| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
| |
Add a priority list for tls 1.2
ok jsing@
|
| |
|
|
|
| |
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@
|
| |
|
|
|
|
|
| |
This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
Add a check at the completion of the client/server handshake to ensure that
the handshake transcript has been freed. Fix the case where a server asks
the client for a certificate, but it does not have one, resulting in the
handshake transcript being left around post-handshake.
ok bcook@ tb@
|
| |
|
|
| |
ok inoguchi@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
The original code did a crazy encode/malloc/encode/decode/modify/encode
dance, in order to encode a session in the form needed to encrypt then add
to a session ticket. By modifying the encoding functions slightly, we can
do this entire dance as a single encode.
Inspired by similar changes in BoringSSL.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.
While here standarise on naming for session_id and session_id_len.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
Parse up until the extensions (if any), then proceed with processing,
rather than gradually parsing while processing. This makes the code
cleaner, requires messages to be valid before processing and makes way
for upcoming changes.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Now that all handshake messages are created using CBB, remove the non-CBB
ssl3_handshake_msg_start()/ssl3_handshake_msg_finish() functions. Rename
the CBB variants by dropping the _cbb suffix.
ok bcook@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
The CBB conversion resulted in the ticket encryption being handled
incorrectly, resulting in only the last block being used. Fix this and
restore the previous behaviour.
Issue found by inoguchi@ and sebastia@.
ok inoguchi@ and tb@
|
| |
|
|
|
|
|
|
|
|
| |
Now that all callers of tls12_get_sigandhash() have been converted to CBB,
collapse tls12_get_sigandhash() and tls12_get_sigandhash_cbb() into a
single function. Rename it to tls12_gethashandsig() to be representative
of the actual order of the sigalgs parameters, and perform some other
clean up.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
This removes a memorable BUF_MEM_grow() and associated comment.
ok inoguchi@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok bcook@ beck@ tb@
|
| |
|
|
|
|
| |
Everything can go through the single EVP_Sign* code path.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
have been converted to CBS, pull it up a level.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
client KEX DHE processing, rather than reusing the buffer that is used
to send/receive handshake messages.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
| |
Also allocate a dedicated buffer to hold the shared secret, rather than
reusing init_buf.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
For pure ECDHE we do not need to construct a new key using the one that
was set up during the other half of the key exchange. Also, since we do not
support any form of ECDH the n == 0 case is not valid (per RFC 4492 section
5.7), so we can ditch this entirely.
ok inoguchi@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
Convert to CBS, use more appropriate variable names and improve validation.
Allocate a dedicated buffer to hold the decrypted result, rather than
decrypting into the handshake buffer (which is also used to send data).
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
| |
around the SSLv3/TLSv1.0 period... and buggy clients are buggy. This also
helps to clean up the RSA key exchange code.
ok "kill it with fire" beck@ tb@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.
The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).
ok inoguchi@
|
| |
|
|
| |
With review/feedback from inoguchi@
|
| |
|
|
| |
Based on a diff from doug@
|
| |
|
|
|
| |
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.
|
| | |
|
| |
|
|
| |
ok beck@ doug@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.
TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
otherside does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.
ok bcook@ beck@ doug@
|
| |
|
|
|
|
| |
back.
ok guenther@
|
| |
|
|
| |
ok beck@ doug@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).
We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.
ok beck@ doug@
|
| |
|
|
|
|
|
| |
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@
|
| |
|
|
| |
ok jsing@, gcc@, regress@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DTLS cookie validation. This can mask a later failure and result in a
positive return value being returned from ssl3_get_client_hello(), when
it should return a negative value to propagate the error.
Ironically this was introduced in OpenSSL 2e9802b7a7b with the commit
message "Fix DTLS cookie management bugs".
Fix based on OpenSSL.
Issue reported by Nicolas Bouliane <nbouliane at jive dot com>.
ok beck@
|
| |
|
|
|
| |
less code, but there is also a potential performance gain since they can be
larger allocations.
|
| | |
|
| |
|
|
|
|
|
|
| |
into the CBB memory, rather than mallocing and memcpying, which also makes
makes the code more consistent with the client. Add a missing check for the
first EC_POINT_point2oct() call.
ok beck@
|
| |
|
|
|
|
|
| |
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
|
|
|
| |
suite has been selected, and convert the final finish MAC to use this
handshake hash.
This is a first step towards cleaning up the current handshake
buffer/digest code.
ok beck@ inoguchi@
|
| |
|
|
| |
ok beck@ inoguchi@
|
| |
|
|
| |
ok inoguchi@
|
| |
|
|
|
|
|
| |
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
|
|
| |
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
