| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Sun CC for whatever reason becomes very confused by this.
|
|\ |
|
| | |
|
|/
|
|
|
|
|
| |
Currently untested by TLS crosstalk tests because it is not
supported on the server side.
Exposes the rest of TLS message types to application.
|
|
|
|
|
| |
Moves BSI policy file to test data dir where it can be compared with
what the hardcoded class outputs.
|
|
|
|
|
|
| |
Clean up the ciphersuite generation script a bit.
[ci skip]
|
| |
|
|
|
|
|
|
|
| |
TLS::Callbacks::inspect_handshake_message() allows applications
to inspect all handshake messages, but this requires
access to the types in tls_messages.h. As a matter of fact,
this also exports tls_extensions.h as a public header.
|
|
|
|
|
|
| |
Renames a couple of functions for somewhat better name consistency,
eg make_u32bit becomes make_uint32. The old typedefs remain for now
since probably lots of application code uses them.
|
|
|
|
|
| |
Also use a const time comparison for the finished message, though
I don't see any real way of exploiting that timing channel.
|
|
|
|
| |
Reported by @neverhub in GH #758 found by libFuzzer
|
| |
|
|\ |
|
| | |
|
| | |
|
|/ |
|
|\
| |
| |
| |
| |
| | |
Splits up path validation into several sub-functions for easier testing
and creating customized validation code. Much improved OCSP handling
and OCSP tests.
|
| | |
|
| |
| |
| |
| | |
Also (unrelated) enable CECPQ1 in Strict_Policy
|
| |
| |
| |
| |
| |
| | |
Changes TLS callback API for cert verify to accept Policy&
Sets default signature strength to 110 to force RSA ~2048.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Primarily doc updates but also expose some more logic in PKIX namespace,
overall_status and merge_revocation_status. This allows calling more or less all
of the logic used by the monolitic x509_path_validate in any way needed by an
application.
Add Certificate_Store_In_Memory::add_crl variant taking shared_ptr
Add optional Certificate_Store_In_Memory* pointer to check_crl_online,
valid CRLs are saved there.
|
| | |
|
| |
| |
| |
| |
| |
| | |
It is the only function in C_M which is called on to process session-specific
(and adversarially provided) inputs, rather than passively returning some credential
which is typically not session specific.
|
| |
| |
| |
| | |
With RC4 removed, anything that is not AEAD is CBC
|
|/
|
|
| |
The lambda here wasn't really required.
|
|
|
|
|
|
| |
direct TLS CBC testing.
CLI TLS server now catches an exception if an invalid connection is received (Otherwise, the server always stopped working)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Moves x25519 to the front for best by-default side channel resistance,
and orders remaining NIST/BP curves by performance rather than size.
That means putting P-521 before P-384, since P-521 is much faster at
least in Botan (due to much simpler modular reduction for P-521 prime),
and Brainpools to the end due to being quite slow (no fast reductions).
All of the supported curves seem strong enough, and if someone can break
P-256 they can probably break P-384 as well so there doesn't seem much
advantage in preferring slower curves by default.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tested against BoringSSL (as client + server) and google.com (as client).
Fix a stupid crashing bug in NewHope's BoringSSL mode.
Remove unneeded error return from curve25519_donna - always returned 0.
Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which
means the default no-extra-configuration ciphersuite (for Botan client speaking
to Botan server) is a ciphersuite which is both implemented in constant time
on all platforms and (hopefully) provides post quantum security. Good Things.
|
|
|
|
|
|
|
|
| |
Several sites including oracle.com seem to send extension 11
(point format) even if we (the client) did not send it. Then the
handshake fails. To workaround this problem, simply always send this
extension as the client, instead of only sending it if we wished to
support compressed points.
|
|
|
|
|
|
| |
The current session established cb happens before the session is
activated, so it is not possible to send application data in
response to the connection being made.
|
|
|
|
|
|
|
|
|
|
| |
Add Public_Key::key_length usable for policy checking (as in
TLS::Policy::check_peer_key_acceptable)
Remove Public_Key::max_input_bits because it didn't make much sense
for most algorithms actually.
Remove message_parts and message_part_size from PK_Ops
|
|
|
|
|
|
|
|
|
|
|
|
| |
See PR #552
- Add Cipher_Mode::reset() which resets just the message specific state and allows encrypting again under the existing key
- In Cipher_Mode::clear() (at some planes) use cipher->clear() instead of resetting the pointer which would make the cipher object unusable
- EAX_Decryption::output_length() bugfix?! Now its possible to decrypt an empty ciphertext (just a tag)
- Bugfix for GCM_Decryption::finish()
- set tag length in GCM_Mode::name()
- Cipher_Mode tests: add tests for reset()and process()
- AEAD_Mode tests: add tests for reset(), clear(), update() and process()
|
|
|
|
|
|
| |
One additional, application-specific curve can be added
at compile time, using the new
configure.py --house-curve=curve.pem,funky311,1.2.3.4,FEFF.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Disables static RSA by default. The advantage here is twofold: enforcing forward
security and protecting TLS servers from oracle attacks since by default they
will never negotiate a suite which forces them to act as a decryption
oracle. Some applications/users may be forced to enable RSA in order to speak
with old or misconfigured peers, but these can be the exception not the default.
Disable DSA and CCM-8 by default: if you need to enable these things, you know it.
Adds TLS policy hooks to enforce DSA key sizes, default 2048 bits.
Remove an incorrect warning about DTLS in the manual; the sequence number window
check prevents this scenario from occuring.
|
|
|
|
|
| |
Not currently called but leaves us the opening to use them in the future
without breaking ABI.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The client would attempt to resume a session, even if the session was
for a version other than what it wanted to offer. If the server
resumed with the original version, the client would then reject the
'incorrect' version. Instead, if the session is for a version other
than what we want to offer, just start a fresh handshake.
Fix resuming in the EtM case - even if the policy says otherwise,
always resume EtM sessions as EtM. Servers are required to reject a
MtE resumption on an EtM session.
The new client hello already ordered extensions to prevent an empty
extension from ever being last (working around a bug in some dumb
stack somewhere), but this was not true for the resume case. Fix that.
Beef up tests a bit - test ECDSA suites, alerts, and sqlite3 session db.
Sharing the session state across all the tests is what tipped me off
on the resumption bugs in the first place - as usual, what is not tested
does not work correctly.
|
| |
|
|\ |
|
| |
| |
| |
| |
| | |
Client interops with google.com, server not tested against an
independent client yet.
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | | |
(or a countermeasure that is very similar to it).
Timing differences in the test suite show at most 120 clock cycle difference (SHA-1/256/384).
|
| | | |
|
| | | |
|
| |/
|/|
| |
| | |
Nothing exciting.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously client was allowed to omit the Certificate message, a
leftover from supporting SSLv3. In all versions of TLS, an empty
message must be sent if the client does not want to use a cert.
No known security impact, but nothing we need to allow anymore.
Clean up the handshake switch a bit by using return statements.
|
| | |
|
| | |
|
| | |
|
| | |
|