Changelog


Today; Sunday 25 January 2015

2015-01-25 02:33:56 (9 hours ago) by Martin Nilsson <nilsson@opera.com>

Changed curve() into get_curve() to be consistent with the other methods, and to properly mask the get_curve() in Nettle.ECC_Curve.ECDSA.

2015-01-25 02:31:10 (9 hours ago) by Martin Nilsson <nilsson@opera.com>

Changed curve() into get_curve() to be consistent with the other methods, and to properly mask the get_curve() in Nettle.ECC_Curve.ECDSA.

2015-01-25 02:17:14 (9 hours ago) by Martin Nilsson <nilsson@opera.com>

Move from pubx/puby to point.

2015-01-25 02:12:43 (9 hours ago) by Martin Nilsson <nilsson@opera.com>

Added some basic Point support.

2015-01-25 01:57:00 (9 hours ago) by Martin Nilsson <nilsson@opera.com>

Synchronize with latest FF-DHE draft.

2015-01-25 01:47:14 (9 hours ago) by Martin Nilsson <nilsson@opera.com>

Fixed testsuite after name changes. Added FFDHE2048 test case.

Yesterday; Saturday 24 January 2015

2015-01-24 15:42:35 (20 hours ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [Nettle]: Updated to new ECC API.

FIXME: Crypto.ECC.Curve and Crypto.ECC.Curve.Point ought to
implement LFUN::_equal() and/or LFUN::`==().

2015-01-24 15:39:36 (20 hours ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [Nettle]: Updated to new ECC API.

FIXME: Crypto.ECC.Curve and Crypto.ECC.Curve.Point ought to
implement LFUN::_equal() and/or LFUN::`==().

2015-01-24 15:31:11 (20 hours ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Cipher: Updated ECDH(E) key exchanges to new ECC API.

2015-01-24 15:21:55 (20 hours ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Nettle.ECC_Curve: Curve-multiplication now returns Points.

NB: This is not backward compatible with previous releases of Pike 8.0.
Nettle.ECC_Curve: Added some documentation.
__builtin.Nettle.ECC_Curve: Some indentation changes.
__builtin.Nettle.ECC_Curve.Point: Use parent reference to size().
__builtin.Nettle: Moved Point to ECC_Curve.Point.

This will allow for using parent references in ECC_Curve.Point.

2015-01-24 15:19:59 (20 hours ago) by Martin Nilsson <nilsson@opera.com>

A surgical introduction of the ECC Point object. What really should happen is that ECC Curve operations generate Point objects instead of gmp arrays. Then all x/y variables should be replaced with Point objects in Cipher.
Bugfixes and support for serialization.

2015-01-24 15:19:58 (20 hours ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Nettle.ECC: Added initial implementation of Curve.Point.

This is to simplify handling of points on ECC curves.

Currently the code is sufficient to perform ECDSA, but
eg encode and decode would be nice.

TODO: Other code needs to be updated to accept Points.

2015-01-24 15:19:58 (20 hours ago) by Martin Nilsson <nilsson@opera.com>

ECC_Curve.Point can now deserialize x9.62 curve points.

2015-01-24 13:45:48 (21 hours ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Reduced code duplication somewhat.

All server-side derivation of the master secret is now done by
SSL.Connection::derive_master_secret().

2015-01-24 11:59:03 (23 hours ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Cipher.KeyExchange: Introduced got_client_key_exchange().

Renames ke->server_derive_master_secret() to
ke->got_client_key_exchange(), and changes it
to return the premaster secret.

This will reduce the amount of code duplication soon.

Friday 23 January 2015

2015-01-23 16:35:17 (2 days ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Cipher: Updated ECDH(E) key exchanges to new ECC API.

2015-01-23 16:31:41 (2 days ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Nettle.ECC_Curve: Curve-multiplication now returns Points.

NB: This is not backward compatible with current Pike 8.0.

2015-01-23 16:19:49 (2 days ago) by Martin Nilsson <nilsson@opera.com>

Pad signature to the same size as the key.

2015-01-23 14:17:42 (2 days ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Crypto.RandomString: Reduce entropy waste.

random_string() used to want as much entropy added as was extracted.
This had a tendency to cause frequent (expensive) reseeding for no
good reason. This patch changes the entropy estimates, and speeds up
random_string() about a factor 200.

Thursday 22 January 2015

2015-01-22 17:21:44 (3 days ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Use SSL.File instead of SSL.sslfile.

Also improved error handling on running out of fds.

Wednesday 21 January 2015

2015-01-21 20:32:39 (4 days ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Nettle.ECC_Curve: Added some documentation.

2015-01-21 20:25:14 (4 days ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

__builtin.Nettle.ECC_Curve: Some indentation changes.
__builtin.Nettle.ECC_Curve.Point: Use parent reference to size().

2015-01-21 20:19:03 (4 days ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

__builtin.Nettle: Moved Point to ECC_Curve.Point.

This will allow for using parent references in ECC_Curve.Point.

2015-01-21 18:23:09 (4 days ago) by Martin Nilsson <nilsson@opera.com>

Know about some primes in active use.

2015-01-21 17:10:22 (4 days ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Fixed the client certificate tests.

Tuesday 20 January 2015

2015-01-20 17:16:01 (5 days ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.PKCS.Signature: Added decode_signed().

2015-01-20 16:10:40 (5 days ago) by Martin Nilsson <nilsson@opera.com>

A surgical introduction of the ECC Point object. What really should happen is that ECC Curve operations generate Point objects instead of gmp arrays. Then all x/y variables should be replaced with Point objects in Cipher.

2015-01-20 15:13:11 (5 days ago) by Martin Nilsson <nilsson@opera.com>

Bugfixes and support for serialization.

2015-01-20 14:15:15 (5 days ago) by Martin Nilsson <nilsson@opera.com>

ECC_Curve.Point can now deserialize x9.62 curve points.
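The X9.62 decoding that the two "ECC_Curve.Point can now deserialize x9.62 curve points" entries refer to, as an added example in Python (not Pike's own code) using the published NIST P-256 parameters: it parses the uncompressed (0x04) form and, going beyond the commit, the compressed (0x02/0x03) form, and rejects any input that does not decode to a point on the curve, which is the check a deserializer must make before the point is fed into ECDH or ECDSA.

```python
# Added example, not code from Pike: decode ANSI X9.62 / SEC 1 elliptic-curve
# point encodings and validate that the result really lies on the curve.
# Curve parameters are NIST P-256 (secp256r1) as published in SEC 2 / FIPS 186-4.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
FIELD_BYTES = 32  # ceil(256 / 8)


def is_on_curve(x, y, p=P256_P, a=P256_A, b=P256_B):
    """True iff (x, y) satisfies y^2 = x^3 + a*x + b over GF(p)."""
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + a * x + b)) % p == 0


def decode_point(data, p=P256_P, a=P256_A, b=P256_B, size=FIELD_BYTES):
    """Parse an X9.62 point; returns (x, y) or raises ValueError.

    Accepted forms: 0x04 || X || Y (uncompressed) and 0x02/0x03 || X
    (compressed, the prefix gives the parity of Y).  The point at infinity
    (a single 0x00 byte) and hybrid forms are rejected: neither is a
    usable public key.
    """
    if not data:
        raise ValueError("empty point encoding")
    tag = data[0]
    if tag == 0x04:
        if len(data) != 1 + 2 * size:
            raise ValueError("bad length for uncompressed point")
        x = int.from_bytes(data[1:1 + size], "big")
        y = int.from_bytes(data[1 + size:], "big")
    elif tag in (0x02, 0x03):
        if len(data) != 1 + size:
            raise ValueError("bad length for compressed point")
        x = int.from_bytes(data[1:], "big")
        if x >= p:
            raise ValueError("x coordinate out of range")
        rhs = (x * x * x + a * x + b) % p
        # p = 3 (mod 4) for P-256, so a square root of rhs is rhs^((p+1)/4).
        y = pow(rhs, (p + 1) // 4, p)
        if (y * y) % p != rhs:
            raise ValueError("x coordinate has no point on the curve")
        if (y & 1) != (tag & 1):
            y = p - y
    else:
        raise ValueError("unsupported point encoding tag 0x%02x" % tag)
    if not is_on_curve(x, y, p, a, b):
        raise ValueError("point is not on the curve")
    return x, y


def encode_point(x, y, compressed=False, size=FIELD_BYTES):
    """Serialize (x, y) in X9.62 form; inverse of decode_point()."""
    xb = x.to_bytes(size, "big")
    if compressed:
        return bytes([0x02 | (y & 1)]) + xb
    return b"\x04" + xb + y.to_bytes(size, "big")


def safe_decode(data):
    """Decode, mapping ValueError to None (handy when tabulating rejects)."""
    try:
        return decode_point(data)
    except ValueError:
        return None


if __name__ == "__main__":
    g = encode_point(P256_GX, P256_GY)
    print("G decodes:", decode_point(g) == (P256_GX, P256_GY))
    gc = encode_point(P256_GX, P256_GY, compressed=True)
    print("compressed G decodes:", decode_point(gc) == (P256_GX, P256_GY))
    # Constructed bad input: flip the low bit of Y in the uncompressed encoding.
    print("tampered G rejected:", safe_decode(g[:-1] + bytes([g[-1] ^ 1])) is None)
```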

2015-01-20 10:54:07 (5 days ago) by Martin Nilsson <nilsson@opera.com>

Line wrap comment.
Don't crash when q[d] is already cleared.

Monday 19 January 2015

2015-01-19 22:42:25 (6 days ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Fixed handshake packet order check.

The handshake packets certificate_verify and client_key_exchange are
allocated in the wrong order.

2015-01-19 17:41:02 (6 days ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Reduced variable lifetime.

Also makes sure that session->curve is up to date.

2015-01-19 14:32:40 (6 days ago) by Martin Nilsson <nilsson@opera.com>

Deprecated verify_certificates, as auth_level does the same thing. This breaks some tests that appear to be incomplete, so disable them.

2015-01-19 13:47:47 (6 days ago) by Martin Nilsson <nilsson@opera.com>

Document AUTHLEVEL a bit.

2015-01-19 13:16:24 (6 days ago) by Martin Nilsson <nilsson@opera.com>

Don't allow non-zero padding in bitstrings. This change is not fully backwards compatible.

Sunday 18 January 2015

2015-01-18 13:27:35 (7 days ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Implemented TLS 1.3 draft 4 CertificateVerify.

Saturday 17 January 2015

2015-01-17 13:49:52 (1 week ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Session: Filter suites unsupported in TLS 1.3.

2015-01-17 13:26:21 (1 week ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Fixed multiple TLS 1.3 draft 4 handshaking issues.

The implicit changing of the cipher suite now seems to work.

Friday 16 January 2015

2015-01-16 17:17:10 (1 week ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Handle TLS 1.3 CertificateVerify.

Thursday 15 January 2015

2015-01-15 17:55:30 (1 week ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Added got_certificate_request().

This breaks out the code for handling certificate requests from
handle_handshake() to a separate function to reduce code-
duplication when implementing TLS 1.3.

Wednesday 14 January 2015

2015-01-14 15:57:19 (2 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Support the TLS 1.3 early data extension.

This extension is used in TLS 1.3 to create backward compatible
(TLS 1.2 and earlier) handshakes.

Tuesday 13 January 2015

2015-01-13 16:14:52 (2 weeks ago) by Martin Karlgren <marty@roxen.com>

release number bumped to 914 by export.pike
release number bumped to 915 by export.pike

2015-01-13 14:35:41 (2 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Support TLS 1.3 ServerKeyShare.

Monday 12 January 2015

2015-01-12 16:02:48 (2 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Support TLS 1.3 HelloRetryRequest.

Sunday 11 January 2015

2015-01-11 19:07:17 (2 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: derive_master_secret() now knows about TLS 1.3 draft 4.

2015-01-11 19:04:04 (2 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: hash_messages() now takes a length argument.

In TLS 1.3 hash_messages() will be used to generate the various
master keys, which are longer than 12 bytes.

Saturday 10 January 2015

2015-01-10 13:49:00 (2 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Support TLS 1.3 ClientHello.

Adds support for the TLS 1.3 ClientKeyShare, and replies as
appropriate with RetryRequest, ServerKeyShare or session resumption.

2015-01-10 13:22:15 (2 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Keep handshake_messages running.

In TLS 1.3 multiple ClientHello messages may show up validly in
the handshake transcript, so don't truncate the transcript.

2015-01-10 12:55:26 (2 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Support multiple concurrent pending keys.

In TLS 1.3 multiple keys will be in use in a short span of time.
This change reduces the risk of overwriting not yet used keys
due to timing issues.

Friday 09 January 2015

2015-01-09 19:41:01 (2 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Removed some obsolete FIXMEs.

2015-01-09 19:32:31 (2 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Added send_certs().

This breaks out the code for sending client certificates from
handle_handshake() to a separate function to reduce code-
duplication when implementing TLS 1.3.

2015-01-09 11:58:23 (2 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: ChangeCipherSpec is not sent on the wire in TLS 1.3.

Thursday 08 January 2015

2015-01-08 18:03:41 (2 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Constants: Added STATE_wait_for_key_share.

This state will be used in TLS 1.3.

2015-01-08 08:25:18 (2 weeks ago) by Martin Nilsson <nilsson@opera.com>

We import '.', so we'll find Cipher unprefixed.

Wednesday 07 January 2015

2015-01-07 18:06:52 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Support TLS 1.3 ClientKeyShare.

client_hello() now sends a pure TLS 1.3 hello if Context.min_version
is TLS 1.3 or later, a compat TLS 1.3 hello if Context.max_version is
TLS 1.3 or later, and a legacy TLS 1.2 or earlier handshake otherwise.

Note that SSL.ServerConnection does not yet support pure TLS 1.3 hellos,
and that the SSL.ClientConnection won't be happy with the result from a
server that does support TLS 1.3.

Tuesday 06 January 2015

2015-01-06 15:37:40 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Use new_cipher_states().

Reduces code duplication.

2015-01-06 15:25:28 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Enforce handshake packet order.

All currently supported handshake packets are allocated in order.

2015-01-06 15:10:42 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Packet: Fixed return type for send().

Fixes warning.
SSL.Connection: Clean up CCS handling.

expect_change_cipher is now only set by change_cipher_packet().

This is in preparation for TLS 1.3 where CCS won't be on the wire.

2015-01-06 14:23:21 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Added derive_master_secret().

More unification of code in client and server.

Monday 05 January 2015

2015-01-05 17:27:12 (3 weeks ago) by Arne Goedeke <el@laramies.com>

peep: add some necessary overflow checks
Further work on AARCH32:

* improved immediate stores
* use store multiple for int2sval store
* use register allocator

Author: Arne Goedeke <el@laramies.com>
Author: Tobias S. Josefowitz <tobij@tobij.de>

2015-01-05 14:26:38 (3 weeks ago) by Stephen R. van den Berg <srb@cuci.nl>

pgsql: Drop unnamedstatementkey even if destroyed randomly.
pgsql: Drop unnamedstatementkey even if destroyed randomly.

2015-01-05 13:00:16 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: handshake_packet() now accepts Stdio.Buffer.

Also converts some #defines to protected constants to avoid
syntax errors.

2015-01-05 12:51:57 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: client_hello() now knows about early_data.

The early_data extension is used in TLS 1.3 to keep backward
compatibility. Unfortunately no code point for the extension
has been allocated yet, so the selected code point will most
likely change.

Sunday 04 January 2015

2015-01-04 17:51:19 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Parameterized the client certificate test.

Also adds progress indicator to the client certificate test.

2015-01-04 01:01:00 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Parameterized the client/server combination test.

Replaced the list of client/server tests (100 tests) with a single
test_tests(), as the number of tests increases as O(n^4) (with
TLS 1.3 the list would grow to 225, and then to 441).

Saturday 03 January 2015

2015-01-03 17:59:40 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Use fmt_version() in progress indicator.

2015-01-03 14:48:47 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Cipher: lookup() now knows about TLS 1.3.

Friday 02 January 2015

2015-01-02 15:28:00 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Cipher: Some more KeyShare-related API changes.

The API now seems to be usable for TLS 1.3.

Thursday 01 January 2015

2015-01-01 22:46:12 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Cipher: Added FIXME.

2015-01-01 22:31:23 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Constants: Updated some HANDSHAKE_* constants from TLS 1.3.

The TLS 1.3 draft in progress has renumbered these constants.

2015-01-01 13:40:33 (3 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: More cipher suites obsoleted in TLS 1.3.

TLS 1.3 only has support for ephemeral key exchanges.

Wednesday 31 December 2014

2014-12-31 13:23:52 (4 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Added server_{hello_retry_request,key_share}_packet().

These are both used in TLS 1.3.

2014-12-31 04:59:25 (4 weeks ago) by Tobias S. Josefowitz <tobij@tobij.de>

Standards.IIM: Locale.Charset -> Charset

2014-12-31 04:55:28 (4 weeks ago) by Tobias S. Josefowitz <tobij@tobij.de>

Filesystem.Zip: fix return type of helper function
Standards.IIM: Locale.Charset -> Charset

Tuesday 30 December 2014

2014-12-30 22:06:54 (4 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Precompiler: Fixed typo in generated output.

2014-12-30 22:04:40 (4 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Precompiler: Fixed typo in generated output.

2014-12-30 17:40:44 (4 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Moved certificate_verify_packet() to Connection.

In TLS 1.3 this packet will be generated on the server side too.

Monday 29 December 2014

2014-12-29 15:22:19 (4 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Precompiler: Fix support for recent Pike 7.8.

Pike 7.8.594 and later have TYPEOF() et al, but not set_program_id_to_id().

2014-12-29 15:18:32 (4 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Precompiler: Fix support for recent Pike 7.8.

Pike 7.8.594 and later have TYPEOF() et al, but not set_program_id_to_id().

2014-12-29 15:01:44 (4 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Protocols.LDAP: Attempt to pin connections to the same server.

When using replication and DNS-round-robin for LDAP, it is common that
the servers in the rotation aren't 100% identical, so attempt to have
successive connections go to the same LDAP server if possible, otherwise
higher level protocols (eg incremental updates) may be broken.

Fixes [bug 7406].

Also improves support for IPv6.
Protocols.LDAP: Attempt to pin connections to the same server.

When using replication and DNS-round-robin for LDAP, it is common that
the servers in the rotation aren't 100% identical, so attempt to have
successive connections go to the same LDAP server if possible, otherwise
higher level protocols (eg incremental updates) may be broken.

Fixes [bug 7406].

Also improves support for IPv6.

2014-12-29 14:57:06 (4 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Protocols.LDAP: Attempt to pin connections to the same server.

When using replication and DNS-round-robin for LDAP, it is common that
the servers in the rotation aren't 100% identical, so attempt to have
successive connections go to the same LDAP server if possible, otherwise
higher level protocols (eg incremental updates) may be broken.

Fixes [bug 7406].

Also improves support for IPv6.

Sunday 28 December 2014

2014-12-28 14:53:34 (4 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: More KeyShare{EC,}DHE fixes for TLS 1.3.

Saturday 27 December 2014

2014-12-27 16:15:05 (4 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Added KeyShare{EC,}DHE in preparation for TLS 0.3.

Friday 26 December 2014

2014-12-26 01:29:52 (4 weeks ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Constants: Added HANDSHAKE_hello_retry_request from TLS 1.3 draft 3.

Thursday 25 December 2014

2014-12-25 01:06:25 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Test client certificates for all versions of SSL/TLS.
Testsuite [SSL]: Improved robustness of test_ssl_connection().

test_ssl_connection() now survives getting multiple suites where
the first argument is an unsupported suite. This previously led
to getting complaints about not getting the expected suite.
Testsuite [SSL]: Test client certificates for all versions of SSL/TLS.

Wednesday 24 December 2014

2014-12-24 10:00:39 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Improved robustness of test_ssl_connection().

test_ssl_connection() now survives getting multiple suites where
the first argument is an unsupported suite. This previously led
to getting complaints about not getting the expected suite.

Tuesday 23 December 2014

2014-12-23 15:11:58 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Crypto: Added some FIXMEs regarding RFC 6979.

2014-12-23 14:45:12 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.PKCS: Added some identifiers from RFC 4055.

Also adds some RFC references.

2014-12-23 14:41:16 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.PKCS: Added some identifiers from RFC 4055.

Also adds some RFC references.

Monday 22 December 2014

2014-12-22 17:02:48 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Fixed variable name confusion.

In the handling of client certificates there was a local variable
"input" that shadowed another local variable of the same name, and
seems to have been initialized from itself.

NB: Already fixed in Pike 8.0.

2014-12-22 16:57:20 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Extract the public key from the client cert.

This is needed to be able to validate the certificate verify message.
SSL.ServerConnection: Fixed NULL-deref.

There's no key exchange in progress at STATE_wait_for_verify time.

2014-12-22 16:03:05 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Send client certificate verify packet.

Update certificate_verify_packet() and reenable the related code.

Also fixes several FIXME's regarding the dual use of the
certificate_state variable. It is now strictly used only
for the server certificates.

Client-side support for client certificates should now work.

2014-12-22 16:00:55 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Fixed some erroneous failures.

The server_ctx list of suites needs to be restored after the Suite-B tests.
Otherwise the server will select a different suite than the testsuite expects.
Testsuite [SSL]: Use same DN for the RSA certs as for the others.

The RSA cert is created via a different taste of the
Standards.PKCS.Certificate.build_distinguished_name() than
the DSA and ECDSA certs. Reorder the fields to make sure
that the exact same DN is generated in both cases.

Fixes issue where SSL.Context()->find_cert_issuer() either
didn't find the RSA certs, or didn't find only the RSA certs.
Testsuite: Added some tests of client certificates.

Sunday 21 December 2014

2014-12-21 13:17:36 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Fixed NULL-deref.

There's no key exchange in progress at STATE_wait_for_verify time.

2014-12-21 13:09:37 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Extract the public key from the client cert.

This is needed to be able to validate the certificate verify message.

2014-12-21 12:28:01 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Send client certificate verify packet.

Update certificate_verify_packet() and reenable the related code.

Also fixes several FIXME's regarding the dual use of the
certificate_state variable. It is now strictly used only
for the server certificates.

Client-side support for client certificates should now work.

2014-12-21 12:18:27 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Fixed some erroneous failures.

The server_ctx list of suites needs to be restored after the Suite-B tests.
Otherwise the server will select a different suite than the testsuite expects.

2014-12-21 05:57:07 (1 month ago) by Martin Nilsson <nilsson@opera.com>

Fixed warning.

2014-12-21 05:49:25 (1 month ago) by Martin Nilsson <nilsson@opera.com>

The auth_level and cert checks are done in verify_certificate_chain, so no need to do them here. The length checks here are bogus and will always fail.
cert is always set in all callers, and the current code would crash anyway if it wasn't. Remove check.

2014-12-21 05:02:01 (1 month ago) by Martin Nilsson <nilsson@opera.com>

Minor clean up.
Added HKDF, used by e.g. IKEv2 (IPSec).

Saturday 20 December 2014

2014-12-20 22:23:42 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Use same DN for the RSA certs as for the others.

The RSA cert is created via a different taste of the
Standards.PKCS.Certificate.build_distinguished_name() than
the DSA and ECDSA certs. Reorder the fields to make sure
that the exact same DN is generated in both cases.

Fixes issue where SSL.Context()->find_cert_issuer() either
didn't find the RSA certs, or didn't find only the RSA certs.

2014-12-20 19:41:10 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Constants: Added some more notes about DTLS.

Friday 19 December 2014

2014-12-19 17:32:59 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Constants: Added some DTLS constants.

Thursday 18 December 2014

2014-12-18 13:24:32 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Gmp: Disable Gmp.smpz()->invert().

This function has multiple issues:

* It doesn't work as implemented (eg argument 6 to mpb_sec_invert()
is wrong).

* It would clobber THIS. Gmp manual 8.1:
"In either case, the input A is destroyed."

* To work, the number of limbs in THIS, modulo and res MUST
be the same (aka n). This can probably be accomplished
by using mpz_realloc2(), of which the Gmp manual 5.1 says:
"Calling this function is never necessary; reallocation is
handled automatically by GMP when needed."

Fixing the above issues while still keeping the _sec property
is non-trivial, and best left to the Gmp people, so we wait for
an mpz_invert_sec().

2014-12-18 11:46:04 (1 month ago) by Marcus Wellhardh <wellhardh@roxen.com>

release number bumped to 912 by export.pike
release number bumped to 913 by export.pike

Wednesday 17 December 2014

2014-12-17 17:18:42 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

Gmp: Renaming of macros.

The old LIMBS(X) has been renamed to ALIMBS(X) (all allocated limbs).

Adds a new LIMBS(X) which returns the array of limbs.

Tuesday 16 December 2014

2014-12-16 17:47:13 (1 month ago) by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Cipher: validate_dh() now knows about the FFDHE groups.

Also adds the MODP groups of equivalent strength.

2014-12-16 17:00:55 (1 month ago) by Stephen R. van den Berg <srb@cuci.nl>

Fix typo.

2014-12-16 01:06:43 (1 month ago) by Bill Welliver <bill@welliver.org>

Nettle: build successfully on Windows
build: modules that invoke pike for building should now be able to do so.

Bugs mentioned

  7406 RESOLVED Protocols.LDAP: Lock on AD-server (DNS round robin) until failover needed to avoid flip-flop.
  915 RESOLVED Spaces needed around example boxes.