| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
as per RFC8446 section 4.2. Recognized extensions that appear in an
incorrect message must abort the handshake.
ok jsing@
|
| |
|
|
|
|
| |
At the moment this is mechanical, with the functions renamed. This will be
refactored for tls13.
ok jsing@
|
| |
|
|
|
|
|
|
|
|
| |
around broken GOST implementations. It looks like client certificates with
GOST have been completely broken since reimport of the GOST code, so no-one
is using LibreSSL this way. The client side was fixed only last week for
TLSv1.0 and TLSv1.1. This workaround is now in the way of much needed
simplifcation and cleanup, so it is time for it to go.
suggested by and ok jsing
|
| |
|
|
|
|
|
| |
invalid change cipher spec. Found due to dead assignment warnings
by the Clang static analyzer.
ok inoguchi (previous version), jsing
|
| |
|
|
|
|
|
|
|
|
| |
type, sigalgs/rsa/ec/gost. Move a few special dances for GOST where they
belong now. This prompted a fix for a long-standing bug with GOST client
certificate authentication where tls1_transcript_data() fails since the
transcript was already freed before. Add a bit of missing error checking
and leave some further cleanup for later.
idea, guidance & ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If DTLS sees a HelloVerifyRequest the transcript is reset - the previous
tls1_init_finished_mac() function could be called multiple times and would
discard any existing state. The replacement tls1_transcript_init() is more
strict and fails if a transcript already exists.
Provide an explicit tls1_transcript_reset() function and call it from the
appropriate places. This also lets us make DTLS less of a special snowflake
and call tls1_transcript_init() in the same place as used for TLS.
ok beck@ tb@
|
| |
|
|
| |
Discussed with beck@
|
| |
|
|
|
|
|
| |
In TLSv1.2, if the client does not send a signature algorithms extension
then for RSA key exchange a signature algorithm of {sha1,rsa} is implied.
The MD5+SHA1 hash only applies to older versions of TLS, which do not
support sigalgs.
|
| | |
|
| | |
|
| |
|
|
| |
joel's line of thinking about it
|
| |
|
|
|
| |
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@
|
| |
|
|
|
|
|
|
|
|
| |
instead of 'uint16_t'
Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.
OK tb@ and jsing@
|
| |
|
|
| |
Makes connections to outlook.office365.com work
|
| | |
|
| |
|
|
| |
Spotted by maestre@, ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
| |
Include check for appropriate RSA key size when used with PSS.
ok tb@
|
| |
|
|
| |
ok beck@
|
| | |
|
| |
|
|
|
|
|
| |
Used by unbound's DNS over TLS implementation to do server name
verification.
ok jsing
|
| | |
|
| |
|
|
|
| |
Regression found by Perl module p5-IO-Socket-SSL tests.
with beck@ tb@
|
| |
|
|
|
|
| |
lightly tested, but will need sanity checks and regress test changes
before being added to any sigalgs list for real
ok jsing@ tb@
|
| |
|
|
|
|
| |
to allow for adding PSS, Nuke the now unneejded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Provide a tls13_handshake_active_action() function to reduce code
duplication and replace tls13_handshake_get_sender().
- Add an INVALID message_type, so we can explicitly detect invalid
conditions.
- Implement skeletons for the tls13_handshake_send_action() and
tls13_handshake_recv_action() functions.
- OR in the NEGOTIATED value at the end of recving or sending a server
hello so that we switch to the next chain in the state table.
ok tb@
|
| |
|
|
| |
Reported by Ben L <bobsayshilol at live dot co dot uk>
|
| |
|
|
|
|
| |
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When the RFC refers to ("") for key derivation, it is referring to the
transcript hash of an empty string, not an empty string. Rename
tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD *
and calculate the hash of an empty string so that we have it available
for the "derived" and other steps. Merge tls13_secrets_init() into
the same function, remove the EVP_MD * from other functions and use the
empty string hash at the appropriate places.
ok beck@ tb@
|
| |
|
|
|
|
| |
and "write". Use self-documenting C99 initializers.
ok bcook, jsing
|
| |
|
|
|
|
| |
Found the hard way by jmc@
ok tb@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
| |
Add a priority list for tls 1.2
ok jsing@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
| |
setting it.
From Ben L <bobsayshilol () live ! co ! uk>.
|
| | |
|
| | |
|
| |
|
|
|
| |
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@
|
| |
|
|
|
|
| |
inspired by s2n's state machine. Lots of help and input from jsing.
ok beck, jsing
|
| | |
|
| |
|
|
|
|
|
| |
This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
| |
discussed with beck and jsing
|
| |
|
|
|
|
|
|
|
| |
Add a check at the completion of the client/server handshake to ensure that
the handshake transcript has been freed. Fix the case where a server asks
the client for a certificate, but it does not have one, resulting in the
handshake transcript being left around post-handshake.
ok bcook@ tb@
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
