path: root/src
Commit message | Author | Date | Files | Lines
* Remove all uses of MemoryRegion::copy outside of internal uses in
| secmem.h. Mostly replaced by assign or copy_mem.
| [lloyd | 2012-05-18 | 18 files | -42/+39]
* First step towards replacing the existing containers with std::vector
| with a custom allocator; remove the 3 argument version of
| MemoryRegion::copy, replacing with freestanding buffer_insert function.
| [lloyd | 2012-05-18 | 21 files | -53/+73]
* Remove OctetString::change, only allow construction. Turns out nothing
| was using this, so no other changes needed.
| [lloyd | 2012-05-17 | 2 files | -26/+11]
* Huge pile of post merge fixups, mtn really fucked that merge
| [lloyd | 2012-04-25 | 28 files | -157/+117]
* propagate from branch 'net.randombit.botan.tls-state-machine' (head a4741cd07f50a9e1b29b0dd97c6fb8697c038ade)
|\  to branch 'net.randombit.botan.cxx11' (head 116e5ff139c07000be431e07d3472cc8f3919b91)
| | [lloyd | 2012-04-25 | 60 files | -1009/+1751]
| * Camellia is now split by key length
| | [lloyd | 2012-04-24 | 1 file | -26/+26]
| * propagate from branch 'net.randombit.botan' (head 494c5d548ce3f370c2b771ca6b11e5f41e720da2)
| |\  to branch 'net.randombit.botan.tls-state-machine' (head b2cd26ff6f093caa79aecb2d674205f45b6aadff)
| | | [lloyd | 2012-04-24 | 102 files | -4517/+10024]
| | * propagate from branch 'net.randombit.botan' (head 50fa70d871f837c3c3338fabf5fb45649669aabf)
| | |\  to branch 'net.randombit.botan.tls-state-machine' (head 2358daac57db0411e62da2ef5a484468cb9307b7)
| | | | [lloyd | 2012-04-20 | 5 files | -11/+21]
| | * | Compile fix
| | | | [lloyd | 2012-04-20 | 1 file | -1/+1]
| | * | Put the implementation of Policy::dh_group in source so it's easier to
| | | | update. Increase DHE group size from 1536 to 2048 bits, which per
| | | | NIST/ECRYPT should be good to 2030 or so.
| | | | [lloyd | 2012-04-19 | 2 files | -1/+6]
| | * | Various dependency/amalgamation fixes
| | | | [lloyd | 2012-04-19 | 5 files | -6/+13]
| | * | Add a bool param to renegotiate on if we should force a full
| | | | renegotiation or not. Save the hostname in the client so we can pull
| | | | the session from the session manager.
| | | | [lloyd | 2012-04-18 | 9 files | -28/+71]
| | * | Send almost all of the extensions on a renegotiation on an existing
| | | | channel, except NPN which is strictly a per-connection extension.
| | | | Makes life easier for servers. OpenSSL seems to behave the same way.
| | | | [lloyd | 2012-04-18 | 1 file | -14/+12]
| | * | The secure renegotiation state was not updated on a session
| | | | resumption, which would cause failures if doing a renegotiation under
| | | | the same session (eg to refresh keys). The peer_certs variable was not
| | | | set until after the Session object was created, meaning the session
| | | | (or session ticket) would not include client certs. Worse, they would
| | | | be included in the next session saved, so if a client presented one
| | | | cert, then renegotiated and presented another one, the first cert
| | | | would be associated with the second session!
| | | | [lloyd | 2012-04-18 | 1 file | -9/+7]
| | * | Add very basic wildcarding in X509_Certificate::matches_dns_name
| | | | [lloyd | 2012-04-18 | 1 file | -2/+18]
| | * | Only do the hostname/DNS comparison if it is set. Otherwise, we have
| | | | nothing meaningful to compare to.
| | | | [lloyd | 2012-04-17 | 1 file | -1/+1]
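The hostname matching the two commits above describe (basic wildcarding in matches_dns_name, and skipping the comparison entirely when no hostname was set) as an added example in Python, not Botan's own C++. The exact rules are an assumption of this example and are deliberately strict: one wildcard only, it must be the entire leftmost label, it matches exactly one label, and at least two literal labels must follow it, so '*.example.com' matches 'www.example.com' but neither 'example.com' nor 'a.b.example.com', and '*.com' matches nothing.

```python
"""Hostname matching for X.509 certificate names with basic wildcards.

Added example, not library code. The rules below are an assumption
chosen to be conservative (in the spirit of RFC 6125 wildcard handling).
"""


def _labels(name: str) -> list:
    # DNS names are case-insensitive; a trailing dot marks an absolute name.
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def matches_dns_name(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (from the certificate) matches hostname.

      - an unset/empty hostname never matches: there is nothing to compare;
      - comparison is case-insensitive and ignores a trailing dot;
      - empty labels ('foo..com') and a '*' inside the hostname are rejected;
      - at most one '*', and it must be the entire leftmost label;
      - '*' matches exactly one label, never zero and never several;
      - a wildcard pattern must keep at least two literal labels, so that
        '*.com' and a bare '*' can never match anything.
    """
    if not hostname or "*" in hostname:
        return False
    pat = _labels(cert_name)
    host = _labels(hostname)
    if not pat or not host or "" in pat or "" in host:
        return False
    if "*" not in cert_name:
        return pat == host
    if cert_name.count("*") != 1 or pat[0] != "*" or len(pat) < 3:
        return False
    # '*' consumes exactly one label: same label count, identical tail.
    return len(host) == len(pat) and host[1:] == pat[1:]
```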
| | * | As best I can tell the client is allowed to send a certificate chain
| | | | in response to a certificate request.
| | | | [lloyd | 2012-04-16 | 1 file | -5/+0]
| | * | The encoding of Certificate Request messages was wrong, each DER
| | | | encoded CA DN has a length field but also the entire block has one.
| | | | This caused decoding errors if we requested a certificate and sent
| | | | one or more DNs to request particular CAs. The decoding side had it
| | | | correct.
| | | | [lloyd | 2012-04-16 | 1 file | -4/+6]
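The CertificateRequest layout the commit above is about, as an added Python example (not Botan's code). It follows RFC 5246 section 7.4.4: certificate_authorities is a vector with its own 2-byte length, and each DistinguishedName inside it is itself a length-prefixed opaque. The buggy encoder reproduces the pre-fix behaviour (inner lengths only), and the decoder, which had it right, rejects that output. der_name_cn is a helper that builds a minimal DER Name for the constructed test CAs; the certificate type and signature/hash code points used in the test (rsa_sign=1, ecdsa_sign=64, sha256=4, rsa=1, ecdsa=3) are the IANA values.

```python
"""TLS 1.2 CertificateRequest encoding (RFC 5246, section 7.4.4).

    struct {
        ClientCertificateType certificate_types<1..2^8-1>;
        SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
        DistinguishedName certificate_authorities<0..2^16-1>;
    } CertificateRequest;
    opaque DistinguishedName<1..2^16-1>;

Added example. Every DN carries its own 2-byte length AND the whole list
carries a 2-byte length in front; omitting the outer one is the bug.
"""
import struct


def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER tag-length-value for contents shorter than 65536 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + content


def der_name_cn(cn: str) -> bytes:
    """X.501 Name with one CN RDN (OID 2.5.4.3); used to construct test CA DNs."""
    atv = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


def encode_certificate_authorities(dns: list) -> bytes:
    body = b"".join(struct.pack(">H", len(dn)) + dn for dn in dns)
    return struct.pack(">H", len(body)) + body          # outer length + entries


def encode_certificate_authorities_buggy(dns: list) -> bytes:
    # The pre-fix encoding described in the commit: per-DN lengths, no block length.
    return b"".join(struct.pack(">H", len(dn)) + dn for dn in dns)


def decode_certificate_authorities(buf: bytes) -> list:
    """Parse the DN list; it is the last field, so it must consume buf exactly."""
    if len(buf) < 2:
        raise ValueError("truncated certificate_authorities length")
    (outer,) = struct.unpack(">H", buf[:2])
    if 2 + outer != len(buf):
        raise ValueError("certificate_authorities length does not match data")
    dns, pos, end = [], 2, 2 + outer
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated DN length")
        (n,) = struct.unpack(">H", buf[pos:pos + 2])
        pos += 2
        if n == 0 or pos + n > end:
            raise ValueError("bad DN length")
        dn = buf[pos:pos + n]
        if dn[0] != 0x30:
            raise ValueError("DN is not a DER SEQUENCE")
        dns.append(dn)
        pos += n
    return dns


def encode_certificate_request(cert_types: list, sig_algs: list, ca_dns: list) -> bytes:
    types = bytes([len(cert_types)]) + bytes(cert_types)
    algs = b"".join(bytes([h, s]) for h, s in sig_algs)
    return (types + struct.pack(">H", len(algs)) + algs
            + encode_certificate_authorities(ca_dns))


def decode_certificate_request(buf: bytes):
    """Return (certificate_types, [(hash, sig), ...], [DN, ...])."""
    if len(buf) < 1 or buf[0] == 0 or len(buf) < 1 + buf[0] + 2:
        raise ValueError("truncated CertificateRequest")
    n = buf[0]
    types = list(buf[1:1 + n])
    pos = 1 + n
    (alen,) = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    if alen % 2 or pos + alen > len(buf):
        raise ValueError("bad supported_signature_algorithms")
    algs = [(buf[i], buf[i + 1]) for i in range(pos, pos + alen, 2)]
    pos += alen
    return types, algs, decode_certificate_authorities(buf[pos:])
```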
| | * | Add support for TLS heartbeats (RFC 6520). Heartbeat initiations from
| | | | the peer are automatically responded to. TLS::Channel::heartbeat can
| | | | initiate a new heartbeat if the peer allows it. Heartbeat replies are
| | | | passed back to the application processing function with an Alert
| | | | value of HEARTBEAT_PAYLOAD (a 'fake' value, 256, which is out of range
| | | | of the valid TLS alert space), along with the sent payload. The RFC
| | | | requires us to have no more than one heartbeat 'in flight' at a time,
| | | | ie without getting a response (or a timeout in the case of DTLS).
| | | | Currently we do not prevent an application from requesting more.
| | | | [lloyd | 2012-04-16 | 17 files | -38/+282]
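The heartbeat handling the commit above describes, as an added Python example rather than Botan's C++. It implements the RFC 6520 message (type, 2-byte payload_length, payload, at least 16 bytes of random padding) and the two checks the RFC mandates: a message whose payload_length does not fit in the received record is discarded silently, and a response whose payload does not match the outstanding request is discarded too. The channel class also enforces the one-request-in-flight rule the commit says is not yet enforced, and hands replies to the application tagged with the 256 HEARTBEAT_PAYLOAD value the commit defines. The record-length check is the one whose absence in OpenSSL later became CVE-2014-0160 (Heartbleed); HeartbeatChannel, PEER_ALLOWED_TO_SEND and the method names are this example's own.

```python
"""TLS Heartbeat (RFC 6520) messages and per-connection state.

    struct {
        HeartbeatMessageType type;        // 1 = request, 2 = response
        uint16 payload_length;
        opaque payload[payload_length];
        opaque padding[padding_length];   // >= 16 random bytes
    } HeartbeatMessage;

Added example, not library code.
"""
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
MAX_HEARTBEAT_LEN = 1 << 14   # 2^14: the record limit without max_fragment_length
HEARTBEAT_PAYLOAD = 256       # out-of-range 'alert' value handed to the application

# HeartbeatMode values carried in the heartbeat extension.
PEER_ALLOWED_TO_SEND = 1
PEER_NOT_ALLOWED_TO_SEND = 2


def build_heartbeat(msg_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("bad heartbeat type")
    if padding_len < MIN_PADDING:
        raise ValueError("padding must be at least 16 bytes")
    if 3 + len(payload) + padding_len > MAX_HEARTBEAT_LEN:
        raise ValueError("heartbeat exceeds the maximum record length")
    return (bytes([msg_type]) + struct.pack(">H", len(payload))
            + payload + os.urandom(padding_len))


def parse_heartbeat(body: bytes):
    """Return (type, payload), or None when the RFC says to discard silently.

    payload_length is peer-controlled: it must fit inside the received
    record together with the mandatory 16 bytes of padding. Echoing
    payload_length bytes without this check would read past the record.
    """
    if len(body) < 3 + MIN_PADDING or len(body) > MAX_HEARTBEAT_LEN:
        return None
    msg_type = body[0]
    (plen,) = struct.unpack(">H", body[1:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    if 3 + plen + MIN_PADDING > len(body):
        return None
    return msg_type, bytes(body[3:3 + plen])


class HeartbeatChannel:
    """Heartbeat state of one connection: at most one request in flight."""

    def __init__(self, peer_mode: int):
        self.peer_mode = peer_mode    # mode the peer advertised in its extension
        self.in_flight = None         # payload of our outstanding request
        self.delivered = []           # (HEARTBEAT_PAYLOAD, payload) passed to the app

    def heartbeat(self, payload: bytes) -> bytes:
        """Initiate a heartbeat; returns the message to send to the peer."""
        if self.peer_mode != PEER_ALLOWED_TO_SEND:
            raise RuntimeError("peer does not accept heartbeat requests")
        if self.in_flight is not None:
            raise RuntimeError("a heartbeat is already in flight")
        self.in_flight = payload
        return build_heartbeat(HEARTBEAT_REQUEST, payload)

    def receive(self, body: bytes):
        """Process a received heartbeat record; returns a response to send, or None."""
        parsed = parse_heartbeat(body)
        if parsed is None:
            return None                     # malformed: discarded silently
        msg_type, payload = parsed
        if msg_type == HEARTBEAT_REQUEST:
            return build_heartbeat(HEARTBEAT_RESPONSE, payload)
        if self.in_flight is not None and payload == self.in_flight:
            self.in_flight = None
            self.delivered.append((HEARTBEAT_PAYLOAD, payload))
        return None                         # unexpected/mismatched reply: dropped
```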
| | * | Add support for the 3 alert types we didn't have codes for.
| | | | [lloyd | 2012-04-09 | 2 files | -32/+38]
| | * | Finish up server side SRP support, a little ugly but it works.
| | | | Add SRP hooks in the examples
| | | | Fix next protocol support in the tls_server example.
| | | | [lloyd | 2012-04-06 | 9 files | -55/+130]
| | * | propagate from branch 'net.randombit.botan' (head 058444ec216dd9690938c82922d911df2da535b4)
| | |\ \  to branch 'net.randombit.botan.tls-state-machine' (head 54985e112aecb7b7c98a7dace924a2f704e6c9c1)
| | | | | [lloyd | 2012-04-06 | 101 files | -4518/+9636]
| | | * | Re-enable TLS (was disabled by trunk merge), and require the srp6 module
| | | | | Initial outline of server side SRP support. Need to figure out how to
| | | | | transfer the v, b, B params from the server key exchange message to
| | | | | the client key exchange. The DH variants do this by passing a
| | | | | Private_Key via server_kex_key call, but wrapping SRP params in a
| | | | | Private_Key really doesn't feel right. Not sure what to do here.
| | | | | Possibly both SRP and DH should return a Key_Exchange_Material* that
| | | | | a client key exchange knows how to dynamic cast on.
| | | | | [lloyd | 2012-04-05 | 3 files | -3/+42]
| | | * | Initial client-side support for SRP (finally!). Tested against OpenSSL
| | | | | 1.0.1, only the certificate versions tested currently as OpenSSL
| | | | | doesn't support anon SRP.
| | | | | [lloyd | 2012-04-05 | 4 files | -0/+45]
| | | * | propagate from branch 'net.randombit.botan' (head 91305e3daaae9ea8a1786daf058d961991c68251)
| | | |\ \  to branch 'net.randombit.botan.tls-state-machine' (head 474a00b316f5b21a4e56033d4d990d87d9d3eed6)
| | | | | | [lloyd | 2012-04-05 | 20 files | -291/+400]
| | | * | | Remove Policy::choose_compression and move to tls_server
| | | | | | Make ciphersuite_list a free standing function
| | | | | | Now the Policy interface only contains actual policy hooks (no
| | | | | | non-virtual functions). Though choose_curve is a little dubious.
| | | | | | [lloyd | 2012-04-04 | 4 files | -62/+59]
| | | * | | Limit the lifetime of tickets to Policy::session_ticket_lifetime()
| | | | | | seconds and report that value to the client in the NewSessionTicket
| | | | | | message. After that point, a session ticket is ignored and a full
| | | | | | renegotiation is forced.
| | | | | | Only send a new session ticket on a new session, or on a resumed
| | | | | | session where the client indicated it supports session tickets but
| | | | | | for whatever reason didn't send one in the hello. Perhaps in this
| | | | | | case, we should also remove the session from the session manager?
| | | | | | Clean up server selection of the ciphersuite a bit, all in an anon
| | | | | | function in tls_server instead of scattered over Server, Policy, and
| | | | | | Server_Hello.
| | | | | | Add Session::session_age and Session_Manager::session_lifetime
| | | | | | [lloyd | 2012-04-04 | 15 files | -178/+196]
| | | * | | Add anonymous DH/ECDH ciphersuites to the cipher list. Interop checked
| | | | | | against OpenSSL. One big issue that needs to be resolved is that with
| | | | | | these ciphersuites available to be negotiated, we want to make sure
| | | | | | they only are used when the application/user expects them to. Problem
| | | | | | is that PSK and SRP are "anonymous" but authenticated via the shared
| | | | | | secret. We need to be able to distinguish these on a policy level.
| | | | | | Otherwise a MITM could simply offer anon DH, which would be somewhat
| | | | | | unfortunate. A client could detect this in the handshake callback,
| | | | | | but might not. In the short term to ensure this doesn't occur, disable
| | | | | | both anon DH and PSK/SRP in the default policy.
| | | | | | [lloyd | 2012-04-02 | 2 files | -18/+62]
| | | * | | Use SHA-256 when MD5 is negotiated as the HMAC hash in TLS 1.2,
| | | | | | previously negotiating any MD5-based ciphersuite in TLS 1.2 would
| | | | | | cause MAC failures as the master secret would come out differently
| | | | | | due to using the wrong PRF.
| | | | | | [lloyd | 2012-04-02 | 2 files | -2/+6]
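The PRF selection the commit above fixes, as an added Python example (not Botan's code). TLS 1.0/1.1 (RFC 2246/4346) split the secret and XOR P_MD5 with P_SHA1; TLS 1.2 (RFC 5246) uses a single P_hash that is SHA-256 regardless of the ciphersuite's MAC, unless the suite is defined with a stronger hash (the SHA-384 suites). Feeding the suite's MD5 into the TLS 1.2 PRF yields a different master secret on each side and therefore the MAC failures the commit describes. prf_for and master_secret are this example's own names; the version is passed as a (major, minor) tuple, and suite_hash is the hash named in the ciphersuite.

```python
"""TLS PRF selection: split MD5/SHA-1 PRF for TLS 1.0/1.1 vs single-hash PRF for TLS 1.2.

Added example, not library code.
"""
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, n: int) -> bytes:
    """P_<hash>(secret, seed) from RFC 5246 section 5, expanded to n bytes."""
    out = b""
    a = hmac.new(secret, seed, hash_name).digest()          # A(1) = HMAC(secret, seed)
    while len(out) < n:
        out += hmac.new(secret, a + seed, hash_name).digest()
        a = hmac.new(secret, a, hash_name).digest()          # A(i+1) = HMAC(secret, A(i))
    return out[:n]


def prf_tls10(secret: bytes, label: bytes, seed: bytes, n: int) -> bytes:
    """TLS 1.0/1.1: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2
    md5 = p_hash("md5", secret[:half], label + seed, n)
    sha = p_hash("sha1", secret[-half:], label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha))


def prf_tls12(secret: bytes, label: bytes, seed: bytes, n: int, hash_name: str = "sha256") -> bytes:
    """TLS 1.2: one P_<hash>; SHA-256 unless the ciphersuite specifies a stronger hash."""
    return p_hash(hash_name, secret, label + seed, n)


def prf_for(version: tuple, suite_hash: str):
    """Return the PRF for a protocol version and the hash named in the ciphersuite.

    In TLS 1.2 the suite's MAC hash does not select the PRF: MD5 and SHA-1
    suites still use P_SHA256. Only suites defined with SHA-384 use
    P_SHA384. Selecting P_MD5 here is the bug the commit describes.
    """
    if version < (3, 1):
        raise ValueError("SSL 3.0 uses its own PRF and is not handled here")
    if version < (3, 3):
        return prf_tls10
    prf_hash = "sha384" if suite_hash == "sha384" else "sha256"
    return lambda secret, label, seed, n: prf_tls12(secret, label, seed, n, prf_hash)


def master_secret(version: tuple, suite_hash: str, pre_master: bytes,
                  client_random: bytes, server_random: bytes) -> bytes:
    prf = prf_for(version, suite_hash)
    return prf(pre_master, b"master secret", client_random + server_random, 48)
```

Both peers must agree on prf_for's output for the same suite; that is the whole point of the fix, since a client using P_SHA256 and a server using P_MD5 derive different master secrets and the first Finished MAC fails.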
| | | * | | Remove the Ciphersuite_Code enum and move all ciphersuite
| | | | | | integer->info mapping to tls_suite_info.cpp which is mostly
| | | | | | autogenerated by a Python script from the IANA parameters file.
| | | | | | The SRP method now uses kex "SRP_SHA" which is what the RFC calls it.
| | | | | | (And hypothetically, SRP_SHA256 might be defined at some point and
| | | | | | we'd need to be able to distinguish them).
| | | | | | Remove IDEA ciphersuite; we don't want to require IDEA be available
| | | | | | due to the European patent still being valid (IIRC), but I didn't
| | | | | | want to have to hand-edit the autogenerated switch with an #if check.
| | | | | | Not a huge issue though as most sites don't support it anyway.
| | | | | | [lloyd | 2012-03-30 | 7 files | -351/+298]
| * | | | | Patrick Pelletier noted on the mailing list that the implementation of
| | | | | | Camellia exposed by the OpenSSL module is parameterized by the key
| | | | | | length, much as AES is, while the version in the main source uses a
| | | | | | single name/type for all variants. For consistency, convert to using
| | | | | | a key length parameterized name in our version as well. In the future
| | | | | | this might allow for better loop unrolling, etc but currently we don't
| | | | | | make use of that.
| | | | | | [lloyd | 2012-04-24 | 3 files | -99/+179]
| * | | | | Patrick Pelletier pointed out the hook for Qt_Mutex in libstate.cpp
| | | | | | was broken, and after fixing that and trying to compile the module it
| | | | | | became clear that the Qt mutex did not work at all with recent Qt
| | | | | | versions. Taking this as a clear indicator that it is not being used,
| | | | | | remove it.
| | | | | | [lloyd | 2012-04-23 | 4 files | -83/+0]
| * | | | | Fix various typos, and remove an unused macro in checks/bench.cpp
| | |_|_|/  All reported by Patrick Pelletier.
| |/| | |   [lloyd | 2012-04-23 | 6 files | -7/+7]
| * | | | Avoid a few maintainer mode flag warnings. Remove -Weffc++ from the
| | | | | list of maintainer mode flags. It produces some very useful warnings,
| | | | | but also a lot of noisy junk that I really don't care about.
| | | | | [lloyd | 2012-04-20 | 6 files | -8/+18]
| * | | | merge of '058444ec216dd9690938c82922d911df2da535b4'
| |\ \ \ \  and 'bc49da394c675517b140a404c19094020d6e9d40'
| | |/ / /  [lloyd | 2012-04-09 | 1 file | -4/+4]
| |/| | |
| | * | | The comments incorrectly described end as returning the last element,
| | | | | rather than one past the end. Reported by Stuart Maclean on the
| | | | | mailing list.
| | | | | [lloyd | 2012-04-09 | 1 file | -4/+4]
| * | | | Use just 256 bits of secret exponent (recommended value in RFC 5054).
| | |_|/  Much faster, especially when using 8192 bit groups as OpenSSL does by
| |/| |   default.
| | | |   Use BOTAN_DLL symbol visibility macros.
| | | |   [lloyd | 2012-04-06 | 4 files | -21/+22]
| * | | Remove the client SRP6 class, really free standing functions are fine
| |/ /  for this. Add a new function that identifies a named SRP group from
| | |   the N/g params - this is important as we need to verify the SRP
| | |   groups, the easiest way to do that is to force them to be a
| | |   known/published value. Add the 1536, 3072, 4096, 6144, and 8192 bit
| | |   groups from RFC 5054
| | |   [lloyd | 2012-04-05 | 3 files | -47/+152]
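The SRP pieces the two commits above describe (identifying a named group from N and g before using it, and 256-bit private exponents), as an added Python example rather than Botan's C++. It is SRP-6a as profiled for TLS in RFC 5054 with SHA-1 as H ("SRP_SHA"): k = H(N | PAD(g)), x = H(s | H(I ":" P)), u = H(PAD(A) | PAD(B)), and the RFC's checks that A mod N and B mod N are non-zero. Only the 1024-bit group from RFC 5054 Appendix A is embedded; the 1536 to 8192-bit groups the commit adds are in the same appendix but not reproduced here. KNOWN_GROUPS, identify_group, SRPClient and SRPServer are this example's own names.

```python
"""SRP-6a as used by TLS-SRP (RFC 5054): named-group check and key agreement.

Added example, not library code. H is SHA-1 (the SRP_SHA kex method).
"""
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A. The larger published groups
# would be added to KNOWN_GROUPS the same way.
N_1024 = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
KNOWN_GROUPS = {(N_1024, 2): "modp/srp/1024"}

PRIVATE_EXPONENT_BITS = 256   # the RFC 5054 recommendation the commit adopts


def identify_group(N: int, g: int):
    """Name of a published SRP group, or None. Unknown (N, g) must be refused."""
    return KNOWN_GROUPS.get((N, g))


def _pad(x: int, N: int) -> bytes:
    """PAD(): big-endian, zero-padded to the byte length of N."""
    return x.to_bytes((N.bit_length() + 7) // 8, "big")


def _H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


def srp_k(N: int, g: int) -> int:
    return _H(_pad(N, N), _pad(g, N))


def srp_x(salt: bytes, I: bytes, P: bytes) -> int:
    return _H(salt, hashlib.sha1(I + b":" + P).digest())


def srp_verifier(N: int, g: int, salt: bytes, I: bytes, P: bytes) -> int:
    return pow(g, srp_x(salt, I, P), N)


class SRPClient:
    def __init__(self, N: int, g: int, I: bytes, P: bytes, a: int = None):
        if identify_group(N, g) is None:
            raise ValueError("refusing unknown SRP group parameters")
        self.N, self.g, self.I, self.P = N, g, I, P
        self.a = secrets.randbits(PRIVATE_EXPONENT_BITS) if a is None else a
        self.A = pow(g, self.a, N)

    def premaster_secret(self, salt: bytes, B: int) -> bytes:
        N, g = self.N, self.g
        if B % N == 0:
            raise ValueError("invalid server public value B")
        u = _H(_pad(self.A, N), _pad(B, N))
        if u == 0:
            raise ValueError("u must not be zero")
        x = srp_x(salt, self.I, self.P)
        base = (B - srp_k(N, g) * pow(g, x, N)) % N
        return _pad(pow(base, self.a + u * x, N), N)


class SRPServer:
    def __init__(self, N: int, g: int, salt: bytes, v: int, b: int = None):
        if identify_group(N, g) is None:
            raise ValueError("refusing unknown SRP group parameters")
        self.N, self.g, self.salt, self.v = N, g, salt, v
        self.b = secrets.randbits(PRIVATE_EXPONENT_BITS) if b is None else b
        self.B = (srp_k(N, g) * v + pow(g, self.b, N)) % N

    def premaster_secret(self, A: int) -> bytes:
        N = self.N
        if A % N == 0:
            raise ValueError("invalid client public value A")
        u = _H(_pad(A, N), _pad(self.B, N))
        if u == 0:
            raise ValueError("u must not be zero")
        return _pad(pow(A * pow(self.v, u, N) % N, self.b, N), N)
```

The group check matters because N and g arrive from the server in ServerKeyExchange: a client that accepts arbitrary parameters can be handed a group in which the discrete log is easy, so the only safe policy is to accept published groups and nothing else.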
| * | Add more comments explaining what is going on in dl_work_factor
| | | [lloyd | 2012-03-30 | 2 files | -28/+29]
| * | Typo in comment
| | | [lloyd | 2012-03-09 | 1 file | -1/+1]
| * | Allow the semi-standard but rarely used 1.3.132.1.12 OID for ECDH keys
| | | on decoding by default, and add a comment showing how to enable it for
| | | encoding.
| | | [lloyd | 2012-02-21 | 1 file | -1/+13]
* | | Post merge fixes for using chrono lib for timeouts, unique_ptr,
| | | std::to_string, other minor things.
| | | [lloyd | 2012-03-30 | 3 files | -25/+29]
* | | propagate from branch 'net.randombit.botan.tls-state-machine' (head 63b88a65b699c95ef839bc18336bceccfbfabd2e)
|\ \ \  to branch 'net.randombit.botan.cxx11' (head 1adcc46808b403b8f6bf1669f022e65f9c30e8ea)
| | |/  [lloyd | 2012-03-30 | 40 files | -250/+1370]
| |/|
| * | Rework session crypto code. Drop the 4 bytes of zeros reserved for
| | | flags; if params change just regen the magic value and drop old
| | | sessions. Check the magic value right from the start. Use constants
| | | for internal sizes. Increase default PBKDF2 iterations in the SQLite
| | | session manager to 64K.
| | | [lloyd | 2012-03-28 | 2 files | -38/+54]
| * | For unencrypted initial handshake records, copy them to the writebuf
| | | anyway so we can output them with a single message. For some network
| | | approaches this won't make any difference but it might help with
| | | something doing direct writes on each callback. Additionally it seems
| | | important for DTLS, where each record must be contained in a single
| | | packet.
| | | [lloyd | 2012-03-23 | 1 file | -12/+12]
| * | Revert the session_ticket callback in credentials manager. If a PSK
| | | manager is being used, it could be easily used for session tickets as
| | | well, and if it's not the generate-on-first-call technique is easy to
| | | write.
| | | Avoid offering the session ticket extension if we know we don't have
| | | a key. For one thing it will cause us to avoid using stateful sessions,
| | | but additionally OpenSSL 1.0.1 is very intolerant of empty
| | | NewSessionTicket messages so definitely worth avoiding when we can.
| | | [lloyd | 2012-03-23 | 5 files | -56/+35]
| * | Fix deps
| | | [lloyd | 2012-03-23 | 2 files | -0/+6]
| * | Add a special hook in credentials manager for the session ticket key,
| | | with a default implementation that creates a new random key on the
| | | first call.
| | | [lloyd | 2012-03-23 | 3 files | -17/+49]
| * | Include the curves and sig algos list in a session resumption client
| | | hello. Also include a full list of ciphersuites, ensuring that our
| | | original session ciphersuite is in the list regardless of policy
| | | (maybe it would be better to just not resume in that case, though?).
| | | Otherwise, if the server doesn't remember our session (or the session
| | | ticket key), it might not be capable of negotiating using the single
| | | ciphersuite we sent due to lack of information (allowed curves was a
| | | particular issue here). Including the full ciphersuite list also
| | | allows for renegotiating the ciphersuite if, for instance, the session
| | | can't be resumed because the server used to have an RSA cert but has
| | | since replaced it with an ECDSA cert.
| | | [lloyd | 2012-03-23 | 3 files | -5/+18]
| * | Only claim we support session tickets if we actually have a key of
| | | some kind.
| | | Fix New_Session_Ticket decoding. Apparently when the RFC says that a
| | | server that does not want to send a ticket sends "an empty ticket"
| | | that means a lifetime value plus an empty ticket, not an actually
| | | empty extension.
| | | [lloyd | 2012-03-23 | 2 files | -9/+16]
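The session ticket handling from the commit above, together with the ticket lifetime rule from the "Limit the lifetime of tickets" commit and the offer-only-with-a-key rule from the "Revert the session_ticket callback" commit, as one added Python example (not Botan's code). The message is RFC 5077's NewSessionTicket: a 4-byte ticket_lifetime_hint followed by a length-prefixed opaque ticket, so a server declining to issue a ticket sends six bytes (lifetime plus zero length), which is exactly the "empty ticket" case the commit decodes. TicketIssuer is this example's own design: it advertises the extension only when it holds a key, stamps each ticket with its issue time, protects it with an HMAC, and refuses a ticket once its age reaches the policy lifetime. Real tickets also encrypt the session state; only the age and integrity checks are shown.

```python
"""RFC 5077 NewSessionTicket encoding and a lifetime-bounded ticket issuer.

    struct {
        uint32 ticket_lifetime_hint;
        opaque ticket<0..2^16-1>;
    } NewSessionTicket;

Added example, not library code. A server that does not want to issue a
ticket still sends the 4-byte lifetime and a zero-length ticket (6 bytes),
not an empty handshake body.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32   # SHA-256 HMAC


def encode_new_session_ticket(lifetime_hint: int, ticket: bytes) -> bytes:
    return struct.pack(">IH", lifetime_hint, len(ticket)) + ticket


def decode_new_session_ticket(body: bytes):
    """Return (lifetime_hint, ticket). An empty ticket is a valid 'no ticket' reply."""
    if len(body) < 6:
        raise ValueError("NewSessionTicket needs lifetime_hint and ticket length")
    hint, n = struct.unpack(">IH", body[:6])
    if len(body) != 6 + n:
        raise ValueError("ticket length does not match body")
    return hint, body[6:]


class TicketIssuer:
    """Server-side tickets: offered only with a key, valid for a fixed lifetime.

    Assumed format for this example: ticket = issue_time(8) || state || HMAC(32).
    """

    def __init__(self, session_ticket_lifetime: int, ticket_key: bytes = None):
        self.lifetime = session_ticket_lifetime   # seconds, Policy::session_ticket_lifetime()
        self.key = ticket_key

    def offer_session_ticket_extension(self) -> bool:
        # Without a key we cannot mint tickets, so do not advertise them and
        # fall back to stateful sessions.
        return self.key is not None

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def new_session_ticket(self, session_state: bytes, now: int) -> bytes:
        """Build the NewSessionTicket body; 'now' is injected for testability."""
        if self.key is None:
            return encode_new_session_ticket(0, b"")        # the 'empty ticket' form
        data = struct.pack(">Q", now) + session_state
        return encode_new_session_ticket(self.lifetime, data + self._tag(data))

    def resume(self, ticket: bytes, now: int):
        """Return the session state if the ticket is intact and unexpired, else None.

        None means the server ignores the ticket and runs a full handshake.
        """
        if self.key is None or len(ticket) < 8 + TAG_LEN:
            return None
        data, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(data)):
            return None                                     # forged or wrong key
        (issued,) = struct.unpack(">Q", data[:8])
        if now < issued or now - issued >= self.lifetime:
            return None                                     # expired (or clock went back)
        return data[8:]
```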