path: root/src
Commit message [Author, Age, Files, Lines]
* Report what we have already received on an unexpected state transition. That will come in handy someday. Allow the server to skip sending a session ticket. GnuTLS seems prone to offering it even if it doesn't have a key handy. Fix vector/secure_vector conversions in the SQLite session manager. [lloyd, 2012-06-07, 3 files, -9/+11]
* Cleanup, m_ namespace Secure_Renegotiation_State [lloyd, 2012-06-07, 3 files, -26/+28]
* Clients sending an SSLv2 hello would cause an internal failure because choose_sig_format assumed Client_Hello::supported_algos would always return something. For SSLv2 hellos, always set it to the default values. Noticed with OpenSSL 0.9.7m. If a client attempts renegotiation but does not have a secure renegotiation, only continue if policy allows it. Otherwise send a no_renegotiation alert (what exactly servers are supposed to do is not really made obvious by the RFC but this seems like reasonable behavior). [lloyd, 2012-06-07, 2 files, -2/+25]
* Fix for DHE, strip_leading_zeros always took off the last byte [lloyd, 2012-06-06, 1 file, -1/+1]
* Modify DL_Group::PEM_decode and BER_decode to take values instead of DataSource&. Remove spurious DataSource_Memory from ec_group.cpp. Some indent fixes. [lloyd, 2012-06-05, 6 files, -21/+19]
* Add assert_done checks here to help avoid interesting substitution attacks and in general detect invalid messages. [lloyd, 2012-06-05, 2 files, -0/+4]
* Always print the include dir as we are never in the default path anymore. [lloyd, 2012-06-05, 1 file, -4/+1]
* Wrong OID name [lloyd, 2012-06-01, 1 file, -1/+1]
* Missing source file from d8021f3e5aa8812a2843d6afd27bbe56d04af734 [lloyd, 2012-06-01, 1 file, -0/+44]
* Drop some deprecated functions [lloyd, 2012-06-01, 7 files, -224/+0]
* Allow arbitrary ciphers and hashes with PKCS #5 v2.0. The only requirement is that OIDs for "<cipher>/CBC" and "HMAC(<hash>)" are defined. This does assume the normal parameter set of just the IV, so doesn't work right for (IIRC) RC5, but we don't have an OID set for RC5/CBC anyway. Continue to default to SHA-1 plus AES-256 as prior versions of the library can't handle any hashes other than SHA-1 or any ciphers other than AES or DES. OpenSSL 1.0.0j seems to understand SHA-256 + AES-256, though. BER_Decoder::decode_optional was assuming optional values were explicitly tagged. Now, only take that behavior if the input class tag was for a context specific tagging. Remove abort call for debugging from BER_Decoder. Add a new version of DER_Encoder::encode_if for single objects. [lloyd, 2012-05-31, 8 files, -61/+45]
* Add new PBKDF interface that takes a std::chrono::milliseconds and runs the KDF until at least that much time has passed, then returns the number of iterations used. New parameter to the PKCS8 encryption routines which tells how long to run the PBKDF. Defaults to 200 milliseconds, which is short enough that it is unlikely to bother anyone but long enough to provide quite reasonable security against cracking attacks. On a Core i7-860, 200 ms with PBKDF2/SHA-1 runs about 180K to 220K iterations (compare with previous default of 10K). New PBE interface, remove new_params/set_key and require all inputs including the passphrase to be passed to the constructor. Drop the PGP S2K as it is pretty weird and not really useful outside of a full PGP implementation. Drop the deprecated PKCS8::encrypt_key and PKCS8::encode functions. [lloyd, 2012-05-31, 18 files, -424/+373]
* Target GCC 4.7.0 by default [lloyd, 2012-05-30, 1 file, -2/+2]
* Use libc++ with Clang by default as libstdc++ and Clang don't play well together in C++11 mode. [lloyd, 2012-05-30, 1 file, -1/+1]
* Call clear_mem instead of memset directly [lloyd, 2012-05-30, 2 files, -6/+7]
* Support for the authority information access extension, limited to only grabbing type 6 (URL) values for OCSP which is likely the only thing it's ever used for. Expose the value with new function X509_Certificate::ocsp_responder [lloyd, 2012-05-27, 5 files, -1/+86]
* Add an X509_Certificate::allowed_usage for extended constraints. Check that whatever certificate we got is allowed to sign OCSP responses. Add another helper function BER_Decoder to try to handle the ASN.1 mess. [lloyd, 2012-05-27, 5 files, -51/+64]
* Signature verification on OCSP responses. Still needs a bit of API reworking I think, and a lot more testing, but it seems functional. [lloyd, 2012-05-27, 4 files, -18/+89]
* Derive X509_Object from ASN1_Object. In the path validator, pass singular Certificate_Store args as const reference and const_cast them. It's not ideal but it seems to lead to the cleanest external API. Treat all v1 X.509 certs as implicit CAs. [lloyd, 2012-05-27, 7 files, -30/+52]
* Initial ability to check the results. [lloyd, 2012-05-27, 3 files, -26/+34]
* Very preliminary and fairly nasty OCSP support. Client side only. Can generate requests and parse replies, does not verify signatures or do most anything else useful yet. [lloyd, 2012-05-27, 5 files, -0/+408]
* Have BER_Decoder::decode_list actually start the SEQUENCE. All callers did it and it would be silly for it not to. Update the two existing callers, who were both doing start_cons().decode_list().end_cons() to just call decode_list(). Add BER_Decoder::get_next so we can get arbitrarily weird types without having to break message chains. Add dummy tag arguments to the ASN1_Object decoder so it can be used from decode_optional. [lloyd, 2012-05-27, 3 files, -12/+22]
* Remove the PRIVATE ASN.1 tag. Not being used outside of the pretty printer example, and really is just CONSTRUCTED | CONTEXT_SPECIFIC. Extend the ASN.1 printer to recurse into OCTET STRINGS that contain DER, and to print enumeration values. BOTAN_DLL export some OID operators (+, !=, <). Add an OID entry for 1.3.6.1.5.5.7.48.1.1 OCSP basic response. Correct the Certificate_Policies code, it was dumping policy OIDs into the extended key usage! [lloyd, 2012-05-27, 4 files, -5/+6]
* Several new hooks in X509_Certificate to get raw (from the cert binary) values which we need for OCSP. [lloyd, 2012-05-27, 2 files, -9/+39]
* No reason to use secure_vector here [lloyd, 2012-05-26, 2 files, -2/+2]
* Use std::deque instead of SecureQueue in TLS::Stream_Handshake_Reader as after all we are reading things that we received over a network connection so there certainly is no reason to try to mlock them. Also remove unneeded include in tls_record.h [lloyd, 2012-05-26, 3 files, -16/+18]
* Plain hex_decode now returns a std::vector, use hex_decode_locked to get a secure_vector. [lloyd, 2012-05-26, 5 files, -18/+66]
* Only build the mlock allocator on Linux, *BSD, or Solaris. As best I can tell those are the only Unix kernels that allow unprivileged users to mlock memory. [lloyd, 2012-05-26, 1 file, -0/+8]
* Some post merge fixups. Fix some bugs that triggered if DEFAULT_BUFFERSIZE was either too small or an odd size. [lloyd, 2012-05-25, 12 files, -69/+33]
* propagate from branch 'net.randombit.botan.x509-path-validation' (head 63b5a20eab129ca13287fda33d2d02eec329708f) to branch 'net.randombit.botan' (head 8b8150f09c55184f028f2929c4e7f7cd0d46d96e) [lloyd, 2012-05-25, 541 files, -9386/+14284]
  * Two more locking_allocator bugs. In allocate, we did not set best_fit->first in cases where we had an almost exact match (exact fit but with some alignment bytes at the start), meaning that not only would we lose those bytes forever, but that we might later hand out a range overlapping with what we handed to our current caller. Also, in deallocate, lower_bound on the freelist might return end() (for instance if the freelist is entirely empty). Avoid trying to update the iterator in that case. [lloyd, 2012-05-25, 1 file, -5/+9]
  * Use std::async for parallel CRT in Rabin Williams signature generation. [lloyd, 2012-05-25, 1 file, -6/+7]
  * Remove targets clang doesn't actually support [lloyd, 2012-05-25, 1 file, -6/+0]
  * Always use -pthread with clang, matching gcc behavior [lloyd, 2012-05-25, 1 file, -5/+3]
  * Include <string> in buf_comp.h and filter.h as we used std::string but were not including it in the header chain. Caused compilation failures using Clang 3.1 using libc++. Remove the 3-argument version of hash_seq in SRP6, was not being used. [lloyd, 2012-05-25, 3 files, -16/+2]
  * Resize key arrays in HMAC and SSL3_MAC when the key is set. Plus a few minor cleanups. [lloyd, 2012-05-25, 5 files, -18/+19]
  * Fix alignment again and add assert checks so we don't mess up again. We previously ignored a block that was exactly the right size for the allocation and the needed alignment. If we find such a block prefer it over any other (non-exact) blocks to minimize fragmentation. [lloyd, 2012-05-25, 1 file, -4/+30]
  * For block and stream ciphers, don't set the size of the key vectors until we are actually setting a key. This avoids the problem of prototype objects consuming not just memory but the precious few bytes of mlock'able memory that we're given by Linux. Use clear_mem instead of a loop in BigInt::mask_bits. If OS2ECP encounters an invalid format type, include what type it was in the exception message. [lloyd, 2012-05-25, 58 files, -193/+205]
  * Instead of a map of start->length for recording the free list use a vector of (start,length) where we are careful to maintain the correct ordering. Much much faster than the map version as it mostly avoids allocations and copies. [lloyd, 2012-05-24, 2 files, -33/+44]
  * Properly align return values of mlock_allocator. Be more careful about pointer checks as a sufficiently smart compiler might optimize away pointer comparisons otherwise. Avoid using an iterator value after we have released it from the map. Reduce the default buffer size to 1K to reduce pressure on mlock memory. Drop the old mlock wrapper code. [lloyd, 2012-05-22, 6 files, -108/+35]
  * Remove a debug call in secmem.h. Add a new mlock allocator which is far superior to the previous one both in terms of behavior (will lock exactly as much memory as we can actually mlock and will fall back to new/delete in all other cases), and much better and much simpler freelist than the old mem_pool code. Currently we only support systems with mmap+mlock, however it should be easy to extend to also support Windows VirtualLock if desired. [lloyd, 2012-05-22, 4 files, -4/+220]
  * Replace 0 and NULL pointer constants with nullptr. Also fix an old style cast in secmem.h [lloyd, 2012-05-18, 63 files, -176/+179]
  * Fairly huge update that replaces the old secmem types with std::vector using a custom allocator. Currently our allocator just does new/delete with a memset before deletion, and the mmap and mlock allocators have been removed. [lloyd, 2012-05-18, 379 files, -2834/+2047]
  * propagate from branch 'net.randombit.botan' (head 6332543aa5a8a4cc13662008ff9ac0f0016d9a4d) to branch 'net.randombit.botan.cxx11' (head 5517c9f8f6d1990f269afb94f569a97a80c5a5f4) [lloyd, 2012-05-18, 12 files, -99/+793]
    * NR_Verification_Operation::verify_mr would return false if the input was not the right size for a signature (following DSA). This would silently convert to an empty vector which we would treat as a valid message on the return. However the EMSA checks will always fail so not a huge problem. While checking this out I noticed that an empty value for EMSA4 would result in us reading memory we didn't own. [lloyd, 2012-05-18, 2 files, -2/+5]
    * Pipe::reset's requirement that a message be completed meant that exceptions thrown in end_msg (for instance in CBC decryption when the padding is bad) more or less screwed up the pipe completely. Allowing reset here at least allows an escape hatch. [lloyd, 2012-05-18, 1 file, -2/+0]
    * We were checking the wrong bit for rdrand support. Found using SDE's -ivb_rdrnd_cpuid option to toggle the bit off and on. Fortunately on Intel processors the bit we were actually checking is also enabled by Ivy Bridge. However it is also used on AMD Bulldozer processors to signal half-precision floating point support so we could false positive there. [lloyd, 2012-05-10, 1 file, -1/+1]
    * Markus Wanner pointed out on the mailing list that using rdrand opcode didn't work on older GCC/binutils. Instead hardcode the expression for rdrand %eax, which should work everywhere. Also, avoid including immintrin.h unless we're going to use it, to avoid problems with older compilers that lack that header (this caused build failures under GCC 3.4.6). [lloyd, 2012-05-07, 1 file, -3/+8]
    * Padding wasn't set for DSA keys. Irrelevant for cert verify as that isn't working here anyway, but also broke DSA servers. [lloyd, 2012-05-02, 2 files, -3/+3]
    * Partially roll back b2aef16225863cef27cdee4b91703966b3ed1458, it caused huge performance issues with DSA/ECDSA signing performance. [lloyd, 2012-04-28, 1 file, -2/+2]