Commit message

GOST cipher suites require that CertVerify signatures be generated in a
special way (see ssl3_send_client_kex_gost(), ssl3_get_cert_verify()).
However, the GOST_SIG_FORMAT_RS_LE flag was not passed in case of TLS 1.2
connections (because they use a different code path). Set this flag on
GOST PKEYs.
Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>
Sponsored by ROSA Linux
ok inoguchi@ tb@

Previously only the enabled protocol versions were considered, however we
also have to consider the method in use which may be version pinned.
Found the hard way by danj@ with haproxy and force-tlsv12.
ok beck@ inoguchi@ tb@

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:
/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */
And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.
Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.
ok tb@

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.
ok beck@

and if the two lengths differed, the later CBS_write_bytes() would
correctly fail anyway.
Discussed with jsing

TLSv1.1 or below, it should check whether the server's random value
contains the magic downgrade protection cookie and in that case abort
the handshake with an illegal parameter alert.
ok inoguchi, jsing

This reduces replication between the existing TLS client/server and allows
the code to soon be reused for TLSv1.3.
With feedback from inoguchi@ and tb@
ok inoguchi@ tb@

ssl_get_message is essentially a switch between ssl3_get_message and
dtls1_get_message, both only used by the legacy stack. Instead, use
SSL_IS_DTLS() in ssl3_get_message to call the DTLS function when
necessary.
ok beck@ inoguchi@ tb@

- Be consistent with _len naming.
- Use size_t where possible/appropriate.
- Group the CBB code.
- Use EVP_MAX_MD_SIZE consistently, instead of "magic" values.
- Switch GOST to EVP_DigestSign*, making it similar to sigalgs.
ok tb@ a while back.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).
Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.
Joint work with beck@.

We will now include the certificates in the chain in the certificate list,
or use the existing extra_certs if present. Failing that we fall back to
the automatic chain building if not disabled.
This also simplifies the code significantly.
ok beck@ tb@

LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.
ok tb@

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@

- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@

to the one I intended to commit

- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.
Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:
clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse
ok beck@ tb@

type, sigalgs/rsa/ec/gost. Move a few special dances for GOST where they
belong now. This prompted a fix for a long-standing bug with GOST client
certificate authentication where tls1_transcript_data() fails since the
transcript was already freed before. Add a bit of missing error checking
and leave some further cleanup for later.
idea, guidance & ok jsing

If DTLS sees a HelloVerifyRequest the transcript is reset - the previous
tls1_init_finished_mac() function could be called multiple times and would
discard any existing state. The replacement tls1_transcript_init() is more
strict and fails if a transcript already exists.
Provide an explicit tls1_transcript_reset() function and call it from the
appropriate places. This also lets us make DTLS less of a special snowflake
and call tls1_transcript_init() in the same place as used for TLS.
ok beck@ tb@

Discussed with beck@

joel's line of thinking about it

sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@

Include check for appropriate RSA key size when used with PSS.
ok tb@

lightly tested, but will need sanity checks and regress test changes
before being added to any sigalgs list for real
ok jsing@ tb@

to allow for adding PSS, Nuke the now unneeded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@

just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@

Found the hard way by jmc@
ok tb@

ok jsing@

that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.

ok beck@ tb@

Add a check at the completion of the client/server handshake to ensure that
the handshake transcript has been freed. Fix the case where a server asks
the client for a certificate, but it does not have one, resulting in the
handshake transcript being left around post-handshake.
ok bcook@ tb@

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during
code reviews.
Raised by tb@

Now that all handshake messages are created using CBB, remove the non-CBB
ssl3_handshake_msg_start()/ssl3_handshake_msg_finish() functions. Rename
the CBB variants by dropping the _cbb suffix.
ok bcook@ inoguchi@ tb@

Now that all callers of tls12_get_sigandhash() have been converted to CBB,
collapse tls12_get_sigandhash() and tls12_get_sigandhash_cbb() into a
single function. Rename it to tls12_gethashandsig() to be representative
of the actual order of the sigalgs parameters, and perform some other
clean up.
ok inoguchi@ tb@

ok inoguchi@ tb@

ok inoguchi@ tb@

ok bcook@ beck@ tb@

Everything can go through the EVP_Verify* code path.
ok inoguchi@ tb@

ok beck@ inoguchi@

the missing goto. While here also remove a set of unnecessary parentheses.

These flags enabled experimental behaviour in the write path, which nothing
uses. Removing this code greatly simplifies ssl3_write().
ok beck@ inoguchi@ sthen@ tb@

The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.
This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.
ok beck@

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.
Based on a diff from doug@

Part of a diff from doug@