aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls
Commit message (Collapse)AuthorAgeFilesLines
* Accept PKCS1v15 as an alias for EMSA3Jack Lloyd2018-08-021-2/+2
| | | | Not sure why it didn't have this already
* Correct Doxygen errorsJack Lloyd2018-07-021-2/+2
|
* TLS would try to negotiate x25519 even if disabledJack Lloyd2018-06-151-2/+6
| | | | | | | | Also reorder ECC groups to actually match performance characteristics. I'm not sure when P-384 was slower than P-521 but it certainly isn't anymore. Fixes #1607
* Add 192-bit Suite B policyJack Lloyd2018-06-141-0/+36
| | | | Since 128-bit policy is actually not even allowed since 2015.
* Add message to BOTAN_ARG_CHECK and use it more widelyJack Lloyd2018-05-131-0/+1
|
* Slight refactoring to avoid GCC signed overflow warnings. [ci skip]Jack Lloyd2018-05-081-4/+4
| | | | Couldn't occur since length is 24 bits but GCC couldn't figure that out.
* Fix some warnings new in GCC 8.1Jack Lloyd2018-05-076-43/+49
| | | | | It thinks the typedefs are "locals" that are being conflicted with, which seems wrong to me but whatever.
* Use bad_record_mac instead of decode_error for short TLS packetsJack Lloyd2018-04-161-1/+8
| | | | | Decode error seems more appropriate but it confuses some automated tools including older versions of TLS-Attacker.
* Fix bug that broke session decryption (and thus resumption)Jack Lloyd2018-04-091-1/+1
| | | | Introduced in 3657639ab. Add a test that would have caught this
* Fix off by one when decoding TLS-CBC ciphertextsJack Lloyd2018-04-093-27/+30
|
* Fix interop bug in TLS serverJack Lloyd2018-04-083-0/+33
| | | | | The connection would fail if the client advertised any signature algorithm we did not support (eg RSA/SHA-224)
* Add RAII versions of get_cipher_mode and get_aeadJack Lloyd2018-04-072-4/+3
| | | | See also #1526
* Export TLS::ExtensionJack Lloyd2018-03-311-1/+1
| | | | Needed to avoid UbSan issue
* Catch exceptions by reference not valueJack Lloyd2018-03-161-1/+1
| | | | Fixes a new warning in GCC 8
* Avoid std::bind in Channel::received_dataJack Lloyd2018-03-051-2/+1
| | | | | | Lambda works just as well here. GH #493
* Add missing overrides [ci skip]Jack Lloyd2018-02-191-1/+1
|
* Fix server use of EC point format extensionJack Lloyd2018-02-131-1/+1
| | | | | In the resumption case it would use that extension for any ECC ciphersuite, but is only allowed to do so if the client sent the extension.
* Remove house curve supportJack Lloyd2018-02-132-9/+0
|
* Add a test of TLS handshake with custom curve (secp112r1 in this case)Jack Lloyd2018-02-131-4/+21
|
* Add callback for decoding TLS group paramsJack Lloyd2018-02-134-3/+20
|
* Remove cruftJack Lloyd2018-02-134-114/+16
|
* Use enums for TLS key exchange group paramsJack Lloyd2018-02-1312-224/+246
|
* Use shared representation of EC_GroupJack Lloyd2018-01-311-1/+1
| | | | Hide CurveGFp with an eye for eventual removal
* Move generic TLS tests to test_tls.cppJack Lloyd2018-01-282-5/+7
| | | | | | Leaves unit_tls.cpp for the handshake level tests. Add some basic tests of the string<->enum conversions in tls_algos.h
* Reorder signature scheme listJack Lloyd2018-01-281-12/+20
| | | | Now PSS shows up first and we negotiate it by default ;)
* Use enums to represent TLS signature and kex algorithms.Jack Lloyd2018-01-2822-716/+1144
| | | | Adds support for PSS signatures (currently verifying only).
* Avoid resuming a session if policy doesn't allow itJack Lloyd2018-01-282-3/+4
| | | | Previously if the policy changed we'd continue to resume. #1431
* For TLS client auth add callback giving list of trusted CA namesJack Lloyd2018-01-274-5/+40
| | | | Fixes #1261
* Fix a few warningsJack Lloyd2018-01-271-2/+2
|
* Make it possible to test custom extensionsJack Lloyd2018-01-273-13/+59
|
* Add an examine callback alsoJack Lloyd2018-01-277-11/+45
|
* Add ability for application to control which TLS extensions are usedJack Lloyd2018-01-279-1/+56
| | | | GH #1186
* Remove vestigial support for TLS compressionJack Lloyd2018-01-2111-118/+60
| | | | | It was never supported and never will be. Removing negotiation entirely simplifies the code a bit.
* Avoid saving a resumed session multiple timesJack Lloyd2017-12-071-1/+3
|
* Handle #1303 on the server sideJack Lloyd2017-12-071-1/+13
|
* On resuming a client session, save the certificates that were used.Jack Lloyd2017-12-073-3/+17
| | | | GH #1303
* Fix formatting in TLS server code [ci skip]Jack Lloyd2017-12-071-193/+179
|
* Add copyright statements to files modified in the preceding 2 commitsHarry Reimann2017-12-0413-0/+13
|
* Move TLS signature and key exchange code into callbacksHarry Reimann2017-12-047-96/+237
| | | | | | | Give applications using an external crypto device for signature generation and/or verification and/or (ec)dh key exchange while establishing a TLS session hooks to implement the corresponding functionality.
* Make support for certificate status messages optional via policyHarry Reimann2017-12-046-10/+40
| | | | | | | | Don't postpone the verification of a server certificate if certificate status messages are not expected in client handshake. When using an external crypto device it may be necessary to verify the certificate before using the public key for verification of the signature in the server key exchange message.
* Merge GH #1316 Various TLS fixesJack Lloyd2017-11-284-9/+24
|\
| * Add an explicit catch for a server trying to negotiate SSLv3Jack Lloyd2017-11-281-1/+7
| | | | | | | | | | | | | | This was already caught with the policy check later but it's better to be explicit. (And in theory an application might implement their policy version check to be "return true", which would lead to us actually attempting to negotiate SSLv3).
| * Correct version selection logic in TLS serverJack Lloyd2017-11-281-0/+5
| | | | | | | | | | | | | | | | | | | | | | Due to an oversight in the logic, previously a client attempt to negotiate SSLv3 would result in the server trying to negotiate TLS v1.2. Now instead they get a protocol_error alert. Similarly, detect the the (invalid) case of a major number <= 2, which does not coorespond to any real TLS version. The server would again reply as a TLS v1.2 server in that case, and now just closes the connection with an alert.
| * Tighten up checks on signature key exchange messageJack Lloyd2017-11-281-1/+1
| | | | | | | | An empty extension is not allowed, but was previously accepted.
| * Return correct alert type on malformed DH/ECDH messages.Jack Lloyd2017-11-281-7/+11
| | | | | | | | | | | | | | | | In the client key exchange if the message was malformed (eg an completely empty ECDH share) a Decoding_Error would be thrown, then caught and a fake pre master secret generated. Move the parsing of the message out of the try/catch block, so the correct error is reported.
* | Run TLS hello random fields through SHA-256Jack Lloyd2017-11-281-1/+7
|/ | | | Avoids exposing RNG output on the wire. Cheap precaution.
* Throw a Decoding_Error if TLS AEAD packet is shorter than the tag.Jack Lloyd2017-11-261-0/+3
| | | | | Otherwise this ended up as an assertion failure which translated to internal_error alert.
* Fix errors caught with tlsfuzzerJack Lloyd2017-11-263-10/+5
| | | | | | | | | | | Don't send EC point format extension in server hello unless an EC suite was negotiated *and* the client sent the extension. Fix server FFDHE logic, this effectively disabled DHE ciphersuites for clients without FFDHE extension. Use unexpected_message alert in case of an unexpected message. (Previously an internal_error alert was sent.)
* Add <functional> include to TLS headers which use std::functionJack Lloyd2017-11-142-0/+2
|
* Remove final on TLS policy objects (GH #1292)Jack Lloyd2017-11-131-4/+4
|