aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Remove the PRIVATE ASN.1 tag. Not being used outside of the prettylloyd2012-05-274-5/+6
| | | | | | | | | | | | | | printer example, and really is just CONSTRUCTED | CONTEXT_SPECIFIC. Extend the ASN.1 printer to recurse into OCTET STRINGS that contain DER, and to print enumeration values. BOTAN_DLL export some OID operators (+, !=, <) Add an OID entry for 1.3.6.1.5.5.7.48.1.1 OCSP basic response. Correct the Certificate_Policies code, it was dumping policy OIDs into the extended key usage!
* Several new hooks in X509_Certificate to get raw (from the certlloyd2012-05-272-9/+39
| | | | binary) values which we need for OCSP.
* No reason to use secure_vector herelloyd2012-05-262-2/+2
|
* Use std::deque instead of SecureQueue in TLS::Stream_Handshake_Readerlloyd2012-05-263-16/+18
| | | | | | | as after all we are reading things that we received over a network connection so there certainly is no reason to try to mlock them. Also remove unneeded include in tls_record.h
* Plain hex_decode now returns a std::vector, use hex_decode_locked tolloyd2012-05-265-18/+66
| | | | get a secure_vector.
* Only build the mlock allocator on Linux, *BSD, or Solaris.lloyd2012-05-261-0/+8
| | | | | As best I can tell those are the only Unix kernels that allow unprivledged users to mlock memory.
* Some post merge fixups.lloyd2012-05-2512-69/+33
| | | | | Fix some bugs that triggered if DEFAULT_BUFFERSIZE was either too small or an odd size.
* propagate from branch 'net.randombit.botan.x509-path-validation' (head ↵lloyd2012-05-25541-9386/+14284
|\ | | | | | | | | | | 63b5a20eab129ca13287fda33d2d02eec329708f) to branch 'net.randombit.botan' (head 8b8150f09c55184f028f2929c4e7f7cd0d46d96e)
| * Two more locking_allocator bugs. In allocate, we did not setlloyd2012-05-251-5/+9
| | | | | | | | | | | | | | | | | | | | | | best_fit->first in cases where we had an almost exact match (exact fit but with some alignment bytes at the start), meaning that not only would we lose those bytes forever, but that we might later hand out a range overlapping with what we handed to our current caller. Also, in deallocate, lower_bound on the freelist might return end() (for instance if the freelist is entirely empty). Avoid trying to update the iterator in that case.
| * Use std::async for parallel CRT in Rabin Williams signature generation.lloyd2012-05-251-6/+7
| |
| * Remove targets clang doesn't actually supportlloyd2012-05-251-6/+0
| |
| * Always use -pthread with clang, matching gcc behaviorlloyd2012-05-251-5/+3
| |
| * Include <string> in buf_comp.h and filter.h as we used std::string butlloyd2012-05-253-16/+2
| | | | | | | | | | | | | | were not including it in the header chain. Caused compilation failures using Clang 3.1 using libc++. Remove the 3-argument version of hash_seq in SRP6, was not being used.
| * Resize key arrays in HMAC and SSL3_MAC when the key is set.lloyd2012-05-255-18/+19
| | | | | | | | Plus a few minor cleanups.
| * Fix alignment again and add assert checks so we don't mess up again.lloyd2012-05-251-4/+30
| | | | | | | | | | | | We previously ignored a block that was exactly the right size for the allocation and the needed alignment. If we find such a block prefer it over any other (non-exact) blocks to minimize fragmentation.
| * For block and stream ciphers, don't set the size of the key vectorslloyd2012-05-2558-193/+205
| | | | | | | | | | | | | | | | | | | | | | until we are actually setting a key. This avoids the problem of prototype objects consuming not just memory but the precious few bytes of mlock'able memory that we're given by Linux. Use clear_mem instead of a loop in BigInt::mask_bits If OS2ECP encounters an invalid format type, include what type it was in the exception message.
| * Instead of a map of start->length for recording the free list use alloyd2012-05-242-33/+44
| | | | | | | | | | | | vector of (start,length) where we are careful to maintain the correct ordering. Much much faster than the map version as it mostly avoids allocations and copies.
| * Properly align return values of mlock_allocator. Be more careful aboutlloyd2012-05-226-108/+35
| | | | | | | | | | | | | | | | | | | | | | pointer checks as a sufficiently smart compiler might optimize way pointer comparisons otherwise. Avoid using an iterator value after we have released it from the map. Reduce the default buffer size to 1K to reduce pressure on mlock memory. Drop the old mlock wrapper code.
| * Remove a debug call in secmem.h.lloyd2012-05-224-4/+220
| | | | | | | | | | | | | | | | | | Add a new mlock allocator which is far superior to the previous one both in terms of behavior (will lock exactly as much memory as we can actually mlock and will fall back to new/delete in all other cases), and much better and much simpler freelist than the old mem_pool code. Currently we only support systems with mmap+mlock, however it should be easy to extend to also support Windows VirtualLock if desired.
| * Replace 0 and NULL pointer constants with nullptr. Also fix an oldlloyd2012-05-1863-176/+179
| | | | | | | | style cast in secmem.h
| * Fairly huge update that replaces the old secmem types with std::vectorlloyd2012-05-18379-2834/+2047
| | | | | | | | | | | | using a custom allocator. Currently our allocator just does new/delete with a memset before deletion, and the mmap and mlock allocators have been removed.
| * propagate from branch 'net.randombit.botan' (head ↵lloyd2012-05-1812-99/+793
| |\ | | | | | | | | | | | | | | | 6332543aa5a8a4cc13662008ff9ac0f0016d9a4d) to branch 'net.randombit.botan.cxx11' (head 5517c9f8f6d1990f269afb94f569a97a80c5a5f4)
| | * NR_Verification_Operation::verify_mr would return false if the inputlloyd2012-05-182-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | was not the right size for a signature (following DSA). This would silently convert to an empty vector which we would treat as a valid message on the return. However the EMSA checks will always fail so not a huge problem. While checking this out I noticed that an empty value for EMSA4 would result in us reading memory we didn't own.
| | * Pipe::reset's requirement that a message be completed meant thatlloyd2012-05-181-2/+0
| | | | | | | | | | | | | | | | | | exceptions thrown in end_msg (for instance in CBC decryption when the padding is bad) more or less screwed up the pipe completely. Allowing reset here at least allows an escape hatch.
| | * We were checking the wrong bit for rdrand support. Found using SDE'slloyd2012-05-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | -ivb_rdrnd_cpuid option to toggle the bit off and on. Fortunately on Intel processors the bit we were actually checking is also enabled by Ivy Bridge. However it is also used on AMD Bulldozer processors to signal half-precision floating point support so we could false positive there.
| | * Markus Wanner pointed out on the mailing list that using rdrand opcodelloyd2012-05-071-3/+8
| | | | | | | | | | | | | | | | | | | | | didn't work on older GCC/binutils. Instead hardcode the expression for rdrand %eax, which should work everywhere. Also, avoid including immintrin.h unless we're going to use it, to avoid problems with older compilers that lack that header (this caused build failures under GCC 3.4.6).
| | * Padding wasn't set for DSA keys. Irrelevant for cert verify as thatlloyd2012-05-022-3/+3
| | | | | | | | | | | | isn't working here anyway, but also broke DSA servers.
| | * Partially roll back b2aef16225863cef27cdee4b91703966b3ed1458, itlloyd2012-04-281-2/+2
| | | | | | | | | | | | caused huge performance issues with DSA/ECDSA signing performance.
| | * For all but the first and last rounds, use a set of 64 bit tables tolloyd2012-04-273-92/+669
| | | | | | | | | | | | implement Camellia's F function. Roughtly 60 - 80% speedup on Nehalem.
| | * Add support for the rdrand instruction, added in Intel's Ivy Bridgelloyd2012-04-264-0/+111
| | | | | | | | | | | | | | | | | | | | | processors. Tested using SDE on Linux with GCC 4.6, Intel C++ 11.1, and Clang 3.0, all using the inline asm variant. I do not know if current Visual C++ has the intrinsics available or not, so it's only marked as available for those compilers at the moment.
| * | Remove all uses of MemoryRegion::copy outside of internal uses inlloyd2012-05-1818-42/+39
| | | | | | | | | | | | secmem.h. Mostly replaced by assign or copy_mem.
| * | First step towards replacing the existing containers with std::vectorlloyd2012-05-1821-53/+73
| | | | | | | | | | | | | | | | | | with a custom allocator; remove the 3 argument version of MemoryRegion::copy, replacing with freestanding buffer_insert function.
| * | Remove OctetString::change, only allow construction. Turns out nothinglloyd2012-05-172-26/+11
| | | | | | | | | | | | was using this, so no other changes needed.
| * | Huge pile of post merge fixups, mtn really fucked that mergelloyd2012-04-2528-157/+117
| | |
| * | propagate from branch 'net.randombit.botan.tls-state-machine' (head ↵lloyd2012-04-2560-1009/+1751
| |\ \ | | | | | | | | | | | | | | | | | | | | a4741cd07f50a9e1b29b0dd97c6fb8697c038ade) to branch 'net.randombit.botan.cxx11' (head 116e5ff139c07000be431e07d3472cc8f3919b91)
| | * | Camellia is now split by key lengthlloyd2012-04-241-26/+26
| | | |
| | * | propagate from branch 'net.randombit.botan' (head ↵lloyd2012-04-24102-4517/+10024
| | |\ \ | | | |/ | | |/| | | | | | | | | | | | | 494c5d548ce3f370c2b771ca6b11e5f41e720da2) to branch 'net.randombit.botan.tls-state-machine' (head b2cd26ff6f093caa79aecb2d674205f45b6aadff)
| | | * propagate from branch 'net.randombit.botan' (head ↵lloyd2012-04-205-11/+21
| | | |\ | | | | | | | | | | | | | | | | | | | | | | | | | 50fa70d871f837c3c3338fabf5fb45649669aabf) to branch 'net.randombit.botan.tls-state-machine' (head 2358daac57db0411e62da2ef5a484468cb9307b7)
| | | * | Compile fixlloyd2012-04-201-1/+1
| | | | |
| | | * | Put the implementation of Policy::dh_group in source so it's easier tolloyd2012-04-192-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | update. Increase DHE group size from 1536 to 2048 bits, which per NIST/ECRYPT should be good to 2030 or so.
| | | * | Various dependency/amalgamation fixeslloyd2012-04-195-6/+13
| | | | |
| | | * | Add a bool param to renegotiate on if we should force a fulllloyd2012-04-189-28/+71
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | renegotiation or not. Save the hostname in the client so we can pull the session from the session manager.
| | | * | Send almost all of the extensions on a renegotiation on an existinglloyd2012-04-181-14/+12
| | | | | | | | | | | | | | | | | | | | | | | | | channel, except NPN which is strictly a per-connection extension. Makes life easier for servers. OpenSSL seems to behave the same way.
| | | * | The secure renegotiation state was not updated on a sessionlloyd2012-04-181-9/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | resumption, which would cause failures if doing a renegotiation under the same session (eg to refresh keys). The peer_certs variable was not set until after the Session object was created, meaning the session (or session ticket) would not include client certs. Worse, they would be included in the next session saved, so if a client presented one cert, then renegotiated and presented another one, the first cert would be associated with the second session!
| | | * | Add very basic wildcarding in X509_Certificate::matches_dns_namelloyd2012-04-181-2/+18
| | | | |
| | | * | Only do the hostname/DNS comparison if it is set. Otherwise, we havelloyd2012-04-171-1/+1
| | | | | | | | | | | | | | | | | | | | nothing meaningful to compare to.
| | | * | As best I can tell the client is allowed to send a certificate chainlloyd2012-04-161-5/+0
| | | | | | | | | | | | | | | | | | | | in response to a certificate request.
| | | * | The encoding of Certificate Request messages was wrong, each DERlloyd2012-04-161-4/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | encoded CA DN has a length field but also the entire block has one. This caused decoding errors if we requested a certificate and sent one or more DNs to request particular CAs. The decoding side had it correct.
| | | * | Add support for TLS heartbeats (RFC 6520). Heartbeat initiations fromlloyd2012-04-1617-38/+282
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the peer are automatically responded to. TLS::Channel::heartbeat can initiate a new heartbeat if the peer allows it. Heartbeat replies are passed back to the application processing function with an Alert value of HEARTBEAT_PAYLOAD (a 'fake' value, 256, which is out of range of the valid TLS alert space), along with the sent payload. The RFC requires us to have no more than one heartbeat 'in flight' at a time, ie without getting a response (or a timeout in the case of DTLS). Currently we do not prevent an application from requesting more.
| | | * | Add support for the 3 alert types we didn't have codes for.lloyd2012-04-092-32/+38
| | | | |