
2019-12-04

2019-12-04 21:53:34 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.clientConnection: Session tickets (RFC 4507 and RFC 5077).

Client side support for session tickets.

Implementation only verified against itself.

Backported from 95ad6e4388b6576d7012110efe0edb3479a8422f by Tobias
Josefowitz.

2019-12-04 21:10:03 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Session tickets (RFC 4507 and RFC 5077).

Server side support for session tickets.

Note that the default ticket encoding is to use the session_id;
it thus uses server-side state. The ticket encoding can be changed
by overriding {en,de}code_ticket() in SSL.Context.

Implementation verified against OpenSSL's s_client.

Backported from 372b2a05d05fa0d0e052e6634d2acf8d03629ed4 by Tobias
Josefowitz.

2019-05-28

2019-05-28 11:38:50 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Use SignatureScheme instead of array({Hash,Signature}Algorithm).

2019-05-28 09:25:54 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Renumbered HASH_* in preparation for using SignatureScheme.

2019-05-17

2019-05-17 16:44:18 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Improved diag on cipher suite mismatch.

2019-03-19

2019-03-19 12:33:55 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Merge commit '722771973bd' into patches/lyslyskom22891031

* commit '722771973bd': (6177 commits)
Verify that callablep responses are aligned with reality.
...

2019-03-14

2019-03-14 10:39:03 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Merge commit '2470270f500c728d10b8895314d8d8b07016e37b' into grubba/typechecker-automap

* commit '2470270f500c728d10b8895314d8d8b07016e37b': (18681 commits)
Removed the old typechecker.
...

2018-11-04

2018-11-04 16:11:11 by Arne Goedeke <el@laramies.com>

Merge remote-tracking branch 'origin/master' into new_utf8

2018-11-03

2018-11-03 14:21:37 by Marcus Comstedt <marcus@mc.pp.se>

Merge remote-tracking branch 'origin/8.1' into gobject-introspection

2018-04-28

2018-04-28 23:36:44 by Martin Nilsson <nilsson@fastmail.com>

Fixed broken SNI decoding.

2017-12-31

2017-12-31 23:19:10 by Peter Bortas <bortas@gmail.com>

Merge remote-tracking branch 'origin/8.1' into peter/travis

2017-12-12

2017-12-12 13:41:02 by Martin Nilsson <nilsson@fastmail.com>

Sparse list of version support added.

2017-12-11

2017-12-11 21:31:18 by Martin Nilsson <nilsson@fastmail.com>

Implemented supported_versions

2017-12-09

2017-12-09 10:12:14 by Martin Nilsson <nilsson@fastmail.com>

Remove 1.3 logic, as the handshake is completely overhauled.

2016-07-13

2016-07-13 12:18:00 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Session tickets (RFC 4507 and RFC 5077).

Server side support for session tickets.

Note that the default ticket encoding is to use the session_id;
it thus uses server-side state. The ticket encoding can be changed
by overriding {en,de}code_ticket() in SSL.Context.

Implementation verified against OpenSSL's s_client.

2016-07-11

2016-07-11 11:14:27 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Removed extraneous else.

Minor code clean-up.

2016-02-26

2016-02-26 21:04:36 by Martin Nilsson <nilsson@fastmail.com>

Empty SNI host name is fatal.

2016-01-16

2016-01-16 22:03:14 by Martin Nilsson <nilsson@fastmail.com>

Fix an issue where EC client certificate would overwrite EC KE on server side.

2015-12-18

2015-12-18 13:52:09 by Martin Nilsson <nilsson@fastmail.com>

Rename preferred_auth_methods to client_auth_methods, and fill it with actual certificate type information.

2015-11-01

2015-11-01 17:44:19 by Martin Nilsson <nilsson@fastmail.com>

NSA IA now only recommends AES-256, P-384, SHA-384, 3072+ bit DH, 3072+ bit RSA

2015-09-24

2015-09-24 02:21:11 by Martin Nilsson <nilsson@fastmail.com>

Allow fine grained control over what extensions to use.

2015-09-14

2015-09-14 00:18:05 by Martin Nilsson <nilsson@fastmail.com>

Simplified the Safari heuristics a bit.

2015-09-13

2015-09-13 23:57:21 by Martin Nilsson <nilsson@fastmail.com>

Uneven signature algorithms extension data is a fatal error.

2015-09-13 23:49:37 by Martin Nilsson <nilsson@fastmail.com>

Stop running the Safari heuristics when we know it isn't a Safari client.

2015-09-13 10:10:12 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Context: Added option to disable renegotiation.

This is a feature required by HTTP/2 (RFC 7540 9.2.1).

2015-09-11

2015-09-11 22:15:53 by Martin Nilsson <nilsson@fastmail.com>

Fixed cut-n-pasted variable name.

2015-09-11 22:08:33 by Martin Nilsson <nilsson@fastmail.com>

Let max fragment length extension trigger buffer underflow exception if it happens.

2015-09-11 21:04:22 by Martin Nilsson <nilsson@fastmail.com>

Somewhat stricter ALPN processing.

2015-09-07

2015-09-07 22:57:31 by Martin Nilsson <nilsson@fastmail.com>

Reject some illegal extensions.

2015-09-07 16:42:20 by Martin Nilsson <nilsson@fastmail.com>

Localize Safari 10.8 workaround a bit more.

2015-09-02

2015-09-02 20:16:22 by Martin Nilsson <nilsson@fastmail.com>

Disable extended master secret extension by default. It isn't standardized yet, and currently doesn't interoperate with Chrome.

2015-09-02 20:08:06 by Martin Nilsson <nilsson@fastmail.com>

Truncated HMAC may be a security issue, and isn't really supported by anyone else. Disable it by default.

2015-08-19

2015-08-19 13:13:21 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Fixed session resumption.

The SMACKTest changes broke session resumption (by sending
double CCS on the server side for resumed sessions).

2015-08-17

2015-08-17 14:09:30 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Delay sending of CCS.

Delay sending of the Change Cipher Spec message until we have
received and verified the Finished message from the peer.

This makes SMACKTest (http://smacktest.com/) happy.

2015-07-06

2015-07-06 13:52:56 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Support ALPN being accepted.

Fixes [LysLysKOM 21365565].

2015-07-06 13:36:00 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Support ALPN being accepted.

Fixes [LysLysKOM 21365565].

2015-04-25

2015-04-25 13:23:47 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Updates from RFC 7507.

The TLS Downgrade SCSV draft is now an RFC.

2015-04-15

2015-04-15 16:48:41 by Martin Nilsson <nilsson@opera.com>

Reindent.

2015-04-15 16:39:53 by Martin Nilsson <nilsson@opera.com>

Avoid single case switches. This will get rid of some indentation.

2015-04-15 12:00:20 by Martin Nilsson <nilsson@opera.com>

handshake_messages now uses Buffer, and gets a small bit of abstraction also.

2015-04-13

2015-04-13 14:27:05 by Martin Nilsson <nilsson@opera.com>

Let the packet errors be generated by the recv caller.

2015-04-11

2015-04-11 14:41:15 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Added some comments and fixed some debug typos.

Also adds some FIXME's.

2015-03-31

2015-03-31 17:00:13 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection [TLS 1.3]: Early data may now work again.

2015-03-31 16:18:01 by Martin Nilsson <nilsson@opera.com>

Changed packet parsing to use Stdio.Buffer objects. The Packet factory is still weird and needs some more thought.

2015-03-30

2015-03-30 23:21:14 by Martin Nilsson <nilsson@opera.com>

Removed two more now unneeded checks.

2015-03-30 23:14:02 by Martin Nilsson <nilsson@opera.com>

Check for extra packet data after calling handle_handshake. This will break the code if we are currently incorrectly ignoring any packet data.

2015-03-30 21:30:19 by Martin Nilsson <nilsson@opera.com>

Use Buffer objects instead of strings for handle_handshake API.

2015-03-30 20:27:37 by Martin Nilsson <nilsson@opera.com>

Made internal methods protected.

2015-03-16

2015-03-16 16:56:24 by Martin Nilsson <nilsson@opera.com>

Show the clients version when handshake fails.

2015-03-09

2015-03-09 13:13:03 by Martin Nilsson <nilsson@opera.com>

Don't fail on empty padding extensions.

2015-03-07

2015-03-07 13:42:51 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Context: Added support for private FFDHE-groups.

2015-03-05

2015-03-05 18:27:31 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Constants: Updated FFDHE to draft-ietf-tls-negotiated-ff-dhe-07.

The reintroduction of GROUP_ffdhe2432 in draft #6 was apparently
a cut-and-paste bug.

Also extends the group selection heuristic to use GROUP_ffdhe6144.

2015-03-05 17:58:41 by Martin Nilsson <nilsson@opera.com>

Latest FFDHE draft is a bit inconsistent with protocol definitions and defined fields. It appears, though, that 2048 is replaced with 2432, though 2432 isn't defined in the appendix.

2015-02-26

2015-02-26 14:51:52 by Martin Nilsson <nilsson@opera.com>

Properly handle curve points formatted with the wrong encoding (as in first sending a fatal alert before closing).

2015-02-25

2015-02-25 00:53:49 by Martin Nilsson <nilsson@opera.com>

Moved common preprocessor defines to tls.h

2015-02-24

2015-02-24 16:49:30 by Martin Nilsson <nilsson@opera.com>

Abstract the fatal alerts a bit.

2015-02-23

2015-02-23 14:02:37 by Martin Nilsson <nilsson@opera.com>

Move some variable checks closer to where the data is parsed, in particular the cipher_len check to before it is used. Renamed id to session_id.

2015-02-23 12:41:19 by Martin Nilsson <nilsson@opera.com>

We already filter out ECC suites in Session, so no need to do that in ServerConnection as well. Moved point format check.

2015-02-22

2015-02-22 18:37:49 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Implemented EXTENSION_extended_master_secret.

2015-02-22 18:29:20 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Prepare for EXTENSION_extended_master_secret.

This makes sure that handshake_messages isn't altered for
HANDSHAKE_client_key_exchange until after the master secret
is generated.

2015-02-01

2015-02-01 09:26:38 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Cipher.KeyExchange: Added init_{client,server}().

Added separate initialization functions for key exchange on
client and server. These will later be used for certificate-
based key exchanges.

2015-01-31

2015-01-31 11:41:57 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Improved group selection for TLS 1.3.

Now uses the guidelines from RFC 3766 to select a suitable FFDHE group.

Selects the smallest available group that is large enough if possible,
and otherwise the largest available group.

The same algorithm is also used in the corresponding ECC code.
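The selection rule described in this commit message, written out as an added Python example (not Pike's SSL module): the strength-to-modulus rows are transcribed from the table in RFC 3766 section 5, the FFDHE group names are those of the negotiated-ff-dhe draft (RFC 7919), the curves are the RFC 4492 NIST curves, and the client and server group lists are constructed for the example.

```python
"""Group-selection heuristic: among the groups both peers support, take the
smallest one that is large enough for the negotiated cipher suite; if none
is large enough, take the largest. The same rule is applied to ECDHE curves.
"""
from typing import Dict, Optional, Sequence

# RFC 3766 section 5: (symmetric key size, RSA/DH modulus size) in bits with
# comparable attack resistance.
RFC3766_DH_EQUIVALENT = [
    (70, 947), (80, 1228), (90, 1553), (100, 1926),
    (150, 4575), (200, 8719), (250, 14596),
]

# Named FFDHE groups (draft-ietf-tls-negotiated-ff-dhe / RFC 7919): modulus bits.
FFDHE_GROUPS: Dict[str, int] = {
    "ffdhe2048": 2048, "ffdhe3072": 3072, "ffdhe4096": 4096,
    "ffdhe6144": 6144, "ffdhe8192": 8192,
}

# NIST prime curves (RFC 4492): field size in bits.
ECDHE_CURVES: Dict[str, int] = {
    "secp256r1": 256, "secp384r1": 384, "secp521r1": 521,
}


def min_dh_bits(symmetric_bits: int) -> int:
    """Smallest tabulated DH modulus whose row strength covers symmetric_bits.

    Rounds up to the next table row; strengths above the last row map to the
    last row's modulus size (the table stops at 250 bits).
    """
    for strength, modulus_bits in RFC3766_DH_EQUIVALENT:
        if strength >= symmetric_bits:
            return modulus_bits
    return RFC3766_DH_EQUIVALENT[-1][1]


def min_ec_bits(symmetric_bits: int) -> int:
    """RFC 3766 estimate: EC field size about twice the symmetric key size."""
    return 2 * symmetric_bits


def select_group(common: Sequence[str], sizes: Dict[str, int],
                 required_bits: int) -> Optional[str]:
    """The heuristic itself: smallest large-enough group, else the largest.

    `common` is the intersection of the groups the client offered and the
    groups the server is configured with; unknown names are ignored and an
    empty intersection yields None (no (EC)DHE suite can be used).
    """
    usable = [g for g in common if g in sizes]
    if not usable:
        return None
    large_enough = [g for g in usable if sizes[g] >= required_bits]
    if large_enough:
        return min(large_enough, key=sizes.__getitem__)
    return max(usable, key=sizes.__getitem__)


def select_ffdhe_group(client_groups: Sequence[str], server_groups: Sequence[str],
                       symmetric_bits: int) -> Optional[str]:
    """FFDHE selection for a suite whose cipher has symmetric_bits of strength."""
    common = [g for g in server_groups if g in client_groups]
    return select_group(common, FFDHE_GROUPS, min_dh_bits(symmetric_bits))


def select_ecdhe_curve(client_curves: Sequence[str], server_curves: Sequence[str],
                       symmetric_bits: int) -> Optional[str]:
    """Same heuristic for ECDHE, as the commit message says the ECC code does."""
    common = [c for c in server_curves if c in client_curves]
    return select_group(common, ECDHE_CURVES, min_ec_bits(symmetric_bits))


if __name__ == "__main__":
    # Constructed: client offers every FFDHE group, server only up to 4096 bits.
    client = list(FFDHE_GROUPS)
    server = ["ffdhe2048", "ffdhe3072", "ffdhe4096"]
    # AES-128 needs a 4575-bit modulus per the table: nothing common is large
    # enough, so the largest common group, ffdhe4096, is chosen.
    print(select_ffdhe_group(client, server, 128))
    # With the full server set, ffdhe6144 is the smallest group that suffices.
    print(select_ffdhe_group(client, client, 128))
```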

2015-01-30

2015-01-30 14:57:59 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Fixed broken debug message.

2015-01-28

2015-01-28 16:28:57 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: No HANDSHAKE_client_key_exchange in TLS 1.3.

2015-01-27

2015-01-27 15:41:47 by Martin Nilsson <nilsson@opera.com>

Send Buffer objects to got_client_key_exchange.

2015-01-26

2015-01-26 16:56:48 by Martin Nilsson <nilsson@opera.com>

Use peer_public_key instead of peer_certificate_chain to determine if we got any certificates.

2015-01-26 16:49:54 by Martin Nilsson <nilsson@opera.com>

Always check that the certificate handshake packet is fully consumed. Don't decode certificates more than once.

2015-01-26 16:29:28 by Martin Nilsson <nilsson@opera.com>

Merge common certificate decoding code. No changes in behavior.

2015-01-25

2015-01-25 01:33:56 by Martin Nilsson <nilsson@opera.com>

Changed curve() into get_curve() to be consistent with the other methods, and to properly mask the get_curve() in Nettle.ECC_Curve.ECDSA.

2015-01-25 01:31:10 by Martin Nilsson <nilsson@opera.com>

Changed curve() into get_curve() to be consistent with the other methods, and to properly mask the get_curve() in Nettle.ECC_Curve.ECDSA.

2015-01-24

2015-01-24 12:45:48 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Reduced code duplication somewhat.

All server-side derivation of the master secret is now done by
SSL.Connection::derive_master_secret().

2015-01-24 10:59:03 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Cipher.KeyExchange: Introduced got_client_key_exchange().

Renames ke->server_derive_master_secret() to
ke->got_client_key_exchange(), and changes it
to return the premaster secret.

This will reduce the amount of code duplication soon.

2015-01-19

2015-01-19 21:42:25 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Fixed handshake packet order check.

The handshake packets certificate_verify and client_key_exchange are
allocated in the wrong order.

2015-01-19 16:41:02 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Reduced variable lifetime.

Also makes sure that session->curve is up to date.

2015-01-18

2015-01-18 12:27:35 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Implemented TLS 1.3 draft 4 CertificateVerify.

2015-01-17

2015-01-17 12:26:21 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Fixed multiple TLS 1.3 draft 4 handshaking issues.

The implicit changing of the cipher suite now seems to work.

2015-01-14

2015-01-14 14:57:19 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Support the TLS 1.3 early data extension.

This extension is used in TLS 1.3 to create backward compatible
(TLS 1.2 and earlier) handshakes.

2015-01-10

2015-01-10 12:49:00 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Support TLS 1.3 ClientHello.

Adds support for the TLS 1.3 ClientKeyShare, and replies as
appropriate with RetryRequest, ServerKeyShare or session resumption.

2015-01-10 12:22:15 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Keep handshake_messages running.

In TLS 1.3 multiple ClientHello messages may show up validly in
the handshake transcript, so don't truncate the transcript.

2015-01-10 11:55:26 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Support multiple concurrent pending keys.

In TLS 1.3 multiple keys will be in use in a short span of time.
This change reduces the risk of overwriting not yet used keys
due to timing issues.

2015-01-06

2015-01-06 14:37:40 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Use new_cipher_states().

Reduces code duplication.

2015-01-06 14:25:28 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Enforce handshake packet order.

All currently supported handshake packets are allocated in order.

2015-01-06 14:09:23 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Clean up CCS handling.

expect_change_cipher is now only set by change_cipher_packet().

This is in preparation for TLS 1.3 where CCS won't be on the wire.

2015-01-06 13:23:21 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Added derive_master_secret().

More unification of code in client and server.

2014-12-31

2014-12-31 12:23:52 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Added server_{hello_retry_request,key_share}_packet().

These are both used in TLS 1.3.

2014-12-22

2014-12-22 16:02:48 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Fixed variable name confusion.

In the handling of client certificates there was a local variable
"input" that shadowed another local variable of the same name, and
seems to have been initialized from itself.

NB: Already fixed in Pike 8.0.

2014-12-22 15:57:20 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Extract the public key from the client cert.

This is needed to be able to validate the certificate verify message.

2014-12-22 15:57:20 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Fixed NULL-deref.

There's no key exchange in progress at STATE_wait_for_verify time.

2014-12-21

2014-12-21 12:17:36 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Fixed NULL-deref.

There's no key exchange in progress at STATE_wait_for_verify time.

2014-12-21 12:09:37 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Extract the public key from the client cert.

This is needed to be able to validate the certificate verify message.

2014-12-21 04:57:07 by Martin Nilsson <nilsson@opera.com>

Fixed warning.

2014-12-21 04:49:25 by Martin Nilsson <nilsson@opera.com>

The auth_level and cert checks are done in verify_certificate_chain, so no need to do them here. The length checks here are bogus and will always fail.

2014-12-15

2014-12-15 21:10:53 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Support the Negotiated FF-DHE Parameters draft.

NB: This draft has been incorporated into the TLS 1.3 draft.

2014-12-13

2014-12-13 21:59:15 by Martin Nilsson <nilsson@opera.com>

These catches are intended to catch buffer underflow. That is however already done in the caller in Connection.

2014-12-10

2014-12-10 12:39:15 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Stricter TLS 1.3 interpretation.

2014-12-01

2014-12-01 12:18:06 by Martin Nilsson <nilsson@opera.com>

Abort processing when fatal package is sent.

2014-11-29

2014-11-29 16:27:42 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Added some support for resuming sessions.

2014-11-27

2014-11-27 12:40:50 by Martin Nilsson <nilsson@opera.com>

Abort processing when fatal package is sent.

2014-11-25

2014-11-25 16:03:38 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Interoperability fix.

The handshake messages are hashed twice, so avoid
zapping them too early.

The SSL module now interoperates with other implementations again.

FIXME: What about renegotiation?

2014-11-25 14:57:52 by Martin Nilsson <nilsson@opera.com>

Allow buffer objects in handshake_packet() and heartbeat_packet().

2014-11-25 12:19:19 by Martin Nilsson <nilsson@opera.com>

Renamed methods for consistency with Stdio.Buffer

2014-11-25 11:48:14 by Martin Nilsson <nilsson@opera.com>

put_fix_string() and add_data() converted to add().

2014-11-24

2014-11-24 18:11:35 by Martin Nilsson <nilsson@opera.com>

Use read_hbuffer where immediately possible.

2014-11-24 17:40:17 by Martin Nilsson <nilsson@opera.com>

Mark key exchange packets as 8bit.

2014-11-24 17:31:49 by Martin Nilsson <nilsson@opera.com>

Rewrote get_uint, put_uint, get_var_string and get_fix_string.

2014-11-24 17:22:30 by Martin Nilsson <nilsson@opera.com>

Replaced pop_data() with read() or direct buffer usage.

2014-11-24 17:02:08 by Martin Nilsson <nilsson@opera.com>

put_var_string -> add_hstring

2014-11-24 16:29:55 by Martin Nilsson <nilsson@opera.com>

Use SSL.Buffer instead of ADT.struct

2014-11-22

2014-11-22 13:10:33 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Added some support for resuming sessions.

2014-11-19

2014-11-19 16:34:02 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Fixed support for resuming sessions.

It's not a good idea to send the CCS packet twice...

2014-11-19 16:33:43 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Fixed support for resuming sessions.

It's not a good idea to send the CCS packet twice...

2014-11-02

2014-11-02 07:44:53 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Improved protocol fallback.

Some cipher suites have been removed in later versions of TLS.
If the client and server versions both were recent, but had
no common ciphers that weren't removed in the negotiated
version of TLS, the handshake used to fail. Now we instead
try downgrading to older versions of TLS to see if there's
a common implemented suite then.

This fixes one of the common reasons for clients attempting
protocol downgrades on connection failure.

2014-11-02 07:37:41 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Improved protocol fallback.

Some cipher suites have been removed in later versions of TLS.
If the client and server versions both were recent, but had
no common ciphers that weren't removed in the negotiated
version of TLS, the handshake used to fail. Now we instead
try downgrading to older versions of TLS to see if there's
a common implemented suite then.

This fixes one of the common reasons for clients attempting
protocol downgrades on connection failure.

2014-10-15

2014-10-15 20:52:37 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Don't send extensions in SSL 3.0.

SSL 3.0 doesn't have the concept of protocol extensions,
so don't send any.

In the ServerConnection case, we assume that a client
that has sent extensions will accept extensions regardless
of the negotiated protocol version.

2014-10-15 20:15:16 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ClientConnection: Don't send extensions in SSL 3.0.

SSL 3.0 doesn't have the concept of protocol extensions,
so don't send any.

In the ServerConnection case, we assume that a client
that has sent extensions will accept extensions regardless
of the negotiated protocol version.

2014-10-13

2014-10-13 17:02:42 by Martin Nilsson <nilsson@opera.com>

Some trivial TLS 1.3 changes.

2014-09-22

2014-09-22 15:13:04 by Martin Nilsson <nilsson@opera.com>

The TLS padding extension is implemented. The actual extension ID is still undecided, but doesn't matter.

2014-09-04

2014-09-04 15:57:43 by Arne Goedeke <el@laramies.com>

Merge remote-tracking branch 'origin/8.0' into string_alloc

Conflicts:
src/stralloc.c

2014-09-04 15:00:04 by Martin Nilsson <nilsson@opera.com>

buffer isn't a member of the new ADT.struct

2014-08-24

2014-08-24 12:11:46 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Improved support for renegotiation.

2014-08-12

2014-08-12 19:33:38 by Martin Nilsson <nilsson@opera.com>

OO a bit more.

2014-08-12 12:06:24 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Increased session reuse paranoia.

Don't reuse sessions which differ from what a newly negotiated
session would be.

This fixes potential cross-site attacks and similar.

2014-08-06

2014-08-06 15:04:55 by Martin Nilsson <nilsson@opera.com>

Move ke_factory to CipherSpec.

2014-08-06 14:27:44 by Martin Nilsson <nilsson@opera.com>

Make heartbleed probing optional and default off.

2014-08-01

2014-08-01 06:52:50 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Added lfun::_sprintf().

2014-07-31

2014-07-31 22:11:41 by Martin Nilsson <nilsson@opera.com>

We are typically only calling sign/verify once a connection, so just do the implementation selection during that call.

2014-07-31 19:00:41 by Martin Nilsson <nilsson@opera.com>

Improved some comments.

2014-07-16

2014-07-16 12:57:30 by Martin Nilsson <nilsson@opera.com>

Alert messages are printed out when SSL3_DEBUG is enabled. Cut down the redundancy.

2014-07-16 11:16:14 by Martin Nilsson <nilsson@opera.com>

Since Session doesn't know about Context, do the CertificatePairs lookup in the caller to avoid ugly type casts.

2014-07-14

2014-07-14 12:03:19 by Martin Nilsson <nilsson@opera.com>

Kill NPN fully.

2014-07-13

2014-07-13 20:39:54 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.ServerConnection: Fixed nextprotoneg handshake.

The padding wasn't validated, and the wrong value was returned from
handle_handshake().

NB: As this stuff belongs to an obsolete draft, which has been
superseded by RFC 7301, we probably ought to remove it.

2014-07-10

2014-07-10 19:53:28 by Martin Nilsson <nilsson@opera.com>

There MUST NOT be more than one extension of the same type. RFC 5246 section 7.4.1.4.

2014-07-06

2014-07-06 11:40:36 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Implemented support for the fallback SCSV.

This adds support for the protocol extension SCSV specified in
draft-ietf-tls-downgrade-scsv as of 2014-07-04.

This protects clients renegotiating failed connections with lower
protocol versions from MITM downgrade attacks, by informing the
server that the client actually supports a higher protocol version
than the one it is currently using.
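The two server-side behaviours described in this commit message and in the 2014-11-02 "Improved protocol fallback" entry, written out as an added Python example (not Pike's SSL module): the fallback SCSV check of draft-ietf-tls-downgrade-scsv (now RFC 7507), and the internal retry of lower TLS versions when every common suite was removed in the negotiated one. The SUITES table is constructed for the example; the real-world facts in it are that RFC 5246 (TLS 1.2) removed the DES and IDEA suites and that the SHA-256 suites need TLS 1.2, and the ids and alert codes are the IANA values.

```python
"""Server-side version and cipher-suite negotiation with the fallback SCSV
check and the step-down-on-no-common-suite fallback. Only the parts of the
ClientHello that matter here (client_version and the offered suites) are
modelled; everything else about the handshake is left out.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int]
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = (3, 0), (3, 1), (3, 2), (3, 3)
VERSIONS: List[Version] = [SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2]

TLS_FALLBACK_SCSV = 0x5600         # RFC 7507 section 2
ALERT_HANDSHAKE_FAILURE = 40       # RFC 5246 section 7.2
ALERT_PROTOCOL_VERSION = 70
ALERT_INAPPROPRIATE_FALLBACK = 86  # RFC 7507 section 3

# suite id -> (name, lowest version defining it, first version that dropped
# it, or None). Constructed table: four suites are enough for the example.
SUITES: Dict[int, Tuple[str, Version, Optional[Version]]] = {
    0x0007: ("TLS_RSA_WITH_IDEA_CBC_SHA", SSL_3_0, TLS_1_2),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", SSL_3_0, TLS_1_2),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", SSL_3_0, None),
    0x003C: ("TLS_RSA_WITH_AES_128_CBC_SHA256", TLS_1_2, None),
}

@dataclass
class ServerConfig:
    min_version: Version
    max_version: Version
    suites: List[int]          # in server preference order

@dataclass
class ClientHello:
    version: Version           # the client_version field
    suites: List[int]          # offered suites, may include the SCSV

@dataclass
class Outcome:
    version: Optional[Version] = None
    suite: Optional[int] = None
    alert: Optional[int] = None  # set instead of version/suite on failure

def suite_allowed(suite: int, version: Version) -> bool:
    """True if the suite is defined in the given protocol version."""
    _name, introduced, removed = SUITES[suite]
    return introduced <= version and (removed is None or version < removed)

def fallback_scsv_alert(hello: ClientHello, cfg: ServerConfig) -> Optional[int]:
    """RFC 7507 section 3: the SCSV is only an error when the client offered a
    lower version than the server's best, i.e. a downgrade actually happened."""
    if TLS_FALLBACK_SCSV in hello.suites and hello.version < cfg.max_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None

def common_suite(hello: ClientHello, cfg: ServerConfig, version: Version) -> Optional[int]:
    """First server-preferred suite the client also offers and `version` defines."""
    offered = set(hello.suites)
    for suite in cfg.suites:
        if suite in offered and suite_allowed(suite, version):
            return suite
    return None

def negotiate(hello: ClientHello, cfg: ServerConfig) -> Outcome:
    """Pick version and suite, stepping the version down only when needed."""
    alert = fallback_scsv_alert(hello, cfg)
    if alert is not None:
        return Outcome(alert=alert)
    version = min(hello.version, cfg.max_version)
    if version < cfg.min_version:
        return Outcome(alert=ALERT_PROTOCOL_VERSION)
    # Walk downwards from the agreed version, never below the configured
    # minimum, until some common suite is defined in that version.
    for candidate in reversed(VERSIONS):
        if candidate > version or candidate < cfg.min_version:
            continue
        suite = common_suite(hello, cfg, candidate)
        if suite is not None:
            return Outcome(version=candidate, suite=suite)
    return Outcome(alert=ALERT_HANDSHAKE_FAILURE)
```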

2014-06-29

2014-06-29 21:32:17 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Removed some debug.

2014-06-29 14:58:49 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Support EXTENSION_encrypt_then_mac.

This draft extension improves security for old CBC suites by
hashing the encrypted data including the padding. This works
around the various TLS padding attacks.

2014-06-09

2014-06-09 14:56:46 by Martin Nilsson <nilsson@opera.com>

RFC 6066 only allows one host DN in SNI.

2014-05-23

2014-05-23 19:14:54 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Unified several state variables into one.

SSL.Connection()->{closing,dying,handshake_finished} are now unified
into SSL.Connection()->state with named states.

It also keeps track of some of the stuff in SSL.sslfile()->close_state and
SSL.sslfile()->close_packet_send_state, which are likely to be removed soon.

2014-05-16

2014-05-16 21:01:17 by Martin Nilsson <nilsson@opera.com>

Documentation and debug updates.

2014-05-15

2014-05-15 23:20:23 by Martin Nilsson <nilsson@opera.com>

0..255 -> 8bit

2014-05-15 21:19:59 by Martin Nilsson <nilsson@opera.com>

import .

2014-05-15 21:08:58 by Martin Nilsson <nilsson@opera.com>

Fixed botched local variable renaming.

2014-05-15 20:43:25 by Martin Nilsson <nilsson@opera.com>

Got rid of the Alert function.

2014-05-15 20:20:05 by Martin Nilsson <nilsson@opera.com>

Renamed SSL.context to SSL.Context.

2014-05-15 19:50:17 by Martin Nilsson <nilsson@opera.com>

Rename state to State.

2014-05-10

2014-05-10 22:38:20 by Martin Nilsson <nilsson@opera.com>

Change !s->is_empty() to sizeof(s).

2014-05-10 19:04:27 by Martin Nilsson <nilsson@opera.com>

Abstract the extensions a bit. Also fixes max fragment length extension.

2014-05-08

2014-05-08 16:11:04 by Martin Nilsson <nilsson@opera.com>

Use get/put_var_uint_array for multibyte uints where possible.

2014-05-05

2014-05-05 16:47:37 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Improved documentation.

Updates the documentation to mention {Client,Server}Connection,
and adds a few crossreferences.

2014-05-04

2014-05-04 22:38:54 by Martin Nilsson <nilsson@opera.com>

Divide more mode-specific code between the subclasses.

2014-05-04 20:38:00 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Unified the handshake states.

Now that there is separate code for the server and client
handshake state-machines, there's no reason for them to
have different STATE_* codes.

Also splits and moves finished_packet() to {Client,Server}Connection.

2014-05-04 20:09:07 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Moved handle_handshake() to {Server,Client}Connection.

Split the handshake handling into server and client specific code,
and moved it to the respective corresponding module.

2014-05-04 18:00:13 by Martin Nilsson <nilsson@opera.com>

Trivially move out hello_request and client_hello.

2014-05-04 17:10:53 by Martin Nilsson <nilsson@opera.com>

Merge handshake and connection into Connection. Then make that a base class for ClientConnection and ServerConnection, which assume the respective roles.