Commit graph

647 commits

Author SHA1 Message Date
Vincent Hanquez
4d91e67750 harden packet record chunking.
This prevents possible random behavior if cipher is not checking IV size,
or generic exception being thrown in favor of a TLS one.
2012-07-23 09:14:32 +01:00
Vincent Hanquez
c7c394d56e [SECURITY] add empty TLS packets before appdata
Add empty appdata packet before appdata, when using <= TLS10 and using a
block cipher, to work around the security problem related to CBC residue,
and the fact that it could be guessed by a malicious user, leading to
disclosure of secrets.
2012-07-23 08:54:25 +01:00
Martin Grabmueller
12a1632739 Add initial support for client certificates with TLS 1.2. 2012-07-21 23:24:47 +02:00
Martin Grabmueller
c772ee22d5 Start client certificate support for TLS1.2.
Add some checks for matching cert types, sig/hash algorithms, etc.
Remove some obsolete FIXMEs and comments.
2012-07-18 22:19:11 +02:00
Martin Grabmueller
4c84e3ffc7 Add documentation. 2012-07-18 21:34:18 +02:00
Martin Grabmueller
92686e1457 Fix broken negotiation by separating active from pending crypt/mac states. 2012-07-18 17:32:26 +02:00
Martin Grabmueller
a348a56659 Clean up and simplify code. 2012-07-18 16:35:48 +02:00
Martin Grabmueller
1e02f92209 Fix missing digest update in server for CertVerify message. 2012-07-17 23:27:32 +02:00
Martin Grabmueller
90273cc813 Experimental debug output. 2012-07-17 17:42:12 +02:00
Martin Grabmueller
c799b18c4c Fix encoding of CertRequest, so that encoding and decoding are inverses. 2012-07-17 17:33:11 +02:00
Martin Grabmueller
039c7d254e Separate finish from certificate verify digests. Will make it easier to support TLS1.2. 2012-07-16 16:19:48 +02:00
Martin Grabmueller
2ca69771a4 Add comments. 2012-07-16 14:40:37 +02:00
Martin Grabmueller
3c46042ce5 Integrate client certificate settings into RoleParams,
remember client cert chain for use after handshake has
finished.
2012-07-16 14:36:44 +02:00
Martin Grabmueller
4d53898c5c Fix verification/signing. 2012-07-15 22:18:27 +02:00
Martin Grabmueller
325c9be4c7 Use getOpaque16 and check for valid DN length. 2012-07-14 16:56:04 +02:00
Martin Grabmueller
74f1bf79ea Use subject instead of issuer for certificate request. 2012-07-14 16:50:48 +02:00
Martin Grabmueller
f08eb43055 Add comments and FIXMEs. 2012-07-14 16:49:46 +02:00
Martin Grabmueller
9e710b5e88 Accept empty client certificate list. Will error on verification. 2012-07-13 22:29:36 +02:00
Martin Grabmueller
f5972a4818 Implement client certificate support in handshake. 2012-07-13 22:04:23 +02:00
Martin Grabmueller
a2825c31ac Pull out common functionality for client and server handshake. 2012-07-13 21:48:37 +02:00
Martin Grabmueller
6483e954f4 Add abstractions for accessing client certificate state. 2012-07-13 21:44:19 +02:00
Martin Grabmueller
e617a1bbec Store public key from client certificate in server mode. 2012-07-13 21:33:45 +02:00
Martin Grabmueller
ef90cda757 Ensure that the same handshake packets are included
in the handshake digest for sending and receiving.
2012-07-13 21:23:01 +02:00
Martin Grabmueller
2b101b6fa7 Add function for retrieving certificate verify digest. 2012-07-13 21:18:05 +02:00
Martin Grabmueller
e9abea6cb2 Extend state to hold information about ongoing client certificate exchange. 2012-07-13 21:16:46 +02:00
Martin Grabmueller
797f7822e4 Extend state to hold client private/public keys and add
functions for signing and verifying with these keys.
2012-07-13 21:08:23 +02:00
Martin Grabmueller
224f9d4e2c Add proper types for certificate request/verify messages. 2012-07-13 17:20:10 +02:00
Martin Grabmueller
8b7b2ff1bf Add parameter structures for client certificates (both server and client versions). 2012-07-13 16:47:58 +02:00
Martin Grabmueller
58beee4f9f Add functions for signing/verifying with private/public keys. 2012-07-13 16:33:12 +02:00
Vincent Hanquez
ff14e0b988 fixing new API breakage related to RoleParam and SessionManager change 2012-07-12 09:04:50 +01:00
Vincent Hanquez
ce3f724564 add usual header. 2012-07-12 09:03:48 +01:00
Vincent Hanquez
e47501736b add usual header 2012-07-12 09:03:24 +01:00
Vincent Hanquez
12104f612e documentation fixup. 2012-07-12 09:02:38 +01:00
Vincent Hanquez
b140b61012 upgrade cabal-version and fixup problems related to the upgrade. 2012-07-12 09:02:27 +01:00
Vincent Hanquez
4179ceba82 start using Client and Server distinction for want client cert and session resume with 2012-07-12 09:02:10 +01:00
Vincent Hanquez
c8d9f0677b switch session related callback to a new SessionManager class.
add necessary helper setSessionManager to not have to propagate
Rank2Types and ExistentialQuantification to the user.
2012-07-12 08:59:59 +01:00
Vincent Hanquez
9c3177a16a split some common types from struct and move them to types. 2012-07-12 08:56:16 +01:00
Vincent Hanquez
1048815206 expose more context role related helpers and types. 2012-07-12 08:54:34 +01:00
Vincent Hanquez
593f1affbb fixes to run on tls 1.0 2012-07-10 07:58:01 +01:00
Vincent Hanquez
d0d48bb476 export SessionID and SessionData. 2012-07-08 10:14:09 +01:00
Vincent Hanquez
6ae20f4125 remove npnId and use Extension's proper definition 2012-07-05 05:36:28 +01:00
Martin Grabmueller
3d629acaf1 Add missing module Network.TLS.Handshake to .cabal file. 2012-07-04 22:15:19 +02:00
Vincent Hanquez
e1bc9db398 bump version to 0.9.6 2012-07-03 07:18:10 +01:00
Vincent Hanquez
daa5fd42a4 export clientWith and serverWith 2012-07-03 07:14:28 +01:00
Vincent Hanquez
b57ef66d28 move extension decoding and encoding in a separate file. 2012-05-14 06:39:20 +01:00
Vincent Hanquez
d8b37f7fb9 move runGetErr and add runGetMaybe 2012-05-14 06:36:17 +01:00
Vincent Hanquez
5844120e4c rename NextProtocolNegotiation as HsNextProtocolNegotiation 2012-05-14 06:35:55 +01:00
Vincent Hanquez
d0481f76a3 remove the need to have same length arguments in bytesEq. bail early in case strings have different size. 2012-05-14 06:32:47 +01:00
Vincent Hanquez
9b32e6d5f4 [SECURITY] use constant equality testing to prevent timing determination of the expected value.
it doesn't seem to be in a usable context though.
2012-05-14 06:32:14 +01:00
Vincent Hanquez
8509d7dbc1 rename Extension in ExtensionRaw. 2012-05-14 04:41:50 +01:00