path: root/src
Commit log (newest first). Each entry gives the commit date, the author, the number of files touched and the lines removed/added, followed by the commit message.

* 2012-07-09  lloyd  (15 files, -25/+29)
  The messages for assertion checks were done both ways, both "assertion X is true" and "assertion X is false". Convert all of them to the form "assertion X is true" thus making it clear what it is that we are attempting to assert by testing the expression provided.

* 2012-07-09  lloyd  (5 files, -47/+50)
  Fix for bug 209. Required some reworking of the ASN.1 bytestring decoding code but seems an improvement.

* 2012-07-09  lloyd  (2 files, -41/+35)
  Remove BOTAN_ASSERT_FUNCTION, use __func__ which is now standard in C++11

* 2012-07-06  lloyd  (1 file, -1/+3)
  Add a comment so I remember how to get warnings

* 2012-07-06  lloyd  (7 files, -11/+133)
  Doxygen comments

* 2012-07-06  lloyd  (1 file, -0/+8)
  Disable generating LaTeX Doxygen output as we don't really need it and it is very slow to generate.

* 2012-07-06  lloyd  (2 files, -3/+12)
  More Doxygen comments

* 2012-07-06  lloyd  (2 files, -5/+5)
  Correct Doxygen comments

* 2012-07-05  lloyd  (6 files, -16/+22)
  Record_Writer needs a PRNG for the IV generation. Share the reference with the channel object instead of calling the global object.

* 2012-07-05  lloyd  (1 file, -32/+59)
  Pull the TLS padding checks out to an anon function.

* 2012-07-01  lloyd  (1 file, -1/+1)
  Default to just `g++`. Check GCC version and warn if we are compiling under something before 4.7.0

* 2012-06-29  lloyd  (8 files, -29/+41)
  Split TLS::Policy::allowed_hashes into allowed_signature_hashes and allowed_macs. This allows someone to turn on MD5 for message auth, which is a little sketchy but probably OK, without also (likely unintentionally) enabling MD5 for TLS v1.2 signatures, which would be a big problem. Prioritize RC4 over 3DES in default policy. Disable ECC curves smaller than 224 bits by default. More updates to the TLS policy documentation.

* 2012-06-29  lloyd  (7 files, -17/+42)
  Add TLS::Session_Manager_Noop which just ignores all save requests. Rename the sqlite module to sqlite3 as sometimes plain 'sqlite' is used to refer to sqlite2. Reduce the password check bits to 16 which is plenty.

* 2012-06-26  lloyd  (1 file, -1/+1)
  Avoid unused argument warning

* 2012-06-26  lloyd  (1 file, -66/+69)
  Reorder Credentials_Manager with cert stuff first, then SRP, then PSK

* 2012-06-26  lloyd  (1 file, -2/+2)
  Increase default Miller-Rabin nonce to 192 bits

* 2012-06-26  lloyd  (1 file, -1/+1)
  Be explicit about swap template specialization

* 2012-06-26  lloyd  (1 file, -0/+6)
  Set poolsize to zero on failure. Set m_pool to null if mmap fails

* 2012-06-25  lloyd  (5 files, -2/+30)
  Add TLS::Policy::minimum_dh_group_size, default 1024. Send an insufficient_security alert if the server tries to give us a DH group smaller than that. Also check to make sure the key isn't obviously bogus (<=1 || >= p-1), though as the key is purely ephemeral it doesn't seem like a small subgroup attack would provide much advantage anyway.

* 2012-06-19  lloyd  (2 files, -0/+2)
  Add missing headers, triggered errors under minimal builds

* 2012-06-19  lloyd  (2 files, -10/+12)
  Remove BOTAN_MEM_POOL_CHUNK_SIZE macro from build.h, no longer used. Move Karatsuba cutoffs to mp_karat.cpp as that is the only place that uses them and I doubt these get tweaked much (ever).

* 2012-06-19  lloyd  (1 file, -48/+10)
  In Karatsuba multiplication, we would avoid recursing in cases where we know one of the sub values was going to be zero. Avoid doing this as it exposes a timing channel. Some bn_asm code was manually inlined into the Karatsuba for doing additions. Just call the normal functions - if these are too slow that should be fixed.

* 2012-06-18  lloyd  (9 files, -21/+58)
  Make TLS::Channel::send non-virtual as neither Client nor Server needed to derive from it. Add a new overload of send taking a std::string for convenience (eg client.send("GET / HTTP/1.0\n\r")). Let Channel::renegotiate's force_full_renegotiation argument default to false. Fix a bug where if we negotiated TLS v1.2 and our Policy was configured to only use MD5 we would send an empty allowed signatures which is maybe bogus or maybe just ambiguous (RFC is unclear, though we reject in this case). To fix this, support putting MD5 in the signature algorithms extension, and then in choose_sig_format order first by our hash preference, and only allow hashes that are allowed by policy. Thus if a client claims to support both SHA-2 and MD5 we'll choose SHA-2 even if the client put MD5 first (some versions of GnuTLS ordered the list backwards due to a bug, so this is actually a useful behavior).

* 2012-06-17  lloyd  (2 files, -46/+15)
  Patch name changed

* 2012-06-17  lloyd  (4 files, -24/+28)
  Update to rev 924b482d25 from https://github.com/OlivierJG/botansqlite3

* 2012-06-17  lloyd  (1 file, -10/+57)
  Use the extended Euclidean algorithm for computing the inverse for Montgomery exponentiation as except for the very first division all operands are single words and thus we can assume we have a relatively fast division operation (and additionally working only with words avoids dynamic allocation).

* 2012-06-17  lloyd  (1 file, -0/+1)
  Commented out entry for anon in default policy:

* 2012-06-17  lloyd  (1 file, -1/+1)
  We would never negotiate anon DH/ECDH even if policy allowed it and the client requested because we wouldn't have a cert chain set for anon.

* 2012-06-17  lloyd  (1 file, -1/+51)
  Use a special case for odd moduli in inverse_mod with close to double performance.

* 2012-06-17  lloyd  (1 file, -11/+12)
  inverse_mod - avoid mutable zero_bits, avoid making needless copies of the arguments

* 2012-06-17  lloyd  (4 files, -4/+4)
  Put an upper bound on the blinding value to 160 bits. This seems to be plenty sufficient, and reduces the overhead of setting up the blinder (in terms of exponent size and the cost of computing modular inverses).

* 2012-06-15  lloyd  (2 files, -44/+42)
  m_ namespace member vars

* 2012-06-15  lloyd  (3 files, -5/+15)
  Index, comments, name vars in headers

* 2012-06-15  lloyd  (1 file, -3/+4)
  Computing the Montgomery parameter can be done much cheaper because we only need the low word of the result. Credits to HAC, somehow I missed that this was possible. This helps especially when a program does a lot of setups, so the improvement is only minor on the benchmark but fairly huge for asio_tls_server.

* 2012-06-14  lloyd  (2 files, -6/+28)
  Fix X509_Certificate::operator<. It was comparing by calling to_string on each and comparing that. However that is very expensive (lots of formatting) and doesn't even work that well because to_string skips over a lot of information. Instead, compare the tbs bits directly which is both much faster and more accurate. Add a new X509_Certificate::fingerprint which returns a fingerprint compatible at least with what OpenSSL does.

* 2012-06-14  lloyd  (5 files, -116/+139)
  Profiling with valgrind shows that the 2**16 iteration for finding ciphersuites was actually a substantial hit on handshakes. Add a new function TLS::Ciphersuite::all_known_ciphersuites which will do this once and cache it for future use.

* 2012-06-13  lloyd  (8 files, -32/+156)
  Add support (decoding only) for the CRL Distribution Point extension.

* 2012-06-13  lloyd  (1 file, -2/+2)
  Truncate passwords to 55 characters instead of throwing an exception. This matches the behavior of other bcrypt implementations.

* 2012-06-13  lloyd  (1 file, -1/+1)
  We would fail in the case where we connected to a server that did not support secure renegotiation, and then a renegotiation occurred (either due to explicit request by a call to renegotiate, or if the counterparty sent a hello request and our policy allowed insecure renegotiations), because supported() would be false but our client hello would still contain the renegotiation extension. Instead, only break if the client hello doesn't support it but supported() == true, which indicates that at one point in the past both parties supported the extension.

* 2012-06-13  lloyd  (1 file, -1/+1)
  Fix westmere GCC builds

* 2012-06-12  lloyd  (1 file, -0/+1)
  Allow x86-32 asm with clang. Compiles fine, though I cannot test as I only have a 64-bit libc++.

* 2012-06-12  lloyd  (3 files, -3/+3)
  Update what() signature on exception types

* 2012-06-12  lloyd  (4 files, -7/+11)
  Fixes for the change to using std::vector in x86-32 specific code (relying on implicit pointer conversions). Also, change Serpent::set_round_keys (used by the x86-32 asm version) to assign() the values instead of copying, as we rely on the key schedule to allocate the key values now to minimize memory waste.

* 2012-06-11  lloyd  (1 file, -1/+1)
  Compile fix

* 2012-06-11  lloyd  (3 files, -20/+44)
  Avoid integer overflows in calls to the mlock allocator, changing the interface to more of a calloc style. Alignment remains set to the underlying type size. Increase the maximum mlock size to 512 KB.

* 2012-06-10  lloyd  (2 files, -3/+3)
  Generate new session IDs in the same format as hello randoms, with the first 4 bytes a timestamp. Conveniently this means removing the lexicographically first session id from a cache is removing the oldest session.

* 2012-06-10  lloyd  (2 files, -19/+27)
  Add Handshake_Type codes for RFC 6066 handshake types. Change the switch in bitmask_for_handshake_type to not have a default: branch, so GCC can warn if we are missing a type. Instead throw if the switch failed to return.

* 2012-06-09  lloyd  (6 files, -63/+85)
  A fix for bug 191, that we were not preventing resumption of sessions in the case of a fatal alert, as required by section 7.2.2 of RFC 5246. Resolve this by storing the currently active session in Channel. Whenever we send or receive a fatal alert, tell the session manager to forget about that session. This still doesn't strictly meet the requirement for servers, as a session ticket is not invalidated and could later be reused. A conforming client would forget the whole session including the ticket, but that is assuming the attacker wouldn't prevent delivery of the alert message. However it would be difficult for the server to meet this requirement without per-ticket keys or keeping state about which tickets should not be resumable, both of which are stupid given the whole point of session tickets is that it allows resumption without server side state. OpenSSL also seems to allow resumption of sessions ending in a fatal alert when resumed through a ticket.

* 2012-06-09  lloyd  (1 file, -1/+10)
  Avoid a spurious unrecognized_name alert when a server is running in pure anon mode and the client sent a SNI extension.

* 2012-06-09  lloyd  (6 files, -378/+378)
  m_ namespace Channel, Client, and Server. Fix printing of Camellia ciphersuites.