| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
This class is exposed but the extension types aren't, so calls to
these functions from outside the library would not link.
|
|
|
|
| |
Since we don't end up signing anything in any case.
|
|
|
|
|
|
|
|
| |
Previously if the client did not send signature_algorithms, or if
it only included algos not in the policy, we would just fallback to
the hardcoded SHA-1 default of TLS v1.2
Instead check the policy before accepting anything.
|
| |
|
|
|
|
| |
Based on VC2017 output
|
|
|
|
|
|
| |
We poisoned the record before decrypting it, which caused failures
with Camellia ciphersuites (or AES, on platforms that use T-tables).
Instead poison it right after decrypting.
|
|
|
|
| |
From draft-ietf-tls-ecdhe-psk-aead-05, now with official codepoints.
|
|
|
|
|
| |
This var is only used when encoding so was never read from, but
leaving it uninitialized is bad news. Flagged by Coverity.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When renegotiating the client checks that the server hasn't
changed its mind about supporting the renegotiation extension
(this is a likely indicator of an attack).
However due to a typo the client was actually comparing the
value in the client hello of the first handshake against the
server hello in the renegotiation handshake. Since Botan always
sends the renegotiation extension, this would cause the check to
fail when renegotiating with an old server that doesn't support
the renegotiation extension.
Reported on mailing list by Falko Strenzke. Tested patch against
OpenSSL 0.9.8k
|
|
|
|
|
|
| |
This way, the library user can improve the class by adding missing functions
or some other tweak they may find useful. Without any access to m_kv this is
impossible.
|
| |
|
|
|
|
|
| |
just to verify the implementation works fine across platforms and
compilers
|
|
|
|
|
|
|
|
|
| |
* fixes for deprecated constructions in c++11 and later (explicit rule of 3/5 or implicit rule of 0 and other violations)
* `default` specifier instead of `{}` in some places(probably all)
* removal of unreachable code (for example `return` after `throw`)
* removal of compilation unit only visible, but not used functions
* fix for `throw()` specifier - used instead `BOTAN_NOEXCEPT`
* removed not needed semicolons
|
| |
|
|
|
|
| |
Sun CC for whatever reason becomes very confused by this.
|
|\ |
|
| | |
|
|/
|
|
|
|
|
| |
Currently untested by TLS crosstalk tests because it is not
supported on the server side.
Exposes the rest of TLS message types to application.
|
|
|
|
|
| |
Moves BSI policy file to test data dir where it can be compared with
what the hardcoded class outputs.
|
|
|
|
|
|
| |
Clean up the ciphersuite generation script a bit.
[ci skip]
|
| |
|
|
|
|
|
|
|
| |
TLS::Callbacks::inspect_handshake_message() allows applications
to inspect all handshake messages, but this requires
access to the types in tls_messages.h. As a matter of fact,
this also exports tls_extensions.h as a public header.
|
|
|
|
|
|
| |
Renames a couple of functions for somewhat better name consistency,
eg make_u32bit becomes make_uint32. The old typedefs remain for now
since probably lots of application code uses them.
|
|
|
|
|
| |
Also use a const time comparison for the finished message, though
I don't see any real way of exploiting that timing channel.
|
|
|
|
| |
Reported by @neverhub in GH #758 found by libFuzzer
|
| |
|
|\ |
|
| | |
|
| | |
|
|/ |
|
|\
| |
| |
| |
| |
| | |
Splits up path validation into several sub-functions for easier testing
and creating customized validation code. Much improved OCSP handling
and OCSP tests.
|
| | |
|
| |
| |
| |
| | |
Also (unrelated) enable CECPQ1 in Strict_Policy
|
| |
| |
| |
| |
| |
| | |
Changes TLS callback API for cert verify to accept Policy&
Sets default signature strength to 110 to force RSA ~2048.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Primarily doc updates but also expose some more logic in PKIX namespace,
overall_status and merge_revocation_status. This allows calling more or less all
of the logic used by the monolitic x509_path_validate in any way needed by an
application.
Add Certificate_Store_In_Memory::add_crl variant taking shared_ptr
Add optional Certificate_Store_In_Memory* pointer to check_crl_online,
valid CRLs are saved there.
|
| | |
|
| |
| |
| |
| |
| |
| | |
It is the only function in C_M which is called on to process session-specific
(and adversarially provided) inputs, rather than passively returning some credential
which is typically not session specific.
|
| |
| |
| |
| | |
With RC4 removed, anything that is not AEAD is CBC
|
|/
|
|
| |
The lambda here wasn't really required.
|
|
|
|
|
|
| |
direct TLS CBC testing.
CLI TLS server now catches an exception if an invalid connection is received (Otherwise, the server always stopped working)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Moves x25519 to the front for best by-default side channel resistance,
and orders remaining NIST/BP curves by performance rather than size.
That means putting P-521 before P-384, since P-521 is much faster at
least in Botan (due to much simpler modular reduction for P-521 prime),
and Brainpools to the end due to being quite slow (no fast reductions).
All of the supported curves seem strong enough, and if someone can break
P-256 they can probably break P-384 as well so there doesn't seem much
advantage in preferring slower curves by default.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tested against BoringSSL (as client + server) and google.com (as client).
Fix a stupid crashing bug in NewHope's BoringSSL mode.
Remove unneeded error return from curve25519_donna - always returned 0.
Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which
means the default no-extra-configuration ciphersuite (for Botan client speaking
to Botan server) is a ciphersuite which is both implemented in constant time
on all platforms and (hopefully) provides post quantum security. Good Things.
|
|
|
|
|
|
|
|
| |
Several sites including oracle.com seem to send extension 11
(point format) even if we (the client) did not send it. Then the
handshake fails. To workaround this problem, simply always send this
extension as the client, instead of only sending it if we wished to
support compressed points.
|
|
|
|
|
|
| |
The current session established cb happens before the session is
activated, so it is not possible to send application data in
response to the connection being made.
|
|
|
|
|
|
|
|
|
|
| |
Add Public_Key::key_length usable for policy checking (as in
TLS::Policy::check_peer_key_acceptable)
Remove Public_Key::max_input_bits because it didn't make much sense
for most algorithms actually.
Remove message_parts and message_part_size from PK_Ops
|
|
|
|
|
|
|
|
|
|
|
|
| |
See PR #552
- Add Cipher_Mode::reset() which resets just the message specific state and allows encrypting again under the existing key
- In Cipher_Mode::clear() (at some planes) use cipher->clear() instead of resetting the pointer which would make the cipher object unusable
- EAX_Decryption::output_length() bugfix?! Now its possible to decrypt an empty ciphertext (just a tag)
- Bugfix for GCM_Decryption::finish()
- set tag length in GCM_Mode::name()
- Cipher_Mode tests: add tests for reset()and process()
- AEAD_Mode tests: add tests for reset(), clear(), update() and process()
|
|
|
|
|
|
| |
One additional, application-specific curve can be added
at compile time, using the new
configure.py --house-curve=curve.pem,funky311,1.2.3.4,FEFF.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Disables static RSA by default. The advantage here is twofold: enforcing forward
security and protecting TLS servers from oracle attacks since by default they
will never negotiate a suite which forces them to act as a decryption
oracle. Some applications/users may be forced to enable RSA in order to speak
with old or misconfigured peers, but these can be the exception not the default.
Disable DSA and CCM-8 by default: if you need to enable these things, you know it.
Adds TLS policy hooks to enforce DSA key sizes, default 2048 bits.
Remove an incorrect warning about DTLS in the manual; the sequence number window
check prevents this scenario from occuring.
|
|
|
|
|
| |
Not currently called but leaves us the opening to use them in the future
without breaking ABI.
|