path: root/src
Commit log. Each entry gives the commit message, followed by (author, date; files changed, lines -removed/+added).
* In the string constructor of EC_Domain_Params, check if the PEM decoding failed. If so, assume the input string was an OID and try that. (lloyd, 2010-04-19; 2 files, -6/+16)
* Add codes for SHA-1 based ECC suites (RFC 4492). (lloyd, 2010-04-19; 2 files, -25/+81)
* Add support for SEED ciphersuites. Tested against OpenSSL 0.9.8n (lloyd, 2010-04-17; 3 files, -0/+24)
* Add support for reading SSLv2 client hellos (lloyd, 2010-04-17; 5 files, -8/+86)
* Clean up ciphersuite handling (lloyd, 2010-04-17; 7 files, -91/+273)
* Add support for TLS 1.2 PRF (lloyd, 2010-04-17; 2 files, -22/+63)
* Add Comb4P hash combiner, as described in Anja Lehmann's thesis. (lloyd, 2010-04-17; 4 files, -0/+167)
* If the CBC padding is incorrect, then assume the pad size is zero and carry on with the procedure. This prevents a timing attack where an attacker could distinguish bad padding vs MAC failure. This timing channel was used in the paper "Password Interception in a SSL/TLS Channel" by Vaudenay et al. to attack SSL in certain fairly realistic use scenarios. (lloyd, 2010-04-09; 1 file, -4/+10)
* Present requested hostname (SNI extn) to TLS_Server user (lloyd, 2010-03-30; 2 files, -0/+6)
* Remove bad filename (lloyd, 2010-03-30; 1 file, -1/+0)
* Instead of just discarding the extension size, confirm that the claimed length matches the length of the data left in the client hello packet. (lloyd, 2010-03-30; 1 file, -1/+4)
* Support TLS Extensions, specifically SNI (lloyd, 2010-03-30; 1 file, -35/+29)
* Constify assert_at_least. Add some helpers (lloyd, 2010-03-30; 1 file, -1/+17)
* Add some magic numbers for TLS extension codes (lloyd, 2010-03-30; 1 file, -0/+11)
* Add a class that knows how to decode a (very small subset of) TLS data formatting. Particularly useful in the ClientHello, but generally helps centralize the offset handling, which was particularly unreadable in the hello messages. (lloyd, 2010-03-30; 6 files, -61/+249)
* Don't fail simply because the client sent a version code that we don't know about; just continue and the server will choose either whatever the client supports, if it knows about it, or else the latest version it supports. So for instance if a client attempts to negotiate TLS 1.2, we'll not know about that version and return a ServerHello for 1.1 instead. (lloyd, 2010-03-30; 1 file, -6/+0)
* Fix server handshake. Support TLS 1.1 servers (lloyd, 2010-03-30; 2 files, -15/+14)
* Fix DSA TLS servers (lloyd, 2010-03-30; 1 file, -1/+1)
* Add support for TLS v1.1's per-record random IV. Tested against GnuTLS server. (lloyd, 2010-03-30; 7 files, -12/+46)
* Rename pad_amount to block_size, more accurate/descriptive (lloyd, 2010-03-30; 3 files, -12/+20)
* Also remove compression bits from record writer (lloyd, 2010-03-25; 1 file, -14/+4)
* Remove single byte versions of read and write - caused problems with overloads for bind/function (lloyd, 2010-03-25; 1 file, -3/+0)
* Remove the bits for supporting compression - it was never actually supported, and compression can come later on when the overall architecture is more solid/stable. (lloyd, 2010-03-25; 2 files, -19/+4)
* Use size_t for lengths in Socket interface (lloyd, 2010-03-25; 3 files, -9/+9)
* Allow adding engines dynamically (lloyd, 2010-03-24; 3 files, -17/+20)
* Remove printfs (lloyd, 2010-03-23; 1 file, -17/+0)
* Make Record_Reader event driven. Callers (eg TLS_Client and TLS_Server) are not; they instead loop blocking on the socket. Will move the event-driven behavior upwards as I go. (lloyd, 2010-03-23; 6 files, -45/+132)
* Delete global RNG and the mutex in ~Library_State (lloyd, 2010-03-23; 1 file, -3/+5)
* Don't delete the global RNG in AutoSeeded_RNG's destructor (lloyd, 2010-03-23; 1 file, -1/+0)
* Rename SecureVector::L param to INITIAL_LEN so as to be somewhat obvious as to meaning (lloyd, 2010-03-23; 1 file, -2/+3)
* Remove SecureBuffer, which is the fixed-size variant of SecureVector. Add a second template param to SecureVector which specifies the initial length. Change all callers to be SecureVector instead of SecureBuffer. This can go away in C++0x, once compilers implement N2712 ("Non-static data member initializers"), and we can just write code as SecureVector<byte> P{18}; instead (lloyd, 2010-03-23; 63 files, -137/+101)
* Remove reference to no-longer existing function in docs (lloyd, 2010-03-22; 1 file, -6/+2)
* Fix Doxygen comment for grow_to (lloyd, 2010-03-22; 1 file, -4/+6)
* Move class decls together (lloyd, 2010-03-21; 1 file, -10/+10)
* Move where pk_ops is included, remove rng.h from dl_algo.h (lloyd, 2010-03-21; 4 files, -5/+3)
* KeyPair::check_key's behavior of throwing an exception upon failure was not useful; in all cases, we immediately caught it and then returned false. Modify as follows:
    - Create the pubkey objects inside the checking code, so calling code doesn't need to do it.
    - Return true/false for pass/fail
  Also add consistency checking for ECDSA keys (lloyd, 2010-03-21; 9 files, -112/+75)
* In add_entropy(), additionally poll for 64 bits of system entropy to mix in with the user input. Check that the prf and extractor are compatible. For the initial PRF key, use all zeros of the appropriate size, and for the initial XTS key, use PRF("Botan HMAC_RNG XTS"). This ensures that only the one fixed key size is ever used with either the prf or extractor objects, allowing you to use, say HMAC(SHA-256)+CMAC(AES-256), or even CMAC(AES-128)+CMAC(AES-128) as the PRFs in the RNG. (lloyd, 2010-03-19; 1 file, -15/+20)
* Don't require the AES module; if it's there it's there, if it's not then you can't use the global PRNG but everything else still works. (lloyd, 2010-03-19; 2 files, -4/+2)
* Replace PointGFp::check_invaraints, which would either return silently or throw an exception, with PointGFp::on_the_curve, which returns a bool. Update callers. This showed several cases where check_invaraints was being called multiple times, for instance when decoding a point with OS2ECP, check_invaraints was called; many callers of OS2ECP would then call check_invaraints again on the same object. (lloyd, 2010-03-19; 6 files, -55/+29)
* Add a couple of new helper functions to BER_Decoder:
    - decode_and_check takes an expected value; if the decoded value does not match, a Decoding_Error with a specified string is thrown. Useful for checking embedded version codes.
    - decode_octet_string_bigint is for decoding INTEGER values that are stored as OCTET STRINGs. Totally obnoxious and useless, but common especially in the ECC standards.
  (lloyd, 2010-03-19; 6 files, -46/+42)
* More warning flags (lloyd, 2010-03-19; 1 file, -2/+2)
* A number of changes to primality tests:
    - Use 64 bit nonces in the Miller-Rabin test, instead of 40 bits.
    - Rename check_prime to quick_check_prime and is_prime to check_prime.
    - Remove some internal functions which weren't used outside the primality test code, along with the prime products table.
    - For quick checking, instead of doing Miller-Rabin with fixed base 2, do a small number of randomized tests. Always use random bases instead of the first n primes.
  (lloyd, 2010-03-19; 6 files, -168/+46)
* There are some nasty API problems that are caused by having to pass a PRNG everywhere. The removal of the global PRNG was generated by a desire to remove the global library state entirely. However the real point of this was to remove the use of globally visible _mutable_ state; of the mutable state, the PRNG is probably the least important, and the most useful to share. And it seems unlikely that thread contention would be a major issue in the PRNG.
  Add back a global PRNG to Library_State. Use lazy initialization, so apps that don't ever use a PRNG don't need a seeding step. Then have AutoSeeded_RNG call that global PRNG. Offer once again RandomNumberGenerator& Library_State::global_rng(); which returns a reference to the global PRNG. This RNG object serializes access to itself with a mutex.
  Remove the hack known as Blinding::choose_nonce, replace with using the global PRNG to choose a blinding nonce (lloyd, 2010-03-19; 11 files, -64/+119)
* Don't call get_eme or get_kdf with name "Raw" (returns NULL); ideally would like to replace these functions with generic engine code instead of hardcoded lookup, and NULL return value would be impossible to disambiguate. (lloyd, 2010-03-19; 1 file, -3/+3)
* Initialize m_pk to null in constructor (lloyd, 2010-03-17; 1 file, -0/+2)
* The logic PointGFp::operator*= was basically doing *this = scalar * *this; And operator* was doing a needless copy. Instead make operator* a real multiplication operation, define *= in terms of it. (lloyd, 2010-03-16; 2 files, -29/+31)
* Shuffle functions for easier reading (lloyd, 2010-03-16; 2 files, -74/+75)
* Disable VC++ 4275 entirely; it also causes warnings when building the test app... (lloyd, 2010-03-16; 1 file, -2/+2)
* Fix include. <botan/mp_core.h> was picking up the system installed version, which happened to be compatible enough to work. (lloyd, 2010-03-16; 1 file, -1/+1)
* Add a couple of verification tests for GOST 34.10. Generating the test vectors found yet another inane (and, of course, undocumented) behavior in the GOST implementation included in OpenSSL; it treats the hash inputs as little endian. Just out of curiosity, I checked RFC 5832, which supposedly specifies this algorithm; not a peep about endian conversions. The more I deal with standards coming out of the CryptoPro people, the less confidence I have in them. (lloyd, 2010-03-16; 1 file, -3/+16)