aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls
Commit message (Collapse)AuthorAgeFilesLines
* Content:Tomasz Frydrych2017-04-0314-68/+60
| | | | | | | | | * fixes for deprecated constructions in c++11 and later (explicit rule of 3/5 or implicit rule of 0 and other violations) * `default` specifier instead of `{}` in some places(probably all) * removal of unreachable code (for example `return` after `throw`) * removal of compilation unit only visible, but not used functions * fix for `throw()` specifier - used instead `BOTAN_NOEXCEPT` * removed not needed semicolons
* Remove "Dirty hack" for multiple defines in lex_me_harder()Simon Warta2017-04-024-4/+12
|
* Add static_cast in uint8_t vs enum comparison.Jack Lloyd2017-01-281-2/+2
| | | | Sun CC for whatever reason becomes very confused by this.
* Merge GH #814 Avoid negotiating CECPQ1 if x25519 ECC is disabledJack Lloyd2017-01-061-0/+10
|\
| * Avoid negotiating CECPQ1 if x25519 ECC is disabledJack Lloyd2017-01-051-0/+10
| |
* | Add tests for certificate status messageJack Lloyd2017-01-041-8/+8
|/ | | | | | | Currently untested by TLS crosstalk tests because it is not supported on the server side. Exposes the rest of TLS message types to application.
* Increase default TLS DH min to 2048 bits, and add BSI policy class.Jack Lloyd2016-12-302-2/+56
| | | | | Moves BSI policy file to test data dir where it can be compared with what the hardcoded class outputs.
* Add CECPQ1 OCB ciphersuitesJack Lloyd2016-12-301-1/+3
| | | | | | Clean up the ciphersuite generation script a bit. [ci skip]
* Prohibit SHA256/SHA384 ciphersuites in TLS 1.0/1.1 (GH #496)Jack Lloyd2016-12-281-3/+10
|
* Export tls_messages.h as a public headerRené Korthaus2016-12-2320-30/+43
| | | | | | | TLS::Callbacks::inspect_handshake_message() allows applications to inspect all handshake messages, but this requires access to the types in tls_messages.h. As a matter of fact, this also exports tls_extensions.h as a public header.
* Convert to using standard uintN_t integer typesJack Lloyd2016-12-1855-880/+881
| | | | | | Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.
* Disable TLS signature and finished message checks in fuzzer modeJack Lloyd2016-12-173-3/+23
| | | | | Also use a const time comparison for the finished message, though I don't see any real way of exploiting that timing channel.
* Fix bad deref when ciphersuite value is larger than largest known idJack Lloyd2016-12-051-1/+1
| | | | Reported by @neverhub in GH #758 found by libFuzzer
* Add TLS::Policy::require_cert_revocation_infoJack Lloyd2016-11-283-1/+14
|
* Merge GH #738 Add OCSP stapling to TLS clientJack Lloyd2016-11-2812-44/+291
|\
| * Add OCSP stapling support to TLS clientJack Lloyd2016-11-2612-44/+291
| |
* | No reason to deprecate this (only internally called) constructorJack Lloyd2016-11-261-1/+2
| |
* | Add TLS::Policy::to_stringJack Lloyd2016-11-262-0/+13
|/
* Merge GH #653 OCSP and X.509 path validation refactorJack Lloyd2016-11-259-86/+149
|\ | | | | | | | | | | Splits up path validation into several sub-functions for easier testing and creating customized validation code. Much improved OCSP handling and OCSP tests.
| * Add missing Doxygen param [ci skip]Jack Lloyd2016-11-251-0/+2
| |
| * Add minimum_signature_strenght to Text_PolicyJack Lloyd2016-11-252-3/+9
| | | | | | | | Also (unrelated) enable CECPQ1 in Strict_Policy
| * Add TLS::Policy::minimum_signature_strengthJack Lloyd2016-11-256-5/+25
| | | | | | | | | | | | Changes TLS callback API for cert verify to accept Policy& Sets default signature strength to 110 to force RSA ~2048.
| * Address review comments from @cordneyJack Lloyd2016-11-251-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | Primarily doc updates but also expose some more logic in PKIX namespace, overall_status and merge_revocation_status. This allows calling more or less all of the logic used by the monolitic x509_path_validate in any way needed by an application. Add Certificate_Store_In_Memory::add_crl variant taking shared_ptr Add optional Certificate_Store_In_Memory* pointer to check_crl_online, valid CRLs are saved there.
| * Add the documented function for OCSP timeoutsJack Lloyd2016-11-232-3/+10
| |
| * Move TLS cert verification callback from Credentials_Manager to TLS::CallbacksJack Lloyd2016-11-237-83/+110
| | | | | | | | | | | | It is the only function in C_M which is called on to process session-specific (and adversarially provided) inputs, rather than passively returning some credential which is typically not session specific.
* | Simplify TLS::Ciphersuite::cbc_ciphersuiteJack Lloyd2016-11-251-3/+1
| | | | | | | | With RC4 removed, anything that is not AEAD is CBC
* | Simplify TLS::Handshake_Hash::updateJack Lloyd2016-11-251-9/+5
|/ | | | The lambda here wasn't really required.
* TLS CBC functionality now exposed to the library developer. Useful for ↵Juraj Somorovsky2016-11-191-1/+1
| | | | | | direct TLS CBC testing. CLI TLS server now catches an exception if an invalid connection is received (Otherwise, the server always stopped working)
* Order default TLS ECC curve preferences by performanceJack Lloyd2016-11-191-4/+6
| | | | | | | | | | | | Moves x25519 to the front for best by-default side channel resistance, and orders remaining NIST/BP curves by performance rather than size. That means putting P-521 before P-384, since P-521 is much faster at least in Botan (due to much simpler modular reduction for P-521 prime), and Brainpools to the end due to being quite slow (no fast reductions). All of the supported curves seem strong enough, and if someone can break P-256 they can probably break P-384 as well so there doesn't seem much advantage in preferring slower curves by default.
* Add CECPQ1 TLS ciphersuitesJack Lloyd2016-11-176-14/+92
| | | | | | | | | | | | | Tested against BoringSSL (as client + server) and google.com (as client). Fix a stupid crashing bug in NewHope's BoringSSL mode. Remove unneeded error return from curve25519_donna - always returned 0. Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which means the default no-extra-configuration ciphersuite (for Botan client speaking to Botan server) is a ciphersuite which is both implemented in constant time on all platforms and (hopefully) provides post quantum security. Good Things.
* Fix incompatability with (some) common TLS stackJack Lloyd2016-11-164-15/+26
| | | | | | | | Several sites including oracle.com seem to send extension 11 (point format) even if we (the client) did not send it. Then the handshake fails. To workaround this problem, simply always send this extension as the client, instead of only sending it if we wished to support compressed points.
* Add new TLS callback for when session is activatedJack Lloyd2016-11-162-0/+8
| | | | | | The current session established cb happens before the session is activated, so it is not possible to send application data in response to the connection being made.
* Pubkey cleanupsJack Lloyd2016-11-121-3/+1
| | | | | | | | | | Add Public_Key::key_length usable for policy checking (as in TLS::Policy::check_peer_key_acceptable) Remove Public_Key::max_input_bits because it didn't make much sense for most algorithms actually. Remove message_parts and message_part_size from PK_Ops
* Cipher_Mode and AEAD_Mode improvementsDaniel Neus2016-11-082-2/+13
| | | | | | | | | | | | See PR #552 - Add Cipher_Mode::reset() which resets just the message specific state and allows encrypting again under the existing key - In Cipher_Mode::clear() (at some planes) use cipher->clear() instead of resetting the pointer which would make the cipher object unusable - EAX_Decryption::output_length() bugfix?! Now its possible to decrypt an empty ciphertext (just a tag) - Bugfix for GCM_Decryption::finish() - set tag length in GCM_Mode::name() - Cipher_Mode tests: add tests for reset()and process() - AEAD_Mode tests: add tests for reset(), clear(), update() and process()
* Add an in-house EC curve for TLS at compile-timeRené Korthaus2016-11-031-0/+10
| | | | | | One additional, application-specific curve can be added at compile time, using the new configure.py --house-curve=curve.pem,funky311,1.2.3.4,FEFF.
* Simplify some code by using T::create_or_throwJack Lloyd2016-11-032-12/+3
|
* Change TLS default policy to disable DSA, CCM-8, and static RSAJack Lloyd2016-11-022-11/+32
| | | | | | | | | | | | | | | Disables static RSA by default. The advantage here is twofold: enforcing forward security and protecting TLS servers from oracle attacks since by default they will never negotiate a suite which forces them to act as a decryption oracle. Some applications/users may be forced to enable RSA in order to speak with old or misconfigured peers, but these can be the exception not the default. Disable DSA and CCM-8 by default: if you need to enable these things, you know it. Adds TLS policy hooks to enforce DSA key sizes, default 2048 bits. Remove an incorrect warning about DTLS in the manual; the sequence number window check prevents this scenario from occuring.
* Add TLS callbacks for debug and error logging.Jack Lloyd2016-10-281-2/+28
| | | | | Not currently called but leaves us the opening to use them in the future without breaking ABI.
* Fix TLS resumption bugsJack Lloyd2016-10-272-20/+27
| | | | | | | | | | | | | | | | | | | | | The client would attempt to resume a session, even if the session was for a version other than what it wanted to offer. If the server resumed with the original version, the client would then reject the 'incorrect' version. Instead, if the session is for a version other than what we want to offer, just start a fresh handshake. Fix resuming in the EtM case - even if the policy says otherwise, always resume EtM sessions as EtM. Servers are required to reject a MtE resumption on an EtM session. The new client hello already ordered extensions to prevent an empty extension from ever being last (working around a bug in some dumb stack somewhere), but this was not true for the resume case. Fix that. Beef up tests a bit - test ECDSA suites, alerts, and sqlite3 session db. Sharing the session state across all the tests is what tipped me off on the resumption bugs in the first place - as usual, what is not tested does not work correctly.
* Fixes for build without 25519Jack Lloyd2016-10-241-3/+3
|
* Merge GH #673 X25519 TLS key exchangeJack Lloyd2016-10-244-36/+92
|\
| * X25519 key exchange for TLSJack Lloyd2016-10-214-36/+92
| | | | | | | | | | Client interops with google.com, server not tested against an independent client yet.
* | Merge GH #675 Lucky13 countermeasuresJack Lloyd2016-10-242-0/+82
|\ \
| * | Final changes, now using the countermeasure from the Lucky 13 paper again ↵Juraj Somorovsky2016-10-231-36/+32
| | | | | | | | | | | | | | | | | | (or a countermeasure that is very similar to it). Timing differences in the test suite show at most 120 clock cycle difference (SHA-1/256/384).
| * | SHA384 countermeasure (not perfect, but makes the attack harder)Juraj Somorovsky2016-10-221-19/+27
| | |
| * | Lucky 13 patch for SHA-1 and SHA-256Juraj Somorovsky2016-10-162-0/+78
| | |
* | | Address some Coverity warningsJack Lloyd2016-10-221-7/+7
| |/ |/| | | | | Nothing exciting.
* | Tighten up TLS server handshake logic.Jack Lloyd2016-10-201-20/+15
| | | | | | | | | | | | | | | | | | Previously client was allowed to omit the Certificate message, a leftover from supporting SSLv3. In all versions of TLS, an empty message must be sent if the client does not want to use a cert. No known security impact, but nothing we need to allow anymore. Clean up the handshake switch a bit by using return statements.
* | Fix doxygen warnings [ci skip]René Korthaus2016-10-197-19/+25
| |
* | Improve tls doxygen [ci skip]René Korthaus2016-10-199-0/+99
| |