| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
SSL_AD_DECODE_ERROR is the default alert for a TLS extension parsing
failure - remove the various gotos and simply return 0 instead.
ok tb@
|
| | |
|
| |
|
|
|
| |
If a libssl function takes an SSL *, it should normally be the first
argument.
|
| |
|
|
|
|
|
|
| |
Fix leaks, use sizeof() instead of hardcoded sizes, actually check return
codes, explicit_bzero() the premaster secret on the server side and
generally try to kick the GOST kex code into some sort of shape.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Like other KEX handling functions, there is no need to return anything
other than failure/success here.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
GOST skip certificate verify handling got broken in r1.132 of s3_srvr.c
circa 2016. Prior to this, ssl3_get_client_key_exchange() returned an
'extra special' value to indicate that the state machine should skip
certificate verify. Fix this by setting and checking the
TLS1_FLAGS_SKIP_CERT_VERIFY flag, which is the same as is done in the
client.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
With TLSv1.2 and earlier, the authentication algorithm used to sign the
ServerKeyExchange message is dependent on the cipher suite in use and has
nothing to do with the key exchange algorithm. As such, check the
authentication algorithm based on the cipher suite in
ssl3_get_server_key_exchange() and handle things accordingly.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
| |
Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Support for non-ephemeral DH was removed a very long time ago - the only
way that dh_tmp is set is via DHparams_dup(), hence the public and private
keys are always going to be NULL.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
This requires a few more additions to the DHE key share code - we need to
be able to either set the DHE parameters or specify the number of key bits
for use with auto DHE parameters. Additionally, we need to be able to
serialise the DHE parameters to send to the client.
This removes the infamous 'tmp' struct from ssl3_state_internal_st.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
This requires adding DHE support to tls_key_share. In doing so,
tls_key_share_peer_public() has to lose the group argument and gains
an invalid_key argument. The one place that actually needs the group
check is tlsext_keyshare_client_parse(), so add code to do this.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This brings the code more in line with the tls12_record_layer and reduces
the effort needed to make EVP_AEAD_CTX opaque.
Prompted by and ok tb@
|
| |
|
|
| |
Prompted by and ok tb@
|
| |
|
|
|
|
|
|
|
| |
In preparation to use the key share code in both the TLSv1.3 and legacy
stacks, rename tls13_key_share to tls_key_share, moving it into the shared
handshake struct. Further changes will then allow the legacy stack to make
use of the same code for ephemeral key exchange.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In the legacy stack, a message handling function returns -1 for failure,
0 for need more data and 1 for success (although in extra special cases
2 may also be used). However, the various send/get kex functions only
need to indicate success or failure - switch these to return 0 on failure
(rather than -1) and use normal result testing.
This leaves GOST unchanged for now, as that code is special and needs
extra work.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
If we receive something other than a "named curve", send a handshake
failure alert as we're unable to complete the handshake with the given
parameters. If the server responded with a curve that we did not advertise
send an illegal parameter alert.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This provides better symmetry with the parsing code and will allow for
better reuse with the legacy stack, which has different message structures.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
a use of uninitialized in the unlikely event that either of them fails.
Problem introduced in r1.128.
CID 345113
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Due to a wonderful API inconsistency, a client includes the peer's leaf
certificate in the stored certificate chain, while a server does not.
Found due to a haproxy test failure reported by Ilya Shipitsin.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Before the TLSv1.3 stack grew client certificate support, it fell back
to the legacy stack. Proper client certificate support was added in a2k20
with a TLS13_USE_LEGACY_CLIENT_AUTH knob to provide an easy fallback in
case the new code should have a problem. This was never needed.
As ifdefed code is wont to do, this bitrotted a few months later when
the client and server methods were merged.
discussed with jsing
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
| |
These will be used in libcrypto.
With input from and ok tb@
|
| |
|
|
|
|
| |
This will be used in the libcrypto certificate transparency code.
ok tb@
|
| |
|
|
|
|
|
|
| |
This will be used in the TLSv1.3 record layer.
From BoringSSL.
ok tb@
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.
Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Call DH_check_pub_key() after decoding the peer public key - this will be
needed for the server DHE key exchange, but also benefits the client.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
sk is commonly used for a STACK_OF(), so call the shared key simply key.
ok jsing
|
| |
|
|
|
|
|
| |
If we can provide an EC key that is used, then it is by definition
non-ephemeral.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Assign the result of BN_dup() and BN_bn2bin() to local BIGNUMs, then
set the factors and pubkey on the dh using DH_set0_{pqg,key}().
A second pass will be done during the upcoming bump.
ok jsing
|
| |
|
|
|
|
|
|
| |
BIO_s_file_internal() should never have leaked out of libcrypto,
but it did. As a first step of getting rid of it, stop using it
internally.
ok jsing
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
This follows what was done previously for ECDHE EC point key exchange and
will allow for deduplication and further code improvement.
Convert the TLSv1.2 client to use the new DHE key exchange functions.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
| |
reaching into the EVP_PKEY struct.
ok inoguchi jsing
|
| |
|
|
| |
ok schwarze@
|
| |
|
|
| |
from beck
|
| |
|
|
|
|
|
|
|
|
|
|
| |
For some strange historical reason ECDSA_sign() and ECDSA_verify}() have
a type argument that they ignore. For another strange historical reason,
the type passed to them from libssl is pkey->save_type, which is used to
avoid expensive engine lookups when setting the pkey type... Whatever the
aforementioned reasons were, we can't access pkey->save_type with the
OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque.
Simply pass in 0 instead.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.
ok jsing
|
