aboutsummaryrefslogtreecommitdiffstats
path: root/src/tls/s_kex.cpp
Commit message (Collapse)AuthorAgeFilesLines
* Rename all the message source files to msg_lloyd2012-08-031-294/+0
|
* Combine Handshake_Writer and Handshake_Reader into Handshake_IO.lloyd2012-08-031-3/+3
| | | | | | | | This is mostly just a minor code savings for TLS, but it actually seems important for DTLS because getting a handshake message can be a trigger for retransmitting previously sent handshake messages in some circumstances. Having the reading and writing all in one layer makes it a bit easier to accomplish that.
* Add a class that handles writing handshake messages instead of pushinglloyd2012-07-161-2/+2
| | | | that task to Record_Writer. Needed for DTLS work.
* Changes to version handling in support of DTLS work.lloyd2012-07-121-1/+1
| | | | | | | | | | | | | | | Add a few 'feature tests' to Protocol_Version which helps avoid some explicit comparisons. Additionally, remove the relational comparisons, except for operator> which is still used in a few locations. TLS::Policy has changed and no longer has min_version. The new hook that replaces it is acceptable_protocol_version, which should return true if and only if we are willing to negotiate the version returned. This leads to a somewhat cleaner result and additionally allows one to do maybe interesting though mostly useless things like allowing TLS 1.0 or 1.2 but not 1.1. Fix the version sent in the (unused) DTLS hello verify message.
* The messages for assertion checks were done both ways, both "assertionlloyd2012-07-091-3/+3
| | | | | | X is true" and "assertion X is false". Convert all of them to the form "assertion X is true" thus making it clear what it is that we are attempting to assert by testing the expression provided.
* Make TLS::Channel::send non-virtual as neither Client nor Serverlloyd2012-06-181-1/+1
| | | | | | | | | | | | | | | | | | | needed to derive from it. Add a new overload of send taking a std::string for convenience (eg client.send("GET / HTTP/1.0\n\r")). Let Channel::renegotiatate's force_full_renegotiation argument default to false. Fix a bug where if we negotiated TLS v1.2 and our Policy was configured to only use MD5 we would send an empty allowed signatures which is maybe bogus or maybe just ambigious (RFC is unclear, though we reject in this case). To fix this, support putting MD5 in the signature algorithms extension, and then in choose_sig_format order first by our hash preference, and only allow hashes that are allowed by policy. Thus is a client claims to support both SHA-2 and MD5 we'll choose SHA-2 even if the client put MD5 first (some versions of GnuTLS ordered the list backwards due to a bug, so this is actually a useful behavior).
* Add assert_done checks here to help avoid interesting substitutionlloyd2012-06-051-0/+2
| | | | attacks and in general detect invalid messages.
* Replace 0 and NULL pointer constants with nullptr. Also fix an oldlloyd2012-05-181-2/+2
| | | | style cast in secmem.h
* Fairly huge update that replaces the old secmem types with std::vectorlloyd2012-05-181-6/+6
| | | | | | using a custom allocator. Currently our allocator just does new/delete with a memset before deletion, and the mmap and mlock allocators have been removed.
* Huge pile of post merge fixups, mtn really fucked that mergelloyd2012-04-251-6/+4
|
* propagate from branch 'net.randombit.botan.tls-state-machine' (head ↵lloyd2012-04-251-8/+67
|\ | | | | | | | | | | a4741cd07f50a9e1b29b0dd97c6fb8697c038ade) to branch 'net.randombit.botan.cxx11' (head 116e5ff139c07000be431e07d3472cc8f3919b91)
| * Finish up server side SRP support, a little ugly but it works.lloyd2012-04-061-17/+26
| | | | | | | | | | | | Add SRP hooks in the examples Fix next protocol support in the tls_server example.
| * Re-enable TLS (was disabled by trunk merge), and require the srp6 modulelloyd2012-04-051-2/+36
| | | | | | | | | | | | | | | | | | | | Initial outline of server side SRP support. Need to figure out how to transfer the v, b, B params from the server key exchange message to the client key exchange. The DH variants do this by passing a Private_Key via server_kex_key call, but wrapping SRP params in a Private_Key really doesn't feel right. Not sure what to do here. Possibly both SRP and DH should return a Key_Exchange_Material* that a client key exchange knows how to dynamic cast on.
| * Initial client-side support for SRP (finally!). Tested against OpenSSLlloyd2012-04-051-0/+14
| | | | | | | | | | 1.0.1, only the certificate versions tested currently as OpenSSL doesn't support anon SRP.
* | propagate from branch 'net.randombit.botan.tls-state-machine' (head ↵lloyd2012-03-301-1/+2
|\| | | | | | | | | | | 63b88a65b699c95ef839bc18336bceccfbfabd2e) to branch 'net.randombit.botan.cxx11' (head 1adcc46808b403b8f6bf1669f022e65f9c30e8ea)
| * Move the handshake serialization code to Record_Writerlloyd2012-03-031-1/+2
| |
* | Merge fixups. Add locking to default session manager. Use chrono liblloyd2012-02-201-3/+3
| | | | | | | | and unique_ptr.
* | propagate from branch 'net.randombit.botan.tls-state-machine' (head ↵lloyd2012-02-201-1/+1
|/ | | | | | 0ceb9cde62a2b3614901ae85a53546d9fc641326) to branch 'net.randombit.botan.cxx11' (head 777e65950ef3706a82e5df20dcca7fcc999ca533)
* Change naming convention to match RFCslloyd2012-01-271-6/+6
|
* Server side PSKlloyd2012-01-271-7/+17
|
* Working though somewhat clumsy DHE_PSK and ECDHE_PSK. Tested against GnuTLSlloyd2012-01-271-8/+15
|
* Add client-side support for PSK kex. Tested against OpenSSL.lloyd2012-01-271-3/+7
|
* Make Alert a first class object ala Version. Move the alert codes intolloyd2012-01-261-1/+1
| | | | the Alert class for namespacing.
* Deleting the return of private_key_for in the TLS server forces thelloyd2012-01-261-2/+0
| | | | | | | | | | | | | credentials server to return a new copy each time which is slow and mostly pointless. Instead, specify that the key remains owned by the credentials manager. This is theoretically an issue if you have thousands of keys to manage; the credentials server doesn't actually know when they have gone out of scope until its destructor runs. So it could be forced to use a lot of memory in the meantime. I'm not sure that this is a case worth optimizing for, at least until someone comes along who actually has this as a problem.
* Move all key exchange mechanism code (eg DH/ECDH/SRP) out of thelloyd2012-01-251-33/+72
| | | | | server handshake flow and into the server and client key exchange message types. It already was hidden from the client handshake code.
* Working ECDH key exchange. Only tested on client side but seems goodlloyd2012-01-241-6/+47
| | | | | | | there. Only named curves supported, likely won't ever support explicit curves cause that's just asking for problems.
* Don't assume the server key exchange consists of a series of BigInts.lloyd2012-01-241-24/+15
| | | | | | That happens to be true for DH and export RSA key exchanges but isn't true for ECDH or SRP. (It's almost true for SRP, but if the salt had a leading zero byte it would be lost in the conversion).
* Make the version number a proper class, makes many things much easierlloyd2012-01-231-2/+2
| | | | for such a minor change.
* Since this branch is hugely API breaking already, go ahead and putlloyd2012-01-231-2/+6
| | | | | everything into a new namespace (Botan::TLS), removing the TLS_ prefixes on everything.
* Remove the key() method on server key exchange - instead leave it tolloyd2012-01-231-11/+0
| | | | | the client key exchange object to interpret the message on the basis of the chosen ciphersuite.
* When generating a signature in TLS 1.2, respect the request of thelloyd2012-01-201-1/+1
| | | | | | | | | | | | | counterparty by using the highest preference hash they have available for the signature type we are generating. This does mean we will do stupid things, if the counterparty is stupid (for instance some versions of GnuTLS will prefer SHA-1 over the SHA-2s - likely someone misread the spec and ordered the list backwards). But because we filter out MD5 we'll never use that; even in the worst case, if someone requests only MD5, we'll skip over it and use SHA-1 as the fallback algorithm. Theoretically this is against the spec because we "MUST" send something compatible, but seriously, fuck em. Right in the eye.
* Somewhat contorted, but fixes the issue with sending hash/sig ids withlloyd2012-01-201-1/+1
| | | | older versions.
* TLS_Ciphersuite_Algos was just a strange level of indirection betweenlloyd2012-01-201-31/+26
| | | | | | | | the ciphersuite code and a set of strings specifying the underlying suite algorithms. Remove it entirely. Some things are likely broken. One I know about is that we always send the hash/signature type indicator but should only do so for TLS >= 1.2
* Many fixes for TLS 1.2 though some things in particular client authlloyd2012-01-201-17/+3
| | | | | | remain broken. New interface for querying the TLS extensions, much cleaner.
* Various and sundry bug fixeslloyd2012-01-191-2/+20
|
* Kinda maybe working TLS 1.2 for clients. Not well tested at all, but alloyd2012-01-191-24/+34
| | | | | | | | basic connection with a GnuTLS server does work. Currently we don't respect the signature_algorithms extension at all, and using SHA-256 with a 12-byte finished value is hardcoded though the spec is that it can depend on the ciphersuite (likely relevant for GOST ciphersuites in particular).
* Remove Handshake_Message::deserialize which was an unnecessary hook.lloyd2012-01-191-1/+1
| | | | | | Instead deserialize directly in the constructors that are passed the raw message data. This makes it easier to pass contextual information needed for decoding (eg, version numbers) where necessary.
* I'm not sure if I like this asthetically, but passing around thelloyd2012-01-191-58/+19
| | | | | | | | | | | | | | | | | | entire handshake state in many cases makes things simpler to update, in that each message type already knows what it needs depending on the version, params, etc, and this way a) that knowledge doesn't need to percolate up the the actual client and server handshake code and b) each message type can be updated for new formats/version without having to change its callers. Downside is it hides the dependency information away, and makes it non-obvious what needs to be created beforehand for each message to work correctly. However this is (almost) entirely predicated on the handshake message flows, and these we control with the next expected message scheme, so this should be fairly safe to do. This checkin only updates the ones where it was immediately relevant but for consistency probably all of them should be updated in the same way.
* Clean up the ordering of constructor args to the various message typeslloyd2011-12-291-4/+4
|
* Fixes for DSA authlloyd2011-12-281-1/+1
|
* Working though hacking client verify (server side only). Only supportslloyd2011-12-281-2/+3
| | | | | TLS 1.0/1.1, SSLv3 uses a different hash format. Only RSA certs tested so far.
* Initial hooks for session resumptionlloyd2011-12-231-6/+6
|
* Rename ssl module to tlslloyd2011-12-231-0/+180