &readbuf[TLS_HEADER_SIZE];
would trigger when running under (at least) GCC'S iterator debugging,
and likely other iterator checkers also.
Since no completely empty record is defined, reject it immediately at
the record layer.
Found by Juraj Somorovsky
Also correct DTLS record handling for large messages: a zero length or
too-long packet should be dropped rather than an exception being thrown.
|
|
|
|
|
|
|
|
| |
Remove SRP_SHA from the default policy, since normal applications do
not need it.
Removes nullptr initializers of unique_ptrs in the Server_Key_Exchange
constructor, that's the default unique_ptr already.
|
| |
|
|
|
|
|
| |
The signature of the alert callback remains unchanged to avoid
breaking applications, though now the buffer parameter is never set.
|
|
|
|
| |
Works around a libstdc++ bug when fuzzing with libFuzzer
|
|
|
|
|
|
|
| |
In some cases this can offer better optimization, via devirtualization.
And it lets the user know the class is not intended for derivation.
Some discussion in GH #402
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This avoids a scan over the entire 0 - 0xFFFF space which is mostly
empty, by instead keeping a second list in tls_suite_info which is
exactly the keys for which the switch statement has values.
This scan is only ever done once (when first needed) but removing it
is sufficient to increase AFL's throuhput by 4x since it goes through
a full startup on each test.
|
|
|
|
| |
fix PVS-Studio perfomance warnings
|
|
|
|
| |
Interop tested with mbed TLS
|
|\
| |
| | |
Some trivial compiler and PVS-Studio warning fixes
|
| | |
|
|/ |
|
| |
|
|
|
|
| |
See GH #340 and 6b9a3a5 for background
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The command line tools' origin as a collection of examples and test
programs glued together led to some unfortunate problems; lots of
hardcoded values, missing parameters, and obsolete crypto.
Adds a small library for writing command line programs of the sort
needed here (cli.h), which cuts the length of many of the commands in
half and makes commands more pleasant to write and extend.
Generalizes a lot of the commands also, eg previously only
signing/verification with DSA/SHA-1 was included!
Removes the fuzzer entry point since that's fairly useless outside of
an instrumented build.
Removes the in-library API for benchmarking.
|
| |
|
|
|
|
|
|
|
|
| |
As the alternatives are unfortunate for applications trying to catch
all library errors, and it seems deriving from std::runtime_error
causes problems with MSVC DLLs (GH #340)
Effectively reverts 2837e915d82e43
|
|
|
|
|
|
| |
Re-encoding the server key exchange meant that any leading zeros
in the values for DHE (or SRP) would be stripped out. This would
cause the signature check to fail.
|
|
|
|
| |
DB::spin now returns the number of rows affected
|
|
|
|
| |
since the primality tests are expensive in CPU time.
|
|
|
|
|
|
|
|
|
|
|
| |
Fix a bug which rejected any short server key exchanges. These can
occur with a plain PSK with short or empty identity hints.
Disable SHA-224 by default.
Remove some vestigal RC4 cruft.
Push more on the TLS corruption tests.
|
| |
|
|\
| |
| | |
TLS improvements
|
| |
| |
| |
| | |
Convert to a const time algo
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Use constant time operations when checking CBC padding in TLS decryption
Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes
from working: on decode the session id and hello cookie would be
swapped, causing confusion between client and server.
Various changes in the service of finding the above DTLS bug that
should have been done before now anyway - better control of handshake
timeouts (via TLS::Policy), better reporting of handshake state in the
case of an error, and finally expose the facility for per-message
application callbacks.
|
|/
|
|
| |
Add test suite with certs from x509test
|
| |
|
|
|
|
| |
Only user-visible change is the removal of get_byte.h
|
| |
|
|
|
|
| |
protocol handler was specified to the Server constructor. GH #252
|
|
|
|
| |
Only botan-cli, botan-tests and the FFI module depend on PKCS8
|
| |
|
| |
|
| |
|
| |
|
| |
|