| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Test assumed EME was always there and would fail. This caused
failures with BSI policy which disables PKCS1v1.5
|
| | |
|
| |\ |
|
| | |
| |
| |
| | |
Remove bogus includes for TLS tests
|
| | | |
|
| | |
| |
| |
| |
| | |
This is lame but I still cannot repro and random CI failures suck.
Eventually I will fix the API.
|
| | |
| |
| |
| |
| | |
Previously it created a new AutoSeeded_RNG in each function, sometimes
without even using it.
|
| |\ \
| |/
|/| |
|
| | | |
|
| | |
| |
| |
| | |
Some fixes for missing system_rng in ECIES and tests.
|
| | |
| |
| |
| | |
Document that create_*_op is public but not for public consumption.
|
| | |
| |
| |
| |
| |
| |
| | |
Verification is deterministic and public, so really no RNG is ever needed.
Change provider handling - accepts "base", "openssl", or empty, otherwise
throws a Provider_Not_Found exception.
|
| |/
|
|
|
|
|
|
| |
Instead the key types exposes operations like `create_encryption_op`
which will return the relevant operation if the algorithm supports it.
Changes pubkey.h interface, now RNG is passed at init time.
Blinder previous created its own RNG, now it takes it from app.
|
| |
|
|
|
| |
Now record layer only deals with an AEAD, and the weird complications
of CBC modes mostly hidden in tls_cbc.cpp
|
| |\ |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| |/ |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TLS message parsing:
- CertificateVerify
- HelloVerify
- ClientHello (with extensions)
- ServerHello (with extensions)
- NewSessionTicket
- Alert
TLS message processing:
- HelloVerify
TLS Policy tests
Unit tests with TLS client authentication
Added test_throws method that checks the correct exception message.
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Self-issued certificates are certificates where subject_dn == issuer_dn,
but the signature is from a different key (ca key). Chains with such a
certificate could not be verified, because self-issued certificates
(1) would be taken for a self-signed certificate and
(2) find_issuing_cert() would find the same self-issued certificate
that we want to verify, generating a signature error during signature
verification.
To fix, we now first identify a certificate as self-signed only if
subject_dn == issuer_dn AND if we can verify the cert signature
with it's own key. Verification will bring some extra costs, but we
only do it once, in X509_Certificate's constructor. Second, we make
sure find_issuing_cert() does not return the very same certificate
we want to verify. This should be no problem, since path validation
currently does not seem to support validating a self-signed certificate.
|
| | |
| |
| |
| | |
When adding these to the .vec file, some unnecessary spaces were included.
|
| |/
|
|
|
|
| |
Mostly unused args and missing override notations.
Fix DH - load_check calls were commented out for debugging.
|
| | |
|
| |
|
|
|
| |
For block ciphers, stream ciphers, hashes, MACs, and cipher modes.
Cipher_Mode already had it, with a slightly different usage.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Self-generated vectors, just a basic smoke test right now.
|
| |\ |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Provides conjectured 200-bit security against a quantum attacker.
Based on the public domain reference implementation at
https://github.com/tpoeppelmann/newhope and bit-for-bit
compatible with that version.
Test vectors generated by the reference testvector.c
|
| | | |
|
| |\ \ |
|
| | | |
| | |
| | |
| | | |
But not any ChaCha20 tests due to no long test inputs. Add one.
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | | |
XTEA was also deprecated but has been spared, it does seem to be somewhat
common (eg, included in the Go x/crypto library)
|
| |/ /
| |
| |
| |
| |
| | |
If ommitted, assume an all zero input.
Remove some In = 0000... from test files.
|
| |\ \
| | |
| | |
| | | |
which recently landed on master.
|
| | |\ \
| | |/
| |/| |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Make TLS::Channel::m_callbacks a reference, so deriving from TLS::Callbacks works
Split out the compat (std::function) based interface to Compat_Callbacks.
This avoids the overhead of empty std::functions when using the virtual
interface, and ensures the virtual interface works since there is no
callback path that does not involve a vtable lookup.
Rename the TLS::Callback functions. Since the idea is that often an owning
class will pass *this as the callbacks argument, it is good to namespace
the virtual functions so as not to conflict with other names chosen by
the class. Specifically, prefixes all cb functions with tls_
Revert changes to use the old style alert callback (with no longer used data/len
params) so no API changes are required for old code. The new Callbacks interface
continues to just receive the alert code itself.
Switch to virtual function interface in CLI tls_client for testing.
Inline tls_server_handshake_state.h - only used in tls_server.cpp
Fix tests - test looked like it was creating a new client object but it
was not actually being used. And when enabled, it failed because the queues
were not being emptied in between. So, fix that.
|
| | | |
| | |
| | |
| | |
| | | |
- Removed proposed wrapper class to logically group TLS session
properties.
|
| | | |
| | |
| | |
| | |
| | | |
- Modified TLS & DTLS tests to use both, legacy constructor and new
virtual callback interface based constructors.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- extracted inner class TLS::Channel::Callbacks to stand-alone class
TLS::Callbacks.
- provided default implementations for TLS::Callbacks members executing
calls to std::function members for backward compatibility.
- applied changes to cli, tests and TLS::Channel related classes to be
compatible with new interface.
|
