| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Improve client certificate selection to allow EC certificates
instead of only RSA certificates.
* Do not error out if a TLSv1.3 server requests an OCSP response as
part of a certificate request.
* Fix SSL_shutdown behavior to match the legacy stack. The previous
behaviour could cause a hang.
* Fix a memory leak and add a missing error check in the handling of
the key update message.
* Fix a memory leak in tls13_record_layer_set_traffic_key.
* Avoid calling freezero with a negative size if a server sends a
malformed plaintext of all zeroes.
* Ensure that only PSS may be used with RSA in TLSv1.3 in order
to avoid using PKCS1-based signatures.
* Add the P-521 curve to the list of curves supported by default
in the client.
This is errata/6.7/019_libssl.patch.sig
|
| |
|
|
|
|
|
|
|
| |
SSL_get_server_tmp_key() provides the peer ephemeral public key used
for key exchange. In the case of TLSv1.3 this is essentially the peer
public key from the key share used for TLSv1.3 key exchange, hence make it
availaable via SSL_get_server_tmp_key().
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.
ok tb@
|
| |
|
|
|
|
|
|
| |
Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
The enc function pointers do not serve any purpose these days - remove
a layer of indirection and call dtls1_enc()/tls1_enc() directly.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
In a hello retry request the server will only send the selected group and
not actually provide a key exchange. In this case we need to store the
server selected group for further processing.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Use flags to signal the need to switch to the legacy client and to identify
a hello retry request. This allows the caller to take appropriate action,
rather than trying to do this in the parsing/processing code.
Split the key deriviation and record protection engagement code into a
separate function, both for readability and reuse.
Change handshake states outside of the processing code.
ok tb@
|
| |
|
|
|
|
| |
mangling.
ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
Pull out the key share handling code and provide a clean/self contained
interface. This will make it easier to support groups other than X25519.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
This reduces replication between the existing TLS client/server and allows
the code to soon be reused for TLSv1.3.
With feedback from inoguchi@ and tb@
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
ssl_get_message is essentially a switch between ssl3_get_message and
dtls1_get_message, both only used by the legacy stack. Instead, use
SSL_IS_DTLS() in ssl3_get_message to call the DTLS function when
necessary.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.
ok beck@ tb@
|
| |
|
|
|
|
| |
the same from the server.
ok jsing@ tb@
|
| |
|
|
|
|
|
| |
This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.
ok beck@
|
| |
|
|
|
|
|
|
| |
This currently only has enough code to handle fallback to the legacy TLS
stack for TLSv1.2 or earlier, however allows for further development and
testing.
ok beck@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This also makes it available to clients that use libtls, including ftp(1)
and nc(1).
Note that this does not expose additional defines via public headers, which
means that any code conditioning on defines like TLS1_3_VERSION or
SSL_OP_NO_TLSv1_3 will not enable or use TLSv1.3. This approach is
necessary since too many pieces of software assume that if TLS1_3_VERSION
is available, other OpenSSL 1.1 API will also be available, which is not
necessarily the case.
ok beck@ tb@
|
| |
|
|
|
|
| |
reverts previous attempt which would have broken ports
ok jsing@
|
| |
|
|
|
|
|
| |
For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.
ok beck@
|
| |
|
|
|
|
|
|
|
| |
Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.
ok tb@
|
| |
|
|
|
|
|
| |
There is not much point having a tlsext_tick_md macro that replaces
EVP_sha256() in two places, when the cipher is just hardcoded.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
The original implementation allows for libcrypto to be compiled without a
given algorithm and libssl then detects that ciphers or digests are
unavailable so that it can disable the associated cipher suites.
This is unnecessary since we do not compile out algorithms.
ok beck@, tb@ (a while back)
|
| |
|
|
|
|
| |
These are no longer used now that we defer signature algorithm selection.
ok beck@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).
Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.
Joint work with beck@.
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
We will now include the certificates in the chain in the certificate list,
or use the existing extra_certs if present. Failing that we fall back to
the automatic chain building if not disabled.
This also simplifies the code significantly.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
Note that this is not the full chain, as the leaf certificate currently
remains in the x509 member of CERT_PKEY. Unfortunately we've got to
contend with the fact that some OpenSSL *_chain_* APIs exclude the leaf
certificate while others include it...
ok beck@ tb@
|
| |
|
|
|
|
| |
SSL_HANDSHAKE_TLS13 back to ssl_locl.h.
discussed with jsing and inoguchi
|
| |
|
|
|
|
| |
This solves build error on luna88k with gcc3.
ok aoyama@ jca@ jsing@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
| |
There are various points where we need the hash of all messages prior to
the current message. Support this by having the handshake code preserve
the transcript hash prior to recording the current message, which avoids
the need to sprinkle this throughout multiple handlers.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
|
|
| |
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@
|
| |
|
|
| |
to the one I intended to commit
|
| |
|
|
|
|
|
|
|
| |
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@
|
| |
|
|
|
|
|
| |
will be used in a few places shortly, e.g. in
ssl_cipher_list_to_bytes().
ok jsing
|
| |
|
|
|
|
|
|
| |
While here, rename struct handshake to struct handshake_stage to avoid
potential ambiguity/conflict with the handshake data struct. Also add
forward and back pointers between SSL and struct tls13_ctx.
ok tb@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If DTLS sees a HelloVerifyRequest the transcript is reset - the previous
tls1_init_finished_mac() function could be called multiple times and would
discard any existing state. The replacement tls1_transcript_init() is more
strict and fails if a transcript already exists.
Provide an explicit tls1_transcript_reset() function and call it from the
appropriate places. This also lets us make DTLS less of a special snowflake
and call tls1_transcript_init() in the same place as used for TLS.
ok beck@ tb@
|
| |
|
|
|
|
| |
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@
|
