| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Improve client certificate selection to allow EC certificates
instead of only RSA certificates.
* Do not error out if a TLSv1.3 server requests an OCSP response as
part of a certificate request.
* Fix SSL_shutdown behavior to match the legacy stack. The previous
behaviour could cause a hang.
* Fix a memory leak and add a missing error check in the handling of
the key update message.
* Fix a memory leak in tls13_record_layer_set_traffic_key.
* Avoid calling freezero with a negative size if a server sends a
malformed plaintext of all zeroes.
* Ensure that only PSS may be used with RSA in TLSv1.3 in order
to avoid using PKCS1-based signatures.
* Add the P-521 curve to the list of curves supported by default
in the client.
This is errata/6.7/019_libssl.patch.sig
|
| |
|
|
|
|
|
|
| |
Previously we would only select an X25519 key share from the client,
ignoring any others. Change this so that we will select the first of the
key shares that matches one of our supported groups.
ok beck@ inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It is currently possible for key_share to be NULL when a TLS client
receives a keyshare extension. However, for this to occur the client has
to be doing TLS 1.2 or earlier, which means that it was invalid for the
server to send the extension. As such, check for NULL and treat it as an
invalid extension.
Found by oss-fuzz (#20741 and #20745).
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
In a hello retry request the server will only send the selected group and
not actually provide a key exchange. In this case we need to store the
server selected group for further processing.
ok tb@
|
| |
|
|
|
|
|
|
| |
Even if we're not processing/using the peer public key from the key share,
we still need to unpack it in order to parse the TLS extension correctly.
Resolves issues with TLSv1.3 clients talking to TLSv1.2 server.
ok tb@
|
| |
|
|
|
|
|
| |
Pull out the key share handling code and provide a clean/self contained
interface. This will make it easier to support groups other than X25519.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
in tls 1.3
Will be used in a follow on commit to enable tls1.3 client certificates
ok jsing@
|
| |
|
|
|
|
|
|
|
| |
messages.
TLSv1.3 messages that include extensions need a length prefixed field with
zero bytes, rather than no data at all.
ok beck@ tb@
|
| |
|
|
| |
ok beck@
|
| | |
|
| | |
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
| |
I'll figure it out a bit later.
Found and diagnosed by inoguchi@
|
| |
|
|
| |
ok tb@ inoguchi@
|
| |
|
|
|
|
|
|
|
|
|
| |
The RFC does not require X25519 and it also allows clients to send an empty
key share when the want the server to select a group. The current behaviour
results in handshake failures where the client supports TLS 1.3 and sends a
TLS key share extension that does not contain X25519.
Issue reported by Hubert Kario via github.
ok tb@
|
| |
|
|
|
|
|
|
| |
name (which means the client sent SNI during the initial handshake).
Issue reported by Renaud Allard.
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
functions based on message type (clienthello/serverhello), to which side
is handling the processing.
No intended functional change.
ok beck@
|
| |
|
|
|
|
|
|
|
|
| |
it is an encrypted extension. Include it in the server hello for now.
This will have to be revisited once TLSv1.3 gets there. Fixes SRTP
negotiation.
Problem found by two rust-openssl regress failures reported by mikeb.
with & ok beck
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).
Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.
Joint work with beck@.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.
ok tb@
|
| |
|
|
|
| |
The deduplication is also not quite right - this will be revisited in due
course.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When operating as a TLSv1.0 or TLSv1.1 server, we still have to parse the
TLS sigalgs extension if presented by the client (which might be TLSv1.2
capable), rather than treating its presence as an error.
While here, remove future version dependence issues by avoiding explicit
version equality checks.
Issue reported by bluhm@.
ok bluhm@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
| |
has been seen in the handshake so far. Use it for keyshare.
ok tb@
|
| |
|
|
|
|
|
|
| |
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
|
|
| |
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@
|
| |
|
|
| |
to the one I intended to commit
|
| |
|
|
|
|
|
|
|
| |
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@
|
| |
|
|
|
|
| |
A couple of cleanup/style tweaks while here.
ok tb@
|
| | |
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
| |
appear with which messages.
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.
Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:
clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse
ok beck@ tb@
|
| |
|
|
|
| |
Add a priority list for tls 1.2
ok jsing@
|
| |
|
|
|
| |
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
| |
RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.
ok beck@ tb@
|
| |
|
|
|
|
| |
by moving the needs/build/parse functions into their own struct.
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
alert rather than an internal_error alert.
Issue found by Simon Friedberger, Robert Merget and Juraj Somorovsky.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
|
|
|
|
| |
The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.
This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.
The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).
ok inoguchi@
|
| |
|
|
| |
Also reference the knowledge base article instead of a discussion thread.
|
| |
|
|
|
|
|
|
| |
If no TLS extensions are present in a client hello or server hello, omit
the entire extensions block, rather than including it with a length of
zero.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- When parsing the OCSP extension we can have multiple responder IDs - pull
these out correctly.
- Stop using CBS_stow() - it's unnecessary since we just need access to the
data and length (which we can get via CBS_data() and CBS_len()).
- Use a temporary pointer when calling d2i_*() functions, since it will
increment the pointer by the number of bytes it consumed when decoding.
The original code incorrectly passes the pointer allocated via CBS_stow()
(using malloc()) to a d2i_*() function and then calls free() on the now
incremented pointer, most likely resulting in a crash. This issue was
reported by Robert Swiecki who found the issue using honggfuzz.
ok beck@
|
| |
|
|
|
|
|
| |
after we finish building the responder ID list. Otherwise adding to the
responder ID list fails.
ok beck@
|
| |
|
|
|
|
| |
leaving ssl_add_{client,server}hello_tlsext() as pointer to CBB wrappers.
ok doug@
|
