path: root/src/tls/tls_channel.cpp
Commit message [Author, Date, Files, Lines]
* propagate from branch 'net.randombit.botan.tls-state-machine' (head a4741cd07f50a9e1b29b0dd97c6fb8697c038ade) to branch 'net.randombit.botan.cxx11' (head 116e5ff139c07000be431e07d3472cc8f3919b91)
  [lloyd, 2012-04-25, 1 file, -10/+48]
  * Add support for TLS heartbeats (RFC 6520). Heartbeat initiations from the peer are automatically responded to. TLS::Channel::heartbeat can initiate a new heartbeat if the peer allows it. Heartbeat replies are passed back to the application processing function with an Alert value of HEARTBEAT_PAYLOAD (a 'fake' value, 256, which is out of range of the valid TLS alert space), along with the sent payload. The RFC requires us to have no more than one heartbeat 'in flight' at a time, i.e. without getting a response (or a timeout in the case of DTLS). Currently we do not prevent an application from requesting more.
    [lloyd, 2012-04-16, 1 file, -6/+42]
* propagate from branch 'net.randombit.botan.tls-state-machine' (head 63b88a65b699c95ef839bc18336bceccfbfabd2e) to branch 'net.randombit.botan.cxx11' (head 1adcc46808b403b8f6bf1669f022e65f9c30e8ea)
  [lloyd, 2012-03-30, 1 file, -24/+13]
  * Add SecureQueue::empty. Hide the handshake reader behind a function. Add pieces for DTLS hello verify request message.
    [lloyd, 2012-03-07, 1 file, -5/+5]
  * Add an abstraction for reading handshake messages (as DTLS handles it quite differently). Avoid using a queue for reading certificates. Hide the version code in the handshake state with a getter and setter.
    [lloyd, 2012-03-05, 1 file, -24/+13]
* Merge fixups. Add locking to default session manager. Use chrono lib and unique_ptr.
  [lloyd, 2012-02-20, 1 file, -4/+4]
* Remove Alert::Level enum, replace with bool
  [lloyd, 2012-01-26, 1 file, -5/+5]
* Change callback interface to pass the Alert object itself instead of just the type code. Implement Alert::type_string
  [lloyd, 2012-01-26, 1 file, -3/+3]
* Make Alert a first class object ala Version. Move the alert codes into the Alert class for namespacing.
  [lloyd, 2012-01-26, 1 file, -20/+18]
* Convert Internal_Error exceptions into the corresponding alert.
  [lloyd, 2012-01-24, 1 file, -0/+5]
* Make the version number a proper class, makes many things much easier for such a minor change.
  [lloyd, 2012-01-23, 1 file, -3/+3]
* Since this branch is hugely API breaking already, go ahead and put everything into a new namespace (Botan::TLS), removing the TLS_ prefixes on everything.
  [lloyd, 2012-01-23, 1 file, -11/+15]
* I'm not sure if I like this aesthetically, but passing around the entire handshake state in many cases makes things simpler to update, in that each message type already knows what it needs depending on the version, params, etc, and this way a) that knowledge doesn't need to percolate up to the actual client and server handshake code and b) each message type can be updated for new formats/version without having to change its callers. Downside is it hides the dependency information away, and makes it non-obvious what needs to be created beforehand for each message to work correctly. However this is (almost) entirely predicated on the handshake message flows, and these we control with the next expected message scheme, so this should be fairly safe to do. This checkin only updates the ones where it was immediately relevant but for consistency probably all of them should be updated in the same way.
  [lloyd, 2012-01-19, 1 file, -1/+2]
* Rename queue_for_sending to just send
  [lloyd, 2012-01-16, 1 file, -3/+3]
* If we send the close notify alert, don't reset the reader because the counterparty might want to send us a matching close notify under the currently existing key state. New logic is if we send the alert our writer is reset (we will send nothing more), but leave the reader as is. The reader will then be reset if and when we get a close notify, or if the counterparty doesn't send one, we'll just end the connection normally. This will also deal with the case where there is some application data queued still in the recv buffer. Don't close in ~TLS_Channel: applications should do this explicitly when the application-level protocol is ended. Otherwise we'd send a close_notify upon, for instance, an uncaught exception unwinding the stack. Add an enum for the maximum size of any TLS ciphertext packet including header. Handy for apps. If we get a bad alert size, report the size we got.
  [lloyd, 2012-01-08, 1 file, -10/+16]
* The server would incorrectly send a server key exchange message when a pure RSA ciphersuite was negotiated. Detection of version rollback attacks with pure RSA ciphersuites was incorrect and would cause failures if the client supported a version we didn't (e.g. GnuTLS with TLS 1.2 enabled). Improve detection of SSLv2 client hellos. In particular, if a client that only supports SSLv2 connects, we will detect this case and send a protocol_version alert (which the SSLv2-only client will not understand, but a packet analyzer probably will) plus an exception with the message "Client claims to only support SSLv2, rejecting" instead of the previous much less helpful "Unknown record type" message. Remove vestigial support for RSA export ciphersuite key exchange.
  [lloyd, 2012-01-06, 1 file, -1/+2]
* Remove the version getter in TLS_Channel - caller should use the handshake callback info instead. Clean up the buffer consumption code in the record reader.
  [lloyd, 2012-01-06, 1 file, -7/+2]
* Make record reading faster (less copying, no queue at all), at the expense of significant complexity. Needs careful testing for corner cases and malicious inputs, but seems to work well with randomly chosen segmentations in a correctly formatted stream at least.
  [lloyd, 2012-01-05, 1 file, -10/+16]
* Add a hook in TLS_Channel that is called when an alert is received. Currently has the same behavior in client and server; if we got a NO_RENEGOTIATION alert, and we appear to be renegotiating, delete the state if it exists. Noticed when talking to OpenSSL 0.9.8g which rejects all renegotiation requests.
  [lloyd, 2012-01-04, 1 file, -2/+4]
* Compile fix
  [lloyd, 2012-01-04, 1 file, -1/+1]
* Remove the support for writing application data before the handshake completes. The client gets a callback when the handshake is complete so they can know exactly when it's OK to send.
  [lloyd, 2012-01-04, 1 file, -12/+3]
* As someone pointed out on the TLS list, NPN isn't really a negotiation per-se, it's a notification by the client. Rename accordingly.
  [lloyd, 2012-01-04, 1 file, -2/+2]
* Make handshake completion function non-optional. Now returns a bool specifying if the session should be saved to the session cache.
  [lloyd, 2012-01-03, 1 file, -1/+1]
* Rename the session type to 'TLS_Session'. Split the manager out into its own file. Rename tls_state to tls_handshake_state.
  [lloyd, 2011-12-30, 1 file, -2/+2]
* Add a function for getting the version number of an active connection. Add a new callback that is called with the session info when a handshake completes. Currently only called on the server side as the client doesn't have session resumption yet. Rename CipherSuite to TLS_Cipher_Suite.
  [lloyd, 2011-12-30, 1 file, -1/+10]
* Prevent ping-ponging of close alerts by tracking both if a handshake has been completed and if the connection has been definitely closed by a fatal alert or a close notify.
  [lloyd, 2011-12-30, 1 file, -13/+20]
* Full support for renegotiation including RFC 5746 extensions for client and server. Server side can handle SCSV values as well, client always sends the extension instead. Handle an empty SNI extension coming back from the server - this is used to indicate that it understood the name. Also add better checking for extensions by passing in what the supposed size of the extension is. Only send the secure negotiation extension in the server hello if the client indicated support for it.
  [lloyd, 2011-12-30, 1 file, -5/+40]
* Many renegotiation fixes. Add support for the secure renegotiation extension (client side only at the moment). Add an interface that allows applications to request renegotiation.
  [lloyd, 2011-12-30, 1 file, -2/+46]
* About half an implementation of RFC 5746
  [lloyd, 2011-12-29, 1 file, -1/+2]
* Don't buffer in the record writer at all - we immediately process and send out inputs as they are available. Thus, flushing is never required, and we avoid some unnecessary copying. If we are using a CBC mode cipher in SSLv3/TLSv1.0, send a 1-byte fragment to start to prevent the adaptive plaintext attack.
  [lloyd, 2011-12-28, 1 file, -2/+0]
* Working through hacking client verify (server side only). Only supports TLS 1.0/1.1, SSLv3 uses a different hash format. Only RSA certs tested so far.
  [lloyd, 2011-12-28, 1 file, -8/+16]
* We wouldn't send an alert before handshaking was complete because active == false, which made debugging hard and caused timeouts/hangs in clients if (for instance) a ciphersuite couldn't be negotiated. Always send alerts.
  [lloyd, 2011-12-28, 1 file, -7/+4]
* First rev of working session resumption (server side only). Only works with TLS at the moment, SessionKeys is a mess.
  [lloyd, 2011-12-27, 1 file, -1/+7]
* Initial hooks for session resumption
  [lloyd, 2011-12-23, 1 file, -5/+3]
* Centralize a lot of the handshaking and message parsing in TLS_Channel. Also delete the obsolete/never worked CMS examples.
  [lloyd, 2011-12-23, 1 file, -0/+188]