path: root/src
Commit log. Each entry lists date, author, files changed and lines (-removed/+added), followed by the commit message.
* 2012-06-19  lloyd  2 files, -0/+2
  Add missing headers, triggered errors under minimal builds
* 2012-06-19  lloyd  2 files, -10/+12
  Remove BOTAN_MEM_POOL_CHUNK_SIZE macro from build.h, no longer used. Move Karatsuba cutoffs to mp_karat.cpp as that is the only place that uses them and I doubt these get tweaked much (ever).
* 2012-06-19  lloyd  1 file, -48/+10
  In Karatsuba multiplication, we would avoid recursing in cases where we know one of the sub values was going to be zero. Avoid doing this as it exposes a timing channel. Some bn_asm code was manually inlined into the Karatsuba for doing additions. Just call the normal functions - if these are too slow that should be fixed.
* 2012-06-18  lloyd  9 files, -21/+58
  Make TLS::Channel::send non-virtual as neither Client nor Server needed to derive from it. Add a new overload of send taking a std::string for convenience (eg client.send("GET / HTTP/1.0\n\r")). Let Channel::renegotiate's force_full_renegotiation argument default to false. Fix a bug where if we negotiated TLS v1.2 and our Policy was configured to only use MD5 we would send an empty allowed signatures which is maybe bogus or maybe just ambiguous (RFC is unclear, though we reject in this case). To fix this, support putting MD5 in the signature algorithms extension, and then in choose_sig_format order first by our hash preference, and only allow hashes that are allowed by policy. Thus if a client claims to support both SHA-2 and MD5 we'll choose SHA-2 even if the client put MD5 first (some versions of GnuTLS ordered the list backwards due to a bug, so this is actually a useful behavior).
* 2012-06-17  lloyd  2 files, -46/+15
  Patch name changed
* 2012-06-17  lloyd  4 files, -24/+28
  Update to rev 924b482d25 from https://github.com/OlivierJG/botansqlite3
* 2012-06-17  lloyd  1 file, -10/+57
  Use the extended Euclidean algorithm for computing the inverse for Montgomery exponentiation as except for the very first division all operands are single words and thus we can assume we have a relatively fast division operation (and additionally working only with words avoids dynamic allocation).
* 2012-06-17  lloyd  1 file, -0/+1
  Commented out entry for anon in default policy:
* 2012-06-17  lloyd  1 file, -1/+1
  We would never negotiate anon DH/ECDH even if policy allowed it and the client requested because we wouldn't have a cert chain set for anon.
* 2012-06-17  lloyd  1 file, -1/+51
  Use a special case for odd moduli in inverse_mod with close to double performance.
* 2012-06-17  lloyd  1 file, -11/+12
  inverse_mod - avoid mutable zero_bits, avoid making needless copies of the arguments
* 2012-06-17  lloyd  4 files, -4/+4
  Put an upper bound on the blinding value to 160 bits. This seems to be plenty sufficient, and reduces the overhead of setting up the blinder (in terms of exponent size and the cost of computing modular inverses).
* 2012-06-15  lloyd  2 files, -44/+42
  m_ namespace member vars
* 2012-06-15  lloyd  3 files, -5/+15
  Index, comments, name vars in headers
* 2012-06-15  lloyd  1 file, -3/+4
  Computing the Montgomery parameter can be done much cheaper because we only need the low word of the result. Credits to HAC, somehow I missed that this was possible. This helps especially when a program does a lot of setups, so the improvement is only minor on the benchmark but fairly huge for asio_tls_server.
* 2012-06-14  lloyd  2 files, -6/+28
  Fix X509_Certificate::operator<. It was comparing by calling to_string on each and comparing that. However that is very expensive (lots of formatting) and doesn't even work that well because to_string skips over a lot of information. Instead, compare the tbs bits directly which is both much faster and more accurate. Add a new X509_Certificate::fingerprint which returns a fingerprint compatible at least with what OpenSSL does.
* 2012-06-14  lloyd  5 files, -116/+139
  Profiling with valgrind shows that the 2**16 iteration for finding ciphersuites was actually a substantial hit on handshakes. Add a new function TLS::Ciphersuite::all_known_ciphersuites which will do this once and cache it for future use.
* 2012-06-13  lloyd  8 files, -32/+156
  Add support (decoding only) for the CRL Distribution Point extension.
* 2012-06-13  lloyd  1 file, -2/+2
  Truncate passwords to 55 characters instead of throwing an exception. This matches the behavior of other bcrypt implementations.
* 2012-06-13  lloyd  1 file, -1/+1
  We would fail in the case where we connected to a server that did not support secure renegotiation, and then a renegotiation occurred (either due to explicit request by a call to renegotiate, or if the counterparty sends a hello request and our policy allowed insecure renegotiations), because supported() would be false but our client hello would still contain the renegotiation extension. Instead, only break if the client hello doesn't support it but supported() == true, which indicates that at one point in the past both parties supported the extension.
* 2012-06-13  lloyd  1 file, -1/+1
  Fix westmere GCC builds
* 2012-06-12  lloyd  1 file, -0/+1
  Allow x86-32 asm with clang. Compiles fine, though I cannot test as I only have a 64-bit libc++.
* 2012-06-12  lloyd  3 files, -3/+3
  Update what() signature on exception types
* 2012-06-12  lloyd  4 files, -7/+11
  Fixes for the change to using std::vector in x86-32 specific code (relying on implicit pointer conversions). Also, change Serpent::set_round_keys (used by the x86-32 asm version) to assign() the values instead of copying, as we rely on the key schedule to allocate the key values now to minimize memory waste.
* 2012-06-11  lloyd  1 file, -1/+1
  Compile fix
* 2012-06-11  lloyd  3 files, -20/+44
  Avoid integer overflows in calls to the mlock allocator, changing the interface to more of a calloc style. Alignment remains set to the underlying type size. Increase the maximum mlock size to 512 KB.
* 2012-06-10  lloyd  2 files, -3/+3
  Generate new session IDs in the same format as hello randoms, with the first 4 bytes a timestamp. Conveniently this means removing the lexicographically first session id from a cache is removing the oldest session.
* 2012-06-10  lloyd  2 files, -19/+27
  Add Handshake_Type codes for RFC 6066 handshake types. Change the switch in bitmask_for_handshake_type to not have a default: branch, so GCC can warn if we are missing a type. Instead throw if the switch failed to return.
* 2012-06-09  lloyd  6 files, -63/+85
  A fix for bug 191, that we were not preventing resumption of sessions in the case of a fatal alert, as required by section 7.2.2 of RFC 5246. Resolve this by storing the currently active session in Channel. Whenever we send or receive a fatal alert, tell the session manager to forget about that session. This still doesn't strictly meet the requirement for servers, as a session ticket is not invalidated and could later be reused. A conforming client would forget the whole session including the ticket, but that is assuming the attacker wouldn't prevent delivery of the alert message. However it would be difficult for the server to meet this requirement without per-ticket keys or keeping state about which tickets should not be resumable, both of which are stupid given the whole point of session tickets is that it allows resumption without server side state. OpenSSL also seems to allow resumption of sessions ending in a fatal alert when resumed through a ticket.
* 2012-06-09  lloyd  1 file, -1/+10
  Avoid a spurious unrecognized_name alert when a server is running in pure anon mode and the client sent a SNI extension.
* 2012-06-09  lloyd  6 files, -378/+378
  m_ namespace Channel, Client, and Server. Fix printing of Camellia ciphersuites.
* 2012-06-09  lloyd  1 file, -53/+44
  Use initializer lists here, much cleaner
* 2012-06-09  lloyd  11 files, -72/+99
  A fix for bug 192. First, when renegotiating in the client, attempt to renegotiate using our currently negotiated version instead of our preferred version. It turns out that neither OpenSSL nor GnuTLS like clients changing the version between negotiations, both send a protocol_version alert. So we probably want to avoid doing that. On the server side, handle a client sending inconsistent versions as best we can. If the client attempts to renegotiate a session using a later version, return a server hello with their original version (this is what OpenSSL does). If they attempt to renegotiate using an earlier version, send a fatal alert and close the connection, since this seems like a dubious thing to do. Also, fix the situation where we as a TLS v1.0 server (because of configuration) are talking to a TLS v1.2 client. We would still use their signature_algorithms extension and send a SHA-256 (or whatever) signature!
* 2012-06-08  lloyd  6 files, -167/+253
  Make a proper wrapper in util for SQLite3, update the TLS session manager to use it. Add --with-sqlite to configure.py
* 2012-06-08  lloyd  1 file, -2/+2
  Move to -O3 with Clang. s/c++0x/c++11/
* 2012-06-08  lloyd  3 files, -7/+7
  Invert the policy setting as I think it makes it more obvious that enabling this is a bad idea.
* 2012-06-07  lloyd  29 files, -178/+199
  Update cms, cvc, zlib, bzip2, openssl, and gnump modules for the new allocator interface. The compression filters now just use malloc/free with a memset. Add a new info.txt field <warning>, like comment but warns. Use for CMS which is pretty broken (doesn't even compile anymore), and for TLS.
* 2012-06-07  lloyd  3 files, -9/+11
  Report what we have already received on an unexpected state transition. That will come in handy someday. Allow the server to skip sending a session ticket. GnuTLS seems prone to offering it even if it doesn't have a key handy. Fix vector/secure_vector conversions in the SQLite session manager.
* 2012-06-07  lloyd  3 files, -26/+28
  Cleanup, m_ namespace Secure_Renegotiation_State
* 2012-06-07  lloyd  2 files, -2/+25
  Clients sending a SSLv2 hello would cause an internal failure because choose_sig_format assumed Client_Hello::supported_algos would always return something. For SSLv2 hellos, always set it to the default values. Noticed with OpenSSL 0.9.7m. If a client attempts renegotiation but does not have a secure renegotiation, only continue if policy allows it. Otherwise send a no_renegotiation alert (what exactly servers are supposed to do is not really made obvious by the RFC but this seems like reasonable behavior).
* 2012-06-06  lloyd  1 file, -1/+1
  Fix for DHE, strip_leading_zeros always took off the last byte
* 2012-06-05  lloyd  6 files, -21/+19
  Modify DL_Group::PEM_decode and BER_decode to take values instead of DataSource&. Remove spurious DataSource_Memory from ec_group.cpp. Some indent fixes.
* 2012-06-05  lloyd  2 files, -0/+4
  Add assert_done checks here to help avoid interesting substitution attacks and in general detect invalid messages.
* 2012-06-05  lloyd  1 file, -4/+1
  Always print the include dir as we are never in the default path anymore.
* 2012-06-01  lloyd  1 file, -1/+1
  Wrong OID name
* 2012-06-01  lloyd  1 file, -0/+44
  Missing source file from d8021f3e5aa8812a2843d6afd27bbe56d04af734
* 2012-06-01  lloyd  7 files, -224/+0
  Drop some deprecated functions
* 2012-05-31  lloyd  8 files, -61/+45
  Allow arbitrary ciphers and hashes with PKCS #5 v2.0. The only requirement is that OIDs for "<cipher>/CBC" and "HMAC(<hash>)" are defined. This does assume the normal parameter set of just the IV, so doesn't work right for (IIRC) RC5, but we don't have an OID set for RC5/CBC anyway. Continue to default to SHA-1 plus AES-256 as prior versions of the library can't handle any hashes other than SHA-1 or any ciphers other than AES or DES. OpenSSL 1.0.0j seems to understand SHA-256 + AES-256, though. BER_Decoder::decode_optional was assuming optional values were explicitly tagged. Now, only take that behavior if the input class tag was for a context specific tagging. Remove abort call for debugging from BER_Decoder. Add a new version of DER_Encoder::encode_if for single objects.
* 2012-05-31  lloyd  18 files, -424/+373
  Add new PBKDF interface that takes a std::chrono::milliseconds and runs the KDF until at least that much time has passed, then returns the number of iterations used. New parameter to the PKCS8 encryption routines which tells how long to run the PBKDF. Defaults to 200 milliseconds, which is short enough that it is unlikely to bother anyone but long enough to provide quite reasonable security against cracking attacks. On a Core i7-860, 200 ms with PBKDF2/SHA-1 runs about 180K to 220K iterations (compare with previous default of 10K). New PBE interface, remove new_params/set_key and require all inputs including the passphrase to be passed to the constructor. Drop the PGP S2K as it is pretty weird and not really useful outside of a full PGP implementation. Drop the deprecated PKCS8::encrypt_key and PKCS8::encode functions.
* 2012-05-30  lloyd  1 file, -2/+2
  Target GCC 4.7.0 by default