| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
insufficient_security alert if the server tries to give us a DH group
smaller than that. Also check to make sure the key isn't obviously
bogus (<=1 || >= p-1), though as the key is purely ephemeral it
doesn't seem like a small subgroup attack would provide much advantage
anyway.
|
| |
|
|
|
|
|
| |
Move Karatsuba cutoffs to mp_karat.cpp as that is the only place that
uses them and I doubt these get tweaked much (ever).
|
|
|
|
|
|
|
|
|
| |
we know one of the sub values was going to be zero. Avoid doing this
as it exposes a timing channel.
Some bn_asm code was manually inlined into the Karatsuba for doing
additions. Just call the normal functions - if these are too slow that
should be fixed.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
needed to derive from it. Add a new overload of send taking a
std::string for convenience (eg client.send("GET / HTTP/1.0\n\r")).
Let Channel::renegotiatate's force_full_renegotiation argument default
to false.
Fix a bug where if we negotiated TLS v1.2 and our Policy was
configured to only use MD5 we would send an empty allowed signatures
which is maybe bogus or maybe just ambigious (RFC is unclear, though
we reject in this case). To fix this, support putting MD5 in the
signature algorithms extension, and then in choose_sig_format order
first by our hash preference, and only allow hashes that are allowed
by policy. Thus is a client claims to support both SHA-2 and MD5 we'll
choose SHA-2 even if the client put MD5 first (some versions of GnuTLS
ordered the list backwards due to a bug, so this is actually a useful
behavior).
|
| |
|
| |
|
|
|
|
|
|
|
| |
Montgomery exponentiation as except for the very first division all
operands are single words and thus we can assume we have a relatively
fast division operation (and additionally working only with words
avoids dynamic allocation).
|
| |
|
|
|
|
|
| |
the client requested because we wouldn't have a cert chain set for
anon.
|
|
|
|
| |
performance.
|
|
|
|
| |
the arguments
|
|
|
|
|
|
| |
plenty sufficient, and reduces the overhead of setting up the blinder
(in terms of exponent size and the cost of computing modular
inverses).
|
| |
|
| |
|
|
|
|
|
|
|
| |
only need the low word of the result. Credits to HAC, somehow I missed
that this was possible. This helps especially when a program does a
lot of setups, so the improvement is only minor on the benchmark but
fairly huge for asio_tls_server.
|
|
|
|
|
|
|
|
|
|
| |
on each and comparing that. However that is very expensive (lots of
formatting) and doesn't even work that well because to_string skips
over a lot of information. Instead, compare the tbs bits directly
which is both much faster and more accurate.
Add a new X509_Certificate::fingerprint which returns a fingerprint
compatible at least with what OpenSSL does.
|
|
|
|
|
|
| |
ciphersuites was actually a substantial hit on handshakes. Add a new
function TLS::Ciphersuite::all_known_ciphersuites which will do this
once and cache it for future use.
|
| |
|
|
|
|
| |
This matches the behavior of other bcrypt implementations.
|
|
|
|
|
|
|
|
|
|
|
| |
support secure renegotiation, and then a renegotiation occured (either
due to explicit request by a call to renegotiate, or if the
counterparty send a hello request and our policy allowed insecure
renegotiations), because supported() would be false but our client
hello would still contain the renegotion extension. Instead, only
break if the client hello doesn't support it but supported() == true,
which indicates that at one point in the past both parties supported
the extension.
|
| |
|
|
|
|
| |
only have a 64-bit libc++.
|
| |
|
|
|
|
|
|
|
| |
(relying on implicit pointer conversions). Also, change
Serpent::set_round_keys (used by the x86-32 asm version) to assign()
the values instead of copying, as we rely on the key schedule to
allocate the key values now to minimize memory waste.
|
| |
|
|
|
|
|
|
|
| |
interface to more of a calloc style. Alignment remains set to the
underlying type size.
Increase the maximum mlock size to 512 KB.
|
|
|
|
|
|
| |
first 4 bytes a timestamp. Conveniently this means removing the
lexicographically first session id from a cache is removing the oldest
session.
|
|
|
|
|
|
| |
Change the switch in bitmask_for_handshake_type to not have a default:
branch, so GCC can warn if we are missing a type. Instead throw if
the switch failed to return.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
case of a fatal alert, as required by section 7.2.2 of RFC 5246.
Resolve this by storing the currently active session in Channel. Whenever we
send or receive a fatal alert, tell the session manager to forget about that
session.
This still doesn't strictly meet the requirement for servers, as a session
ticket is not invalidated and could later be reused. A conforming client
would forget the whole session including the ticket, but that is assuming
the attacker wouldn't prevent delivery of the alert message.
However it would be difficult for the server to meet this requirement
without per-ticket keys or keeping state about which tickets should not be
resumable, both of which are stupid given the whole point of session tickets
is that it allows resumption without server side state. OpenSSL also seems
to allow resumption of sessions ending in a fatal alert when resumed though
a ticket.
|
|
|
|
| |
pure anon mode and the client sent a SNI extension.
|
|
|
|
| |
Fix printing of Camellia ciphersuites.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
renegotiate using our currently negotiated version instead of our
preferred version. It turns out that neither OpenSSL nor GnuTLS like
clients changing the version between negotiations, both send a
protocol_version alert. So we probably want to avoid doing that.
On the server side, handle a client sending inconsistent versions as
best we can. If the client attmepts to renegotiate a session using a
later version, return a server hello with their original version (this
is what OpenSSL does). If they attempt to renegotiate using an earlier
version, send a fatal alert and close the connection, since this seems
like a dubious thing to do.
Also, fix the situation where we as a TLS v1.0 server (because of
configuration) are talking to a TLS v1.2 client. We would still use
their signature_algorithms extension and send a SHA-256 (or whatever)
signature!
|
|
|
|
| |
manager to use it. Add --with-sqlite to configure.py
|
| |
|
|
|
|
| |
enabling this is a bad idea.
|
|
|
|
|
|
|
|
| |
allocator interface. The compression filters now just use malloc/free
with a memset.
Add a new info.txt field <warning>, like comment but warns. Use for
CMS which is pretty broken (doesn't even compile anymore), and for TLS.
|
|
|
|
|
|
|
|
|
| |
transition. That will come in handy someday.
Allow the server to skip sending a session ticket. GnuTLS seems prone
to offering it even if it doesn't have a key handy.
Fix vector/secure_vector conversions in the SQLite session manager.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
choose_sig_format assumed Client_Hello::supported_algos would always
return something. For SSLv2 hellos, always set it to the default
values. Noticed with OpenSSL 0.9.7m
If a client attempts renegotiation but does not have a secure
renegotiation, only continue if policy allows it. Otherwise send a
no_renegotition alert (what exactly servers are supposed to do is not
really made obvious by the RFC but this seems like reasonable
behavior).
|
| |
|
|
|
|
|
|
|
|
| |
DataSource&.
Remove spurious DataSource_Memory from ec_group.cpp
Some indent fixes
|
|
|
|
| |
attacks and in general detect invalid messages.
|
|
|
|
| |
anymore.
|
| |
|