Martin Willi
30308c5fdb
libtls: Link against ws_w32 on Windows
2014-06-04 15:53:05 +02:00
Tobias Brunner
435fecd751
unit-tests: Make sure plugins in the builddir are loaded
...
When running the tests in GDB the working directory apparently is
different. With the relative path used previously the plugins would not
be found and those installed on the system would get used.
2014-05-19 14:06:43 +02:00
Martin Willi
064fe9c963
enum: Return boolean result for enum_from_name() lookup
...
Handling the result for enum_from_name() is difficult, as checking for
negative return values requires a cast if the enum type is unsigned. The new
signature clearly differentiates lookup result from lookup value.
Further, this actually allows to convert real -1 enum values, which could not
be distinguished from "not-found" and the -1 return value.
This also fixes several clang warnings where enums are unsigned.
2014-05-16 15:42:07 +02:00
Martin Willi
e2bf45a491
tls: Move variable sized tls_record_t struct to end of tls_t data
...
clang complains about the the non-last variable length member.
2014-05-16 15:42:07 +02:00
Andreas Steffen
8d59090349
Implemented PT-EAP protocol (RFC 7171)
2014-05-12 06:59:21 +02:00
Martin Willi
5ba9f73457
tls: Add a test case to check correct enum name mapping of cipher suites
2014-04-01 14:52:18 +02:00
Martin Willi
2c8d77394c
tls: Add socket based tests testing all supported suites with TLS 1.2/1.1/1.0
2014-04-01 14:52:18 +02:00
Martin Willi
74162ed997
tls: Remove superfluous initializers in TLS AEAD implementations
2014-04-01 14:52:18 +02:00
Martin Willi
e15f64cc81
tls: Support a maximum TLS version to negotiate using TLS socket abstraction
2014-04-01 14:28:55 +02:00
Martin Willi
5313880261
tls: Support a null encryption flag on TLS socket abstraction
2014-04-01 14:28:55 +02:00
Martin Willi
ddf5222096
tls: Introduce a generic TLS purpose that accepts NULL encryption ciphers
2014-04-01 14:28:55 +02:00
Martin Willi
ac5717c9e9
tls: Export a function to list supported TLS cipher suites
2014-04-01 14:28:55 +02:00
Martin Willi
c0efaaebe3
tls: Create a unit-test runner
2014-04-01 14:28:55 +02:00
Martin Willi
e67e8dd197
tls: Fix some TLS cipher suite enum names
...
It is important to have them mapped correctly, as we use these official TLS
identifiers to configure specific TLS suites.
2014-03-31 16:07:53 +02:00
Martin Willi
b37080f8c9
tls: Include TLS version announced in Client Hello in encrypted premaster
...
While a hardcoded 1.2 version is fine when we offer that in Client Hello, we
should include the actually offered version if it has been reduced before
starting the exchange.
2014-03-31 16:07:53 +02:00
Martin Willi
f93497507f
tls: Check for minimal TLS record length before each record iteration
...
Fixes fragment reassembling if a buffer contains more than one record, but
the last record contains a partial TLS record header. Thanks to Nick Saunders
and Jamil Nimeh for identifying this issue and providing a fix for it.
2014-03-31 15:56:12 +02:00
Martin Willi
b886dad498
tls: Fix AEAD algorithm filtering, avoid filtering all suites if no AEAD found
2014-03-31 15:56:12 +02:00
Martin Willi
48d6b57c30
tls: Offer TLS signature schemes in ClientHello in order of preference
...
Additionally, we now query plugin features to find out what schemes we exactly
support.
2014-03-31 15:56:12 +02:00
Martin Willi
d06890d6e2
tls: Define AES-GCM cipher suites from RFC 5288/5289
2014-03-31 15:56:12 +02:00
Martin Willi
f0f301170b
tls: Implement the TLS AEAD abstraction for real AEAD modes
2014-03-31 15:56:12 +02:00
Martin Willi
d3204677ba
tls: Separate TLS protection to abstracted AEAD modes
...
To better separate the code path for different TLS versions and modes of
operation, we introduce a TLS AEAD abstraction. We provide three implementations
using traditional transforms, and get prepared for TLS AEAD modes.
2014-03-31 15:56:12 +02:00
Tobias Brunner
409adef43c
libtls: Move settings to <ns>.tls with fallback to libtls
2014-02-12 14:34:32 +01:00
Tobias Brunner
9af44ef5d9
Build all shared libraries with -no-undefined and link them properly
...
The flag is required to convince libtool on Cygwin to build DLLs. But on
Windows these shared libraries can not have undefined symbols, so we have to
link them explicitly to the libraries they reference.
For plugins this is currently not done, so only the monolithic build is
supported. The plugin loader wouldn't be able to load DLLs anyway, as
it tries to load files that don't exist on Cygwin.
2013-09-12 01:44:49 +02:00
Andreas Steffen
9dc3b2053d
Optimize TLS socket buffer for TLS_MAX_FRAGMENT_LEN
2013-08-19 09:50:57 +02:00
Andreas Steffen
97b1d39de5
Extract client identity and authentication type from SASL authentication
2013-08-15 23:34:22 +02:00
Martin Willi
19cb07b890
automake: replace INCLUDES by AM_CPPFLAGS
...
INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.
2013-07-18 14:59:19 +02:00
Andreas Steffen
5a8dd63433
fixed typo
2013-03-27 22:56:37 +01:00
Tobias Brunner
79306b7e6e
Use proper integer types when handling TLS exchanges
...
tls_t.build takes a size_t argument not a ssize_t.
2013-03-22 11:40:57 +01:00
Martin Willi
1db6bf2f3f
If TLS peer authentication not required, the client does nonetheless, allow it to fail
2013-03-06 15:53:12 +01:00
Martin Willi
807f2facd0
Request a TLS client certificate even if no peer identity is given
...
This allows a peer to perform client authentication if it wants, but skip
it if not.
2013-02-28 16:46:08 +01:00
Martin Willi
257c80cb5b
Wrap tls_t.get_{server,peer}_id methods in tls_socket_t
2013-02-28 16:46:08 +01:00
Martin Willi
2de481e32b
Delegate tls_t.get_{peer,server}_id to handshake layer
...
This allows to get updated peer identities if the peer can't authenticate,
or does when it is optional.
2013-02-28 16:46:08 +01:00
Martin Willi
8b56943222
Merge branch 'pt-tls'
2013-02-14 17:06:07 +01:00
Andreas Steffen
bd1ee5bdc4
make AR identities available to IMVs via IF-IMV 1.4 draft
2013-02-11 15:30:44 +01:00
Martin Willi
435348f406
Send TLS close notify during tls_socket_t destruction
2013-01-15 17:43:05 +01:00
Martin Willi
7bbf7aa97a
Send TLS close notify if application returns SUCCESS
2013-01-15 17:43:05 +01:00
Martin Willi
c43e8fdec4
Block TLS read when sending data, but have to wait for the handshake data first
2013-01-15 17:43:05 +01:00
Martin Willi
ee90c78998
Use a more POSIXy tls_socket interface with more flexibility.
...
If an unsufficient read buffer is provided, application data gets cached
for subsequent read() calls.
2013-01-15 17:43:05 +01:00
Tobias Brunner
07f826af67
Fixed encoding of TLS extensions (elliptic_curves and signature_algorithms)
2012-11-28 10:20:14 +01:00
Tobias Brunner
f05b427265
Moved debug.[ch] to utils folder
2012-10-24 16:00:51 +02:00
Tobias Brunner
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
Tobias Brunner
1407a0026f
Added missing break when building TLS cipher suites
2012-09-28 18:55:40 +02:00
Martin Willi
ab2c989c32
Don't allow NULL encryption with PEAP
2012-09-12 13:19:52 +02:00
Martin Willi
acada66a35
Use memmove on overlapping regions, and operate with correct sizeof()
2012-09-12 13:19:52 +02:00
Martin Willi
fb3cf1b708
Whitespace cleanups in tls_eap
2012-09-12 13:19:52 +02:00
Martin Willi
02cabd0f26
Check if TLS handshake received Finished before processing application data
2012-08-09 12:10:41 +02:00
Martin Willi
2df12b4c57
Fix tls_prf bug introduced with bc474883
2012-07-17 11:33:05 +02:00
Martin Willi
87dd205b61
Add a return value to hasher_t.allocate_hash()
2012-07-16 14:55:06 +02:00
Martin Willi
8bd6a30af1
Add a return value to hasher_t.get_hash()
2012-07-16 14:55:06 +02:00
Martin Willi
ce73fc19db
Add a return value to crypter_t.set_key()
2012-07-16 14:53:38 +02:00