| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Add cookie support in Client_Hello.
|
| |
|
|
|
|
|
|
| |
This is mostly just a minor code savings for TLS, but it actually
seems important for DTLS because getting a handshake message can be a
trigger for retransmitting previously sent handshake messages in some
circumstances. Having the reading and writing all in one layer makes
it a bit easier to accomplish that.
|
| |
|
|
| |
that task to Record_Writer. Needed for DTLS work.
|
| |
|
|
|
|
|
|
| |
insufficient_security alert if the server tries to give us a DH group
smaller than that. Also check to make sure the key isn't obviously
bogus (<=1 || >= p-1), though as the key is purely ephemeral it
doesn't seem like a small subgroup attack would provide much advantage
anyway.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
needed to derive from it. Add a new overload of send taking a
std::string for convenience (eg client.send("GET / HTTP/1.0\n\r")).
Let Channel::renegotiatate's force_full_renegotiation argument default
to false.
Fix a bug where if we negotiated TLS v1.2 and our Policy was
configured to only use MD5 we would send an empty allowed signatures
which is maybe bogus or maybe just ambigious (RFC is unclear, though
we reject in this case). To fix this, support putting MD5 in the
signature algorithms extension, and then in choose_sig_format order
first by our hash preference, and only allow hashes that are allowed
by policy. Thus is a client claims to support both SHA-2 and MD5 we'll
choose SHA-2 even if the client put MD5 first (some versions of GnuTLS
ordered the list backwards due to a bug, so this is actually a useful
behavior).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
renegotiate using our currently negotiated version instead of our
preferred version. It turns out that neither OpenSSL nor GnuTLS like
clients changing the version between negotiations, both send a
protocol_version alert. So we probably want to avoid doing that.
On the server side, handle a client sending inconsistent versions as
best we can. If the client attmepts to renegotiate a session using a
later version, return a server hello with their original version (this
is what OpenSSL does). If they attempt to renegotiate using an earlier
version, send a fatal alert and close the connection, since this seems
like a dubious thing to do.
Also, fix the situation where we as a TLS v1.0 server (because of
configuration) are talking to a TLS v1.2 client. We would still use
their signature_algorithms extension and send a SHA-256 (or whatever)
signature!
|
| |
|
|
| |
style cast in secmem.h
|
| |
|
|
|
|
| |
using a custom allocator. Currently our allocator just does new/delete
with a memset before deletion, and the mmap and mlock allocators have
been removed.
|
| |
|
|
|
|
|
| |
renegotiation or not.
Save the hostname in the client so we can pull the session from the
session manager.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
the peer are automatically responded to. TLS::Channel::heartbeat can
initiate a new heartbeat if the peer allows it. Heartbeat replies are
passed back to the application processing function with an Alert value
of HEARTBEAT_PAYLOAD (a 'fake' value, 256, which is out of range of
the valid TLS alert space), along with the sent payload.
The RFC requires us to have no more than one heartbeat 'in flight' at
a time, ie without getting a response (or a timeout in the case of
DTLS). Currently we do not prevent an application from requesting
more.
|
| |
|
|
|
|
| |
Add SRP hooks in the examples
Fix next protocol support in the tls_server example.
|
| |
|
|
|
| |
1.0.1, only the certificate versions tested currently as OpenSSL
doesn't support anon SRP.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
seconds and report that value to the client in the NewSessionTicket
message. After that point, a session ticket is ignored and a full
renegotiation is forced.
Only send a new session ticket on a new session, or on a resumed
session where the client indicated it supports session tickets but for
whatever reason didn't send one in the hello. Perhaps in this case, we
should also remove the session from the session manager?
Clean up server selection of the ciphersuite a bit, all in an anon
function in tls_server instead of scattered over Server, Policy, and
Server_Hello.
Add Session::session_age and Session_Manager::session_lifetime
|
| |
|
|
|
|
|
|
|
|
|
| |
manager is being used, it could be easily used for session tickets as
well, and if it's not the generate-on-first-call technique is easy to
write.
Avoid offering the session ticket extension if we know we don't have a
key. For one thing it will cause us to avoid using stateful sessions,
but additionally OpenSSL 1.0.1 is very intolerant of empty
NewSessionTicket messages so definitely worth avoiding when we can.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
hello. Also include a full list of ciphersuites, ensuring that our
original session ciphersuite is in the list regardless of policy
(maybe it would be better to just not resume in that case, though?).
Otherwise, if the server doesn't remember our session (or the session
ticket key), it might not be capable of negotiating using the single
ciphersuite we sent due to lack of information (allowed curves was a
particular issue here). Including the full ciphersuite list also
allows for rengotiating the ciphersuite if, for instance, the session
can't be resumed because the server used to have an RSA cert but has
since replaced it with an ECDSA cert.
|
| |
|
|
| |
hard-coded key.
|
| | |
|
| |
|
|
|
| |
Use AES-256 so we don't encrypt session tickets with a weaker algo
than the ciphersuites.
|
| |\
| |
| |
| |
| |
| | |
c24b5d6b012131b177d38bddb8b06d73f81f70c4)
to branch 'net.randombit.botan.tls-session-ticket' (head 9977d4c118e1ac26425cef676ebf26cd5b2a470e)
|
| | |
| |
| |
| |
| |
| | |
Hide the handshake reader behind a function.
Add pieces for DTLS hello verify request message
|
| | |
| |
| |
| |
| |
| |
| |
| | |
quite differently).
Avoid using a queue for reading certificates.
Hide the version code in the handshake state with a getter and setter.
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| | |
server handshake flow and into the server and client key exchange
message types. It already was hidden from the client handshake code.
|
| | | |
|
| | |
| |
| |
| |
| | |
and will choose one depending on which ciphersuites the client
offered.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| | |
the values let policy specify them. Also choose an ECC curve for
server kex from the client hello. Choice is via policy, default
implementation is to choose the first curve the client supports out of
the server's preference list.
|
| | |
| |
| |
| |
| | |
avoid negotiating an ECDH key exchange if the client didn't send any
curves that we know about.
|
| | |
| |
| |
| |
| |
| |
| | |
there.
Only named curves supported, likely won't ever support explicit curves
cause that's just asking for problems.
|
| | |
| |
| |
| |
| |
| | |
That happens to be true for DH and export RSA key exchanges but isn't
true for ECDH or SRP. (It's almost true for SRP, but if the salt had a
leading zero byte it would be lost in the conversion).
|
| | |
| |
| |
| | |
for such a minor change.
|
| | |
| |
| |
| |
| | |
everything into a new namespace (Botan::TLS), removing the TLS_
prefixes on everything.
|
| | |
| |
| |
| |
| | |
the client key exchange object to interpret the message on the basis
of the chosen ciphersuite.
|
| | |
| |
| |
| |
| |
| |
| | |
directly (if it was sent), so that the client implementation doesn't
have to know what key exchange mechanisms we actually support.
Return a value in ECC curves extension serialization method.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
counterparty by using the highest preference hash they have available
for the signature type we are generating. This does mean we will do
stupid things, if the counterparty is stupid (for instance some
versions of GnuTLS will prefer SHA-1 over the SHA-2s - likely someone
misread the spec and ordered the list backwards). But because we
filter out MD5 we'll never use that; even in the worst case, if
someone requests only MD5, we'll skip over it and use SHA-1 as the
fallback algorithm. Theoretically this is against the spec because we
"MUST" send something compatible, but seriously, fuck em. Right in the
eye.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
policy. Only functional change here from before is we now send DSA
with SHA-2. This is fine, OpenSSL does it as well and while the spec
says to wait until NIST comes up with a way to prevent hash
impersonation, it doesn't really make sense to avoid possible hash
substitution attacks by using the weakest available hash...
|
| | |
| |
| |
| |
| |
| |
| |
| | |
the ciphersuite code and a set of strings specifying the underlying
suite algorithms. Remove it entirely.
Some things are likely broken. One I know about is that we always send
the hash/signature type indicator but should only do so for TLS >= 1.2
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
remain broken.
New interface for querying the TLS extensions, much cleaner.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
basic connection with a GnuTLS server does work. Currently we don't
respect the signature_algorithms extension at all, and using SHA-256
with a 12-byte finished value is hardcoded though the spec is that it
can depend on the ciphersuite (likely relevant for GOST ciphersuites
in particular).
|
| | |
| |
| |
| |
| |
| | |
Instead deserialize directly in the constructors that are passed the
raw message data. This makes it easier to pass contextual information
needed for decoding (eg, version numbers) where necessary.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
entire handshake state in many cases makes things simpler to update,
in that each message type already knows what it needs depending on the
version, params, etc, and this way a) that knowledge doesn't need to
percolate up the the actual client and server handshake code and b)
each message type can be updated for new formats/version without
having to change its callers. Downside is it hides the dependency
information away, and makes it non-obvious what needs to be created
beforehand for each message to work correctly. However this is
(almost) entirely predicated on the handshake message flows, and these
we control with the next expected message scheme, so this should be
fairly safe to do.
This checkin only updates the ones where it was immediately relevant
but for consistency probably all of them should be updated in the same
way.
|
| | |
| |
| |
| |
| |
| | |
Add getters for major and minor protocoll version on TLS_Session.
Add Certificate_Type code points for ECC certs.
|
| | | |
|
