| Commit message (Collapse) | Author | Age | Files | Lines |
|
Add cookie support in Client_Hello.
|
outbound messages to MTU. Reassembly likely doesn't work, and is very
vulnerable to DoS attacks.
|
This is mostly just a minor code savings for TLS, but it actually
seems important for DTLS because getting a handshake message can be a
trigger for retransmitting previously sent handshake messages in some
circumstances. Having the reading and writing all in one layer makes
it a bit easier to accomplish that.
|
Channel to the handshake reader.
|
even before parsing the client hello, since there is nothing the
client can say in the hello that will change our mind about it.
Call Policy::acceptable_protocol_version on the final negotiated
version, not what the client offered!
Clean up the server version choosing logic a bit.
Add Protocol_Version::best_known_match which returns the 'best'
version we know of matching a particular version.
|
One behavioral change is we now send SNI on renegotiation hellos. This
is probably harmless (?) and might be helpful for the server in
finding the right certs.
|
Pass version to ciphersuite_list, avoid negotiating RC4 with DTLS
Disable ECC <= 192 bits.
|
need to know what the handshake format is.
Remove unused functions from Handshake_Hash and store all handshake
data as a plain std::vector, since as handshake information it is not
sensitive.
|
that task to Record_Writer. Needed for DTLS work.
|
Pass this down into the session managers.
Also document how to use session tickets with TLS servers.
|
Add a few 'feature tests' to Protocol_Version which helps avoid some
explicit comparisons. Additionally, remove the relational comparisons,
except for operator> which is still used in a few locations.
TLS::Policy has changed and no longer has min_version. The new hook
that replaces it is acceptable_protocol_version, which should return
true if and only if we are willing to negotiate the version
returned. This leads to a somewhat cleaner result and additionally
allows one to do maybe interesting though mostly useless things like
allowing TLS 1.0 or 1.2 but not 1.1.
Fix the version sent in the (unused) DTLS hello verify message.
|
Replace C++98 style private copy constructors/assignment ops with ones
annotated with delete.
|
handshaking state.
|
X is true" and "assertion X is false". Convert all of them to the form
"assertion X is true" thus making it clear what it is that we are
attempting to assert by testing the expression provided.
|
with the channel object instead of calling the global object.
|
allowed_macs. This allows someone to turn on MD5 for message auth,
which is a little sketchy but probably OK, without also (likely
unintentionally) enabling MD5 for TLS v1.2 signatures, which would be
a big problem.
Prioritize RC4 over 3DES in default policy.
Disable ECC curves smaller than 224 bits by default.
More updates to the TLS policy documentation.
|
Rename the sqlite module to sqlite3 as sometimes plain 'sqlite' is
used to refer to sqlite2.
Reduce the password check bits to 16 which is plenty.
|
insufficient_security alert if the server tries to give us a DH group
smaller than that. Also check to make sure the key isn't obviously
bogus (<=1 || >= p-1), though as the key is purely ephemeral it
doesn't seem like a small subgroup attack would provide much advantage
anyway.
|
needed to derive from it. Add a new overload of send taking a
std::string for convenience (eg client.send("GET / HTTP/1.0\n\r")).
Let Channel::renegotiatate's force_full_renegotiation argument default
to false.
Fix a bug where if we negotiated TLS v1.2 and our Policy was
configured to only use MD5 we would send an empty allowed signatures
which is maybe bogus or maybe just ambiguous (RFC is unclear, though
we reject in this case). To fix this, support putting MD5 in the
signature algorithms extension, and then in choose_sig_format order
first by our hash preference, and only allow hashes that are allowed
by policy. Thus if a client claims to support both SHA-2 and MD5 we'll
choose SHA-2 even if the client put MD5 first (some versions of GnuTLS
ordered the list backwards due to a bug, so this is actually a useful
behavior).
|
the client requested because we wouldn't have a cert chain set for
anon.
|
ciphersuites was actually a substantial hit on handshakes. Add a new
function TLS::Ciphersuite::all_known_ciphersuites which will do this
once and cache it for future use.
|
support secure renegotiation, and then a renegotiation occurred (either
due to explicit request by a call to renegotiate, or if the
counterparty sent a hello request and our policy allowed insecure
renegotiations), because supported() would be false but our client
hello would still contain the renegotiation extension. Instead, only
break if the client hello doesn't support it but supported() == true,
which indicates that at one point in the past both parties supported
the extension.
|
first 4 bytes a timestamp. Conveniently this means removing the
lexicographically first session id from a cache is removing the oldest
session.
|
Change the switch in bitmask_for_handshake_type to not have a default:
branch, so GCC can warn if we are missing a type. Instead throw if
the switch failed to return.
|
case of a fatal alert, as required by section 7.2.2 of RFC 5246.
Resolve this by storing the currently active session in Channel. Whenever we
send or receive a fatal alert, tell the session manager to forget about that
session.
This still doesn't strictly meet the requirement for servers, as a session
ticket is not invalidated and could later be reused. A conforming client
would forget the whole session including the ticket, but that is assuming
the attacker wouldn't prevent delivery of the alert message.
However it would be difficult for the server to meet this requirement
without per-ticket keys or keeping state about which tickets should not be
resumable, both of which are stupid given the whole point of session tickets
is that it allows resumption without server side state. OpenSSL also seems
to allow resumption of sessions ending in a fatal alert when resumed through
a ticket.
|
pure anon mode and the client sent a SNI extension.
|
Fix printing of Camellia ciphersuites.
|
renegotiate using our currently negotiated version instead of our
preferred version. It turns out that neither OpenSSL nor GnuTLS like
clients changing the version between negotiations, both send a
protocol_version alert. So we probably want to avoid doing that.
On the server side, handle a client sending inconsistent versions as
best we can. If the client attempts to renegotiate a session using a
later version, return a server hello with their original version (this
is what OpenSSL does). If they attempt to renegotiate using an earlier
version, send a fatal alert and close the connection, since this seems
like a dubious thing to do.
Also, fix the situation where we as a TLS v1.0 server (because of
configuration) are talking to a TLS v1.2 client. We would still use
their signature_algorithms extension and send a SHA-256 (or whatever)
signature!
|
manager to use it. Add --with-sqlite to configure.py
|
enabling this is a bad idea.
|
allocator interface. The compression filters now just use malloc/free
with a memset.
Add a new info.txt field <warning>, like comment but warns. Use for
CMS which is pretty broken (doesn't even compile anymore), and for TLS.
|
transition. That will come in handy someday.
Allow the server to skip sending a session ticket. GnuTLS seems prone
to offering it even if it doesn't have a key handy.
Fix vector/secure_vector conversions in the SQLite session manager.