Vincent Hanquez
975fc32889
split signature apart from handshake
2012-08-18 23:05:37 +01:00
Vincent Hanquez
4e5c2e8c1d
split apart certificate stuff from handshake.
...
at the moment it's mostly a stub, but will host all handling of
client&server certificates.
2012-08-18 22:57:58 +01:00
Vincent Hanquez
07d0d70c70
Split handshake module. preparation step, removing common functions.
2012-08-18 22:46:53 +01:00
Vincent Hanquez
b64813edac
fixup for merge.
...
requires certificate-1.2.4, so that no one uses client certificate with the sorting DN decode and report weird bugs.
2012-08-05 07:15:32 +01:00
Vincent Hanquez
37b32686ee
Merge remote-tracking branch 'mgrabmueller/client-certificate' into next
...
Conflicts:
Network/TLS/Context.hs
2012-08-05 07:12:07 +01:00
Vincent Hanquez
3613061131
stylistic adjustments
2012-08-04 16:51:12 +01:00
Martin Grabmueller
fa3e2aec1c
Add client cert handshake messages to tests.
2012-07-28 14:40:37 +02:00
Martin Grabmueller
0102d23017
Improve testability with a newtype.
2012-07-28 14:40:11 +02:00
Martin Grabmueller
6f1b13fc5a
Add client cert support for SSL3.
2012-07-28 14:22:16 +02:00
Martin Grabmueller
a285eb345c
Merge remote-tracking branch 'upstream/next' into client-certificate
...
Conflicts:
Network/TLS/Context.hs
Network/TLS/Record/Disengage.hs
2012-07-26 23:17:08 +02:00
Martin Grabmueller
8c18de4e66
Small optimization.
2012-07-26 23:08:31 +02:00
Martin Grabmueller
7182653638
Harmonize code for pre-1.2 and 1.2 versions.
2012-07-26 23:06:08 +02:00
Martin Grabmueller
9aa9675d0c
Use correct version number, simplify code.
2012-07-26 22:46:59 +02:00
Vincent Hanquez
4e9fd480c4
add callback on server to choose cipher according to version.
...
default to previous behavior: choosing the first cipher that match
2012-07-23 21:53:59 +01:00
Vincent Hanquez
4d91e67750
harden packet record chunking.
...
This prevent possible random behavior if cipher is not checking IV size,
or generic exception being throwned in favor of a TLS one.
2012-07-23 09:14:32 +01:00
Vincent Hanquez
c7c394d56e
[SECURITY] add empty TLS packets before appdata
...
Add empty appdata packet before appdata, when using <= TLS10 and using a
block cipher, to workaround the security problem related to CBC residue,
and the fact that it could be guessed by a malicious user, leading to
disclosure of secrets.
2012-07-23 08:54:25 +01:00
Martin Grabmueller
12a1632739
Add initial support for client certificates with TLS 1.2.
2012-07-21 23:24:47 +02:00
Martin Grabmueller
c772ee22d5
Start client certificate support for TLS1.2.
...
Add some checks for matching cert types, sig/hash algorithms, etc.
Remove some obsolete FIXMEs and comments.
2012-07-18 22:19:11 +02:00
Martin Grabmueller
4c84e3ffc7
Add documentation.
2012-07-18 21:34:18 +02:00
Martin Grabmueller
92686e1457
Fix broken negotiation by separating active from pending crypt/mac states.
2012-07-18 17:32:26 +02:00
Martin Grabmueller
a348a56659
Clean up and simplify code.
2012-07-18 16:35:48 +02:00
Martin Grabmueller
1e02f92209
Fix missing digest update in server for CertVerify message.
2012-07-17 23:27:32 +02:00
Martin Grabmueller
90273cc813
Experimental debug output.
2012-07-17 17:42:12 +02:00
Martin Grabmueller
c799b18c4c
Fix encoding of CertRequest, so that encoding and decoding are inverses.
2012-07-17 17:33:11 +02:00
Martin Grabmueller
039c7d254e
Separate finish from certificate verify digests. Will make it easier to support TLS1.2.
2012-07-16 16:19:48 +02:00
Martin Grabmueller
2ca69771a4
Add comments.
2012-07-16 14:40:37 +02:00
Martin Grabmueller
3c46042ce5
Integrate client certificate settings into RoleParams,
...
remember client cert chain for use after handshake has
finished.
2012-07-16 14:36:44 +02:00
Martin Grabmueller
4d53898c5c
Fix verification/signing.
2012-07-15 22:18:27 +02:00
Martin Grabmueller
325c9be4c7
Use getOpaque16 and check for valid DN length.
2012-07-14 16:56:04 +02:00
Martin Grabmueller
74f1bf79ea
Use subject instead of issuer for certificate request.
2012-07-14 16:50:48 +02:00
Martin Grabmueller
f08eb43055
Add comments and FIXMEs.
2012-07-14 16:49:46 +02:00
Martin Grabmueller
9e710b5e88
Accept empty client certificate list. Will error on verification.
2012-07-13 22:29:36 +02:00
Martin Grabmueller
f5972a4818
Implement client certificate support in handshake.
2012-07-13 22:04:23 +02:00
Martin Grabmueller
a2825c31ac
Pull out common functionality for client and server handshake.
2012-07-13 21:48:37 +02:00
Martin Grabmueller
6483e954f4
Add abstractions for accessing client certificate state.
2012-07-13 21:44:19 +02:00
Martin Grabmueller
e617a1bbec
Store public key from client certificate in server mode.
2012-07-13 21:33:45 +02:00
Martin Grabmueller
ef90cda757
Ensure that the same handshake packets are included
...
in the handshake digest for sending and receiving.
2012-07-13 21:23:01 +02:00
Martin Grabmueller
2b101b6fa7
Add function for retrieving certificate verify digest.
2012-07-13 21:18:05 +02:00
Martin Grabmueller
e9abea6cb2
Extend state to hold information about ongoing client certificate exchange.
2012-07-13 21:16:46 +02:00
Martin Grabmueller
797f7822e4
Extend state to hold client private/public keys and add
...
functions for signing and verifying with these keys.
2012-07-13 21:08:23 +02:00
Martin Grabmueller
224f9d4e2c
Add proper types for certificate request/verify messages.
2012-07-13 17:20:10 +02:00
Martin Grabmueller
8b7b2ff1bf
Add parameter structures for client certificates (both server and client versions).
2012-07-13 16:47:58 +02:00
Martin Grabmueller
58beee4f9f
Add functions for signing/verifying with private/public keys.
2012-07-13 16:33:12 +02:00
Vincent Hanquez
ce3f724564
add usual header.
2012-07-12 09:03:48 +01:00
Vincent Hanquez
12104f612e
documentation fixup.
2012-07-12 09:02:38 +01:00
Vincent Hanquez
b140b61012
upgrade cabal-version and fixup problems related to the upgrade.
2012-07-12 09:02:27 +01:00
Vincent Hanquez
4179ceba82
start using Client and Server distinction for want client cert and session resume with
2012-07-12 09:02:10 +01:00
Vincent Hanquez
c8d9f0677b
switch session related callback to a new SessionManager class.
...
add necessary helper setSessionManager to not have to propagate
Rank2Types and ExistentialQuantification to the user.
2012-07-12 08:59:59 +01:00
Vincent Hanquez
9c3177a16a
split some common types from struct and move them to types.
2012-07-12 08:56:16 +01:00
Vincent Hanquez
1048815206
expose more context role related helpers and types.
2012-07-12 08:54:34 +01:00