Martin Willi
a777155ffe
diffie-hellman: Add a bool return value to set_other_public_value()
2015-03-23 17:54:03 +01:00
Martin Willi
42431690e0
diffie-hellman: Add a bool return value to get_my_public_value()
2015-03-23 17:54:03 +01:00
Martin Willi
bace1d6479
diffie-hellman: Use bool instead of status_t as get_shared_secret() return value
...
While such a change is not unproblematic, keeping status_t makes the API
inconsistent once we introduce return values for the public value operations.
2015-03-23 17:54:02 +01:00
Tobias Brunner
18597950fa
tls-peer: Make sure to use the right trusted public key for peer
...
In case a CA certificate uses the same subject DN as the server the
previous code could end up trying to verify the server's signature with
the CA certificate's public key. By comparing the certificate with the
one sent by the peer we make sure to use the right one.
Fixes #849 .
2015-03-09 15:40:06 +01:00
Martin Willi
666c552381
libtls: Add getters for TLS handshake authentication details
2015-03-03 14:08:00 +01:00
Martin Willi
aba5b76ce1
libtls: Merge trustchain auth verification details done during TLS handhsake
2015-03-03 14:08:00 +01:00
Martin Willi
b37080f8c9
tls: Include TLS version announced in Client Hello in encrypted premaster
...
While a hardcoded 1.2 version is fine when we offer that in Client Hello, we
should include the actually offered version if it has been reduced before
starting the exchange.
2014-03-31 16:07:53 +02:00
Martin Willi
2de481e32b
Delegate tls_t.get_{peer,server}_id to handshake layer
...
This allows to get updated peer identities if the peer can't authenticate,
or does when it is optional.
2013-02-28 16:46:08 +01:00
Tobias Brunner
07f826af67
Fixed encoding of TLS extensions (elliptic_curves and signature_algorithms)
2012-11-28 10:20:14 +01:00
Tobias Brunner
f05b427265
Moved debug.[ch] to utils folder
2012-10-24 16:00:51 +02:00
Tobias Brunner
126eb2af59
Check rng return value when generating secrets and IVs in libtls
2012-07-16 14:53:37 +02:00
Martin Willi
9020f7d0b9
Add a return value to tls_crypto_t.derive_secrets()
2012-07-16 14:53:33 +02:00
Martin Willi
6a5c86b7ad
Implemented TLS session resumption both as client and as server
2011-12-31 13:14:49 +01:00
Martin Willi
4caa380625
Separated cipherspec checking and switching, allowing us to defer the second
2011-12-31 13:14:49 +01:00
Andreas Steffen
7e432eff6b
renamed tls_reader|writer to bio_* and moved to libstrongswan
2011-05-31 15:46:51 +02:00
Martin Willi
2db8b58f62
Continue without client authentication if no matching certificate found
2011-04-14 20:02:12 +02:00
Martin Willi
6a8f1a578f
Ignore TLS certificate requests as peer if peer authentication disabled
2011-04-14 20:02:12 +02:00
Martin Willi
1c21f47a06
Send TLS Server Name Indication as peer if server identity is a FQDN
2011-04-14 20:02:12 +02:00
Martin Willi
31c65eb362
Include ec_point_format extension in ClientHello
2010-09-06 18:51:38 +02:00
Martin Willi
ec7d4e70d3
Renamed ecp_format to ansi_format, as point formats in TLS use different identifiers
2010-09-06 18:37:24 +02:00
Martin Willi
e6cce7ff0d
Prepend point format to ECDH public key
2010-09-06 15:37:51 +02:00
Martin Willi
3f7bb88ba3
Use a dynamic curve enumerator to list/convert TLS named curves
2010-09-03 17:24:23 +02:00
Martin Willi
f4c98ae664
Use ECDH group check where appropriate
2010-09-03 16:53:36 +02:00
Martin Willi
4cdade5aae
Select private key based on received cipher suites
2010-09-03 14:54:43 +02:00
Martin Willi
37a59a8fbf
Support for EC curve Hello extension, EC curve fallback
2010-09-03 14:54:43 +02:00
Martin Willi
5fc7297e38
Added client support for ECDHE key exchange
2010-09-03 14:54:43 +02:00
Martin Willi
da3f4a9fd0
Added TLS client side support for DHE suites
2010-09-02 19:33:08 +02:00
Martin Willi
06109c4717
Implemented "signature algorithm" hello extension
2010-09-02 19:33:08 +02:00
Martin Willi
dbb7c0306c
Support different hash/sig algorithms in handshake signing, including ECDSA
2010-09-02 13:07:25 +02:00
Martin Willi
c811479986
Strictly check if the server certificate matches the TLS server identity
2010-08-31 18:10:23 +02:00
Martin Willi
a596006e3f
Send TLS alerts for errors in TLS handshake building
2010-08-25 18:24:27 +02:00
Martin Willi
69e8bb2e8d
Pass NULL peer identity to omit TLS peer authentication, added eap-ttls.request_peer_auth option
2010-08-24 11:34:43 +02:00
Andreas Steffen
c1a929daa7
removed some redundant debug output
2010-08-24 09:02:51 +02:00
Martin Willi
e6f3ef1330
Implemented TLS Alert handling
2010-08-23 15:13:37 +02:00
Martin Willi
f154e30431
Verify negotiated TLS version
2010-08-23 09:47:03 +02:00
Martin Willi
3c19b3461f
Introducing a dedicated debug message group for libtls
2010-08-23 09:47:03 +02:00
Martin Willi
0bcef5fe7a
Streamlined TLS debugging output
2010-08-23 09:45:33 +02:00
Martin Willi
ba31fe1fd6
Use a seperate section for each nested struct member in INIT macro
2010-08-18 12:15:03 +02:00
Andreas Steffen
1327839da8
added generic TLS application data handler and specific EAP-TTLS instantiation
2010-08-12 23:58:54 +02:00
Martin Willi
33ddaaabec
Added support for different encryption schemes to private/public keys
2010-08-10 18:46:30 +02:00
Andreas Steffen
b4d30a425e
support server authentication only for EAP-TTLS
2010-08-07 11:26:04 +02:00
Martin Willi
e85bca7f22
Use certificate subject to get a public key of the TLS server
2010-08-05 13:13:45 +02:00
Andreas Steffen
7ea87db00d
added some more TLS debug output
2010-08-05 09:51:05 +02:00
Andreas Steffen
4657b3a42a
log selected TLS version and cipher suite
2010-08-05 01:21:59 +02:00
Martin Willi
0f82a47063
Moved TLS stack to its own library
2010-08-03 15:39:26 +02:00