chacha20 comes in two variants: ietf rfc7539, using 96 bit iv and 32 bit counter
and draft-agl-tls-chacha20poly1305 using 64 bit iv and a 64 bit counter. so
setupChachastate() now takes a ivlen argument which sets the mode.
add ccpoly_encrypt()/ccpoly_decrypt() routines.
to implement timing safe ccpoly_decrypt(), a constant time memcmp was needed, so
adding tsmemcmp() to libsec.
X509req() and X509gen() used to leak memory, and had no way for
the caller to free the allocated certificate/certificate request
buffer returned. this is not critical as these functions are only
used in short lived rsa(2) helper programs. but i prefer to have
library routines not leak memory as one does not know in advance
where the code is going to be used.
we used to negotiate tls1.1 for client cert authentication because the
signature generation was not implemented for tls1.2. this is now fixed
and tls1.2 can be negotiated with client certs.
actually verify the diffie hellman parameter signature, this
comes in two flavours. TLS1.2 uses X509 signature with a
single hash specified by the signature algorithm field in
the signature itself and pre TLS1.2 where md5+sha1 hashes
of the signed blob are pkcs1 padded and encrypted with the
rsa private key.
stop advertizing non-rsa cipher suits (DSS and ECDSA), as
we have not implmenented them.
fix some memory leaks in X509 code while we'r at it.
TLS1.2 requires the client to send the list of supported
signature and hash algorithm pairs. some servers will simply
reject the client hello otherwise. note that we do not implement
any dh/ecdh param signature verification.
order the cipher list to strogest first. aes128 is actually more
secure than aes256.
make digest_certinfo() return the digest length, otherwise
return -1 as an error and handle it in the callers.
pass expected digest length to verify_signature() and
check digest length from certificate! make sure we wont
run off the buffer.
fix newlines in error prints of X509dump().
this implements SHA2 (224, 256, 384, 512) signature algorithms and
uses sha256WithRSAEncryption for X509req() and X509gen() instead
of oid_md5WithRSAEncryption.
tlsClient() now can optionally send the server_name in the ClientHello
message by setting the TLSconn.serverName. This is required for some
https sites.
RFC2104 defines HMAC for keys bigger than the 64 byte block
size as follows:
Applications that use keys longer than B (64) bytes will
first hash the key using H (the hash function) and then
use the resultant L byte string as the actual key to HMAC.
1) handle errors when loading thumbprint file.
initThumbprints() now returns nil and sets errstr
on error. a syntax error in a thumbprint file
should be reported instead of silently ignored!
(have to check users)
2) fix memory leak in initThumbprints(); we have to use
freeThumbprints() instead of free to release crltab.
3) use the actual head entries for thumbprint
storage in the thumbprints array. most thumbprint
files are rather sparse.
4) remove private emalloc() function. we shouldnt
just exit the calling process on allocation error,
instead handle error properly. this is a library!
from /n/sources/patch/blowfish/readme:
Blowfish is broken. The order of the bytes in the ciphertext
is wrong. The problem is the conversion from the ciphertext
plaintext block to the array of u32int used by the core funcions
and vice versa.
This code has been tested on big endian and little endian
machines.
A test program is also included, bftets.c. It uses the
test vectors of blowfish available at
https://www.schneier.com/code/vectors.txt
- TLSconn structure on stack but not initialized (zeroed)
- original filedescriptor double closed in error case
- original filedescriptor leaked in success case
- leaked TLSconn.sessionID and TLSconn.cert
- clarify in pushtls(2) and pushssl(2)
This patch adds client TLS authentication to libsec in compliance with
rfc 4346.
A new -c flag has been introduced for tlsclient allowing the user to
specify a certificate in pem(8) format which will be provided to the
server upon request.
A -D debug flag has been introduced to enable debugging output.
The patch has been tested against OpenSSL 0.9.7j 04 May 2006.
It exists today because of the great (debugging) help and insight
provided by Matthias Bauer.
TODOs:
- specification of a certain client key in factotum is not possible at
the moment
- tlssrv should support this too
These will get added in another patch.
The first try to submit this patch failed due to a network error.
Sorry for the duplication!
Kind regards,
Christian