path: root/src/tls
Commit message [Author, Age, Files, Lines]

* In the in-memory session manager, choose a random key at startup and encrypt all of the sessions, decrypting before return. This minimizes load on the locked memory (48 bytes master secret per session, vs 32 bytes for a single master key). It might also make recovering session data from memory dumps a little bit harder though this isn't worth counting on IMO. [lloyd, 2012-08-05, 3 files, -10/+28]

* Remove Channel::read_handshake. Have the server set expected next msg in new_handshake_state. [lloyd, 2012-08-05, 4 files, -43/+15]

* If we're negotiating a datagram protocol, allow a hello verify message. Add client-side hello verify handling. [lloyd, 2012-08-03, 1 file, -2/+20]

* Take the initial record version from the Handshake_IO instance instead of hardcoding it to SSLv3. [lloyd, 2012-08-03, 5 files, -3/+24]

* Add Handshake_Hash::reset. Add cookie support in Client_Hello. [lloyd, 2012-08-03, 3 files, -3/+24]

* Add preliminary IO handler for datagram handshakes. Does not fragment outbound messages to MTU. Reassembly likely doesn't work, and is very vulnerable to DoS attacks. [lloyd, 2012-08-03, 2 files, -0/+184]

* Rename all the message source files to msg_ [lloyd, 2012-08-03, 11 files, -10/+10]

* Combine Handshake_Writer and Handshake_Reader into Handshake_IO. This is mostly just a minor code savings for TLS, but it actually seems important for DTLS because getting a handshake message can be a trigger for retransmitting previously sent handshake messages in some circumstances. Having the reading and writing all in one layer makes it a bit easier to accomplish that. [lloyd, 2012-08-03, 20 files, -245/+170]

* Move the code that pretends a CCS message is a handshake message from Channel to the handshake reader. [lloyd, 2012-08-02, 3 files, -40/+32]

* Use TLS v1.0 PRF unless the version supports a ciphersuite specific PRF [lloyd, 2012-08-02, 1 file, -4/+5]

* Add TLS::Protocol_Version::supports_ciphersuite_specific_prf [lloyd, 2012-08-02, 4 files, -14/+16]

* Fix DTLS HelloVerify message decoding [lloyd, 2012-08-02, 1 file, -3/+12]

* Rename activate to more descriptive change_cipher_spec [lloyd, 2012-07-29, 5 files, -28/+41]

* Use unique_ptr for handshake state, avoid lots of delete+nullptr assign [lloyd, 2012-07-29, 4 files, -48/+43]

* If we're going to reject an insecure renegotiation, do it immediately, even before parsing the client hello, since there is nothing the client can say in the hello that will change our mind about it. Call Policy::acceptable_protocol_version on the final negotiated version, not what the client offered! Clean up the server version choosing logic a bit. Add Protocol_Version::best_known_match which returns the 'best' version we know of matching a particular version. [lloyd, 2012-07-29, 3 files, -41/+63]

* Helper func for loading 24 bit value [lloyd, 2012-07-28, 1 file, -8/+15]

* Pass protocol to initiate_handshake [lloyd, 2012-07-28, 2 files, -5/+7]

* Combine client initial handshake and renegotiation in initiate_handshake. One behavioral change is we now send SNI on renegotiation hellos. This is probably harmless (?) and might be helpful for the server in finding the right certs. [lloyd, 2012-07-28, 2 files, -55/+39]

* Fix DTLS version string. Pass version to ciphersuite_list, avoid negotiating RC4 with DTLS. Disable ECC <= 192 bits. [lloyd, 2012-07-28, 5 files, -15/+27]

* Make Handshake_Writer non-copyable [lloyd, 2012-07-28, 1 file, -0/+6]

* Add format() hook to Handshake_Writer, so that Handshake_Hash does not need to know what the handshake format is. Remove unused functions from Handshake_Hash and store all handshake data as a plain std::vector, since as handshake information it is not sensitive. [lloyd, 2012-07-28, 6 files, -39/+34]

* Add helper for writing 24-bit integer [lloyd, 2012-07-16, 1 file, -2/+12]

* Add a class that handles writing handshake messages instead of pushing that task to Record_Writer. Needed for DTLS work. [lloyd, 2012-07-16, 24 files, -166/+248]

* Hook creating just the handshake reader vs the entire state [lloyd, 2012-07-12, 6 files, -12/+12]

* Add an optional parameter to TLS::Client specifying the port number. Pass this down into the session managers. Also document how to use session tickets with TLS servers. [lloyd, 2012-07-12, 6 files, -35/+62]

* Changes to version handling in support of DTLS work. Add a few 'feature tests' to Protocol_Version which help avoid some explicit comparisons. Additionally, remove the relational comparisons, except for operator> which is still used in a few locations. TLS::Policy has changed and no longer has min_version. The new hook that replaces it is acceptable_protocol_version, which should return true if and only if we are willing to negotiate the version returned. This leads to a somewhat cleaner result and additionally allows one to do maybe interesting though mostly useless things like allowing TLS 1.0 or 1.2 but not 1.1. Fix the version sent in the (unused) DTLS hello verify message. [lloyd, 2012-07-12, 16 files, -78/+114]

* Add deleted copy constructors/assignment operators where appropriate. Replace C++98 style private copy constructors/assignment ops with ones annotated with delete. [lloyd, 2012-07-10, 2 files, -0/+7]

* Add TLS::Channel::new_handshake_state which abstracts creating the handshaking state. [lloyd, 2012-07-09, 6 files, -11/+27]

* The messages for assertion checks were done both ways, both "assertion X is true" and "assertion X is false". Convert all of them to the form "assertion X is true" thus making it clear what it is that we are attempting to assert by testing the expression provided. [lloyd, 2012-07-09, 3 files, -5/+5]

* Doxygen comments [lloyd, 2012-07-06, 5 files, -6/+109]

* Correct Doxygen comments [lloyd, 2012-07-06, 2 files, -5/+5]

* Record_Writer needs a PRNG for the IV generation. Share the reference with the channel object instead of calling the global object. [lloyd, 2012-07-05, 6 files, -16/+22]

* Pull the TLS padding checks out to an anon function. [lloyd, 2012-07-05, 1 file, -32/+59]

* Split TLS::Policy::allowed_hashes into allowed_signature_hashes and allowed_macs. This allows someone to turn on MD5 for message auth, which is a little sketchy but probably OK, without also (likely unintentionally) enabling MD5 for TLS v1.2 signatures, which would be a big problem. Prioritize RC4 over 3DES in default policy. Disable ECC curves smaller than 224 bits by default. More updates to the TLS policy documentation. [lloyd, 2012-06-29, 8 files, -29/+41]

* Add TLS::Session_Manager_Noop which just ignores all save requests. Rename the sqlite module to sqlite3 as sometimes plain 'sqlite' is used to refer to sqlite2. Reduce the password check bits to 16 which is plenty. [lloyd, 2012-06-29, 4 files, -14/+39]

* Add TLS::Policy::minimum_dh_group_size, default 1024. Send an insufficient_security alert if the server tries to give us a DH group smaller than that. Also check to make sure the key isn't obviously bogus (<=1 || >= p-1), though as the key is purely ephemeral it doesn't seem like a small subgroup attack would provide much advantage anyway. [lloyd, 2012-06-25, 5 files, -2/+30]

* Make TLS::Channel::send non-virtual as neither Client nor Server needed to derive from it. Add a new overload of send taking a std::string for convenience (eg client.send("GET / HTTP/1.0\n\r")). Let Channel::renegotiate's force_full_renegotiation argument default to false. Fix a bug where if we negotiated TLS v1.2 and our Policy was configured to only use MD5 we would send an empty allowed signatures which is maybe bogus or maybe just ambiguous (RFC is unclear, though we reject in this case). To fix this, support putting MD5 in the signature algorithms extension, and then in choose_sig_format order first by our hash preference, and only allow hashes that are allowed by policy. Thus if a client claims to support both SHA-2 and MD5 we'll choose SHA-2 even if the client put MD5 first (some versions of GnuTLS ordered the list backwards due to a bug, so this is actually a useful behavior). [lloyd, 2012-06-18, 9 files, -21/+58]

* Commented out entry for anon in default policy: [lloyd, 2012-06-17, 1 file, -0/+1]

* We would never negotiate anon DH/ECDH even if policy allowed it and the client requested because we wouldn't have a cert chain set for anon. [lloyd, 2012-06-17, 1 file, -1/+1]

* Profiling with valgrind shows that the 2**16 iteration for finding ciphersuites was actually a substantial hit on handshakes. Add a new function TLS::Ciphersuite::all_known_ciphersuites which will do this once and cache it for future use. [lloyd, 2012-06-14, 5 files, -116/+139]

* We would fail in the case where we connected to a server that did not support secure renegotiation, and then a renegotiation occurred (either due to explicit request by a call to renegotiate, or if the counterparty sent a hello request and our policy allowed insecure renegotiations), because supported() would be false but our client hello would still contain the renegotiation extension. Instead, only break if the client hello doesn't support it but supported() == true, which indicates that at one point in the past both parties supported the extension. [lloyd, 2012-06-13, 1 file, -1/+1]

* Update what() signature on exception types [lloyd, 2012-06-12, 1 file, -1/+1]

* Generate new session IDs in the same format as hello randoms, with the first 4 bytes a timestamp. Conveniently this means removing the lexicographically first session id from a cache is removing the oldest session. [lloyd, 2012-06-10, 2 files, -3/+3]

* Add Handshake_Type codes for RFC 6066 handshake types. Change the switch in bitmask_for_handshake_type to not have a default: branch, so GCC can warn if we are missing a type. Instead throw if the switch failed to return. [lloyd, 2012-06-10, 2 files, -19/+27]

* A fix for bug 191, that we were not preventing resumption of sessions in the case of a fatal alert, as required by section 7.2.2 of RFC 5246. Resolve this by storing the currently active session in Channel. Whenever we send or receive a fatal alert, tell the session manager to forget about that session. This still doesn't strictly meet the requirement for servers, as a session ticket is not invalidated and could later be reused. A conforming client would forget the whole session including the ticket, but that is assuming the attacker wouldn't prevent delivery of the alert message. However it would be difficult for the server to meet this requirement without per-ticket keys or keeping state about which tickets should not be resumable, both of which are stupid given the whole point of session tickets is that it allows resumption without server side state. OpenSSL also seems to allow resumption of sessions ending in a fatal alert when resumed through a ticket. [lloyd, 2012-06-09, 6 files, -63/+85]

* Avoid a spurious unrecognized_name alert when a server is running in pure anon mode and the client sent a SNI extension. [lloyd, 2012-06-09, 1 file, -1/+10]

* m_ namespace Channel, Client, and Server. Fix printing of Camellia ciphersuites. [lloyd, 2012-06-09, 6 files, -378/+378]

* Use initializer lists here, much cleaner [lloyd, 2012-06-09, 1 file, -53/+44]

* A fix for bug 192. First, when renegotiating in the client, attempt to renegotiate using our currently negotiated version instead of our preferred version. It turns out that neither OpenSSL nor GnuTLS like clients changing the version between negotiations, both send a protocol_version alert. So we probably want to avoid doing that. On the server side, handle a client sending inconsistent versions as best we can. If the client attempts to renegotiate a session using a later version, return a server hello with their original version (this is what OpenSSL does). If they attempt to renegotiate using an earlier version, send a fatal alert and close the connection, since this seems like a dubious thing to do. Also, fix the situation where we as a TLS v1.0 server (because of configuration) are talking to a TLS v1.2 client. We would still use their signature_algorithms extension and send a SHA-256 (or whatever) signature! [lloyd, 2012-06-09, 11 files, -72/+99]

* Make a proper wrapper in util for SQLite3, update the TLS session manager to use it. Add --with-sqlite to configure.py [lloyd, 2012-06-08, 3 files, -167/+33]