| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
| |
In TLSv1.3 there are two types of alerts "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.
ok tb@
|
| |
|
|
|
|
|
|
| |
There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.
ok tb@
|
| | |
|
| | |
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Switch the read traffic key to the server application traffic key once
the server finished message has been processed. Switch the write traffic
key to the client application traffic key after sending the client
finished message.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.
ok tb@
|
| |
|
|
| |
ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
This adds support for processing of the server finished message and
generation of the client finished message.
ok tb@
|
| |
|
|
|
|
|
| |
This allows the TLS 1.3 client to process the certificates that the server
has sent and verify that the server has possession of the private key.
ok tb@
|
| |
|
|
|
|
|
| |
instead
From Pamela Mosiejczuk, many thanks!
OK phessler@ deraadt@
|
| |
|
|
|
|
|
|
|
| |
There are various points where we need the hash of all messages prior to
the current message. Support this by having the handshake code preserve
the transcript hash prior to recording the current message, which avoids
the need to sprinkle this throughout multiple handlers.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This allows ctx->hs to be used throughout the TLSv1.3 code, rather than
S3I(ctx->ssl)->hs_tls13.
ok inoguchi@ tb@
|
| |
|
|
| |
ok bcook@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
| |
The deduplication is also not quite right - this will be revisited in due
course.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When operating as a TLSv1.0 or TLSv1.1 server, we still have to parse the
TLS sigalgs extension if presented by the client (which might be TLSv1.2
capable), rather than treating its presence as an error.
While here, remove future version dependence issues by avoiding explicit
version equality checks.
Issue reported by bluhm@.
ok bluhm@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
| |
has been seen in the handshake so far. Use it for keyshare.
ok tb@
|
| |
|
|
| |
ok jsing@ bcook@
|
| |
|
|
|
|
|
|
| |
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
| |
Remove GOST based sigalgs from TLS 1.2 since they don't work with TLS 1.2.
ok jsing@
|
| |
|
|
| |
spotted by naddy@
|
| |
|
|
|
|
|
|
|
| |
so it can be used from regress. Update regress accordingly.
Make sure the print target generates the entire table as it
currently is in tls13_handshake.c
discussed with beck and jsing
ok jsing
|
| |
|
|
| |
ok bcook@ jsing@
|
| |
|
|
|
|
|
|
|
|
| |
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@
|
| |
|
|
| |
to the one I intended to commit
|
| |
|
|
|
|
|
|
|
| |
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@
|
| |
|
|
|
|
|
| |
This sorts the valid handshakes with respect to ascending flags
value instead of the ad-hoc order produced by the algorithm.
ok jsing
|
| |
|
|
| |
ok bcook
|
| |
|
|
| |
ok bcook
|
| | |
|
| |
|
|
|
|
|
| |
The text comes from OpenSSL, where it was still published under a
free license.
from schwarze
|
| |
|
|
|
|
|
| |
Part of OpenSSL 1.1 API (pre-licence-change).
input schwarze
ok jsing
|
| |
|
|
|
|
| |
Part of OpenSSL 1.1 API, pre-licence change.
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Move tls13_connect() to a new tls13_client.c file and provide a legacy
wrapper to it, which allocates a struct tls_ctx if necessary. Also move
tls13_client_hello_send() to tls13_client.c and actual implement the
building of a client hello.
ok tb@
|
| |
|
|
|
|
|
| |
This means that we actually receive and send handshake messages to and from
the record layer.
ok tb@
|
| |
|
|
| |
Document it.
|
| |
|
|
|
|
|
| |
Pull the shared code up into a function and call it from tls13_connect()
and tls13_accept() instead of duplicating it.
"Yes, please!" tb@
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
will be used in a few places shortly, e.g. in
ssl_cipher_list_to_bytes().
ok jsing
|
| | |
|
