| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| | |
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
and Symbol addition and removal in libcrypto.
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
Stop reaching into DH internals and use the new API functions instead.
ok inoguchi jsing
|
| |
|
|
| |
Trivial conversion to cope with opaque BIO.
|
| | |
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
| |
peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Distinguish between decode errors and other errors, so that we can send
a SSL_AD_DECODE_ERROR alert when appropriate.
Fixes a tlsfuzzer failure, due to it expecting a decode error alert and
not receiving one.
Prompted by anton@
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
SSL_AD_DECODE_ERROR is the default alert for a TLS extension parsing
failure - remove the various gotos and simply return 0 instead.
ok tb@
|
| | |
|
| |
|
|
|
| |
If a libssl function takes an SSL *, it should normally be the first
argument.
|
| |
|
|
|
|
|
|
| |
Fix leaks, use sizeof() instead of hardcoded sizes, actually check return
codes, explicit_bzero() the premaster secret on the server side and
generally try to kick the GOST kex code into some sort of shape.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Like other KEX handling functions, there is no need to return anything
other than failure/success here.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
GOST skip certificate verify handling got broken in r1.132 of s3_srvr.c
circa 2016. Prior to this, ssl3_get_client_key_exchange() returned an
'extra special' value to indicate that the state machine should skip
certificate verify. Fix this by setting and checking the
TLS1_FLAGS_SKIP_CERT_VERIFY flag, which is the same as is done in the
client.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
With TLSv1.2 and earlier, the authentication algorithm used to sign the
ServerKeyExchange message is dependent on the cipher suite in use and has
nothing to do with the key exchange algorithm. As such, check the
authentication algorithm based on the cipher suite in
ssl3_get_server_key_exchange() and handle things accordingly.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
| |
Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Support for non-ephemeral DH was removed a very long time ago - the only
way that dh_tmp is set is via DHparams_dup(), hence the public and private
keys are always going to be NULL.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
This requires a few more additions to the DHE key share code - we need to
be able to either set the DHE parameters or specify the number of key bits
for use with auto DHE parameters. Additionally, we need to be able to
serialise the DHE parameters to send to the client.
This removes the infamous 'tmp' struct from ssl3_state_internal_st.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
This requires adding DHE support to tls_key_share. In doing so,
tls_key_share_peer_public() has to lose the group argument and gains
an invalid_key argument. The one place that actually needs the group
check is tlsext_keyshare_client_parse(), so add code to do this.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This brings the code more in line with the tls12_record_layer and reduces
the effort needed to make EVP_AEAD_CTX opaque.
Prompted by and ok tb@
|
| |
|
|
| |
Prompted by and ok tb@
|
| |
|
|
|
|
|
|
|
| |
In preparation to use the key share code in both the TLSv1.3 and legacy
stacks, rename tls13_key_share to tls_key_share, moving it into the shared
handshake struct. Further changes will then allow the legacy stack to make
use of the same code for ephemeral key exchange.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In the legacy stack, a message handling function returns -1 for failure,
0 for need more data and 1 for success (although in extra special cases
2 may also be used). However, the various send/get kex functions only
need to indicate success or failure - switch these to return 0 on failure
(rather than -1) and use normal result testing.
This leaves GOST unchanged for now, as that code is special and needs
extra work.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
If we receive something other than a "named curve", send a handshake
failure alert as we're unable to complete the handshake with the given
parameters. If the server responded with a curve that we did not advertise
send an illegal parameter alert.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This provides better symmetry with the parsing code and will allow for
better reuse with the legacy stack, which has different message structures.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
a use of uninitialized in the unlikely event that either of them fails.
Problem introduced in r1.128.
CID 345113
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Due to a wonderful API inconsistency, a client includes the peer's leaf
certificate in the stored certificate chain, while a server does not.
Found due to a haproxy test failure reported by Ilya Shipitsin.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Before the TLSv1.3 stack grew client certificate support, it fell back
to the legacy stack. Proper client certificate support was added in a2k20
with a TLS13_USE_LEGACY_CLIENT_AUTH knob to provide an easy fallback in
case the new code should have a problem. This was never needed.
As ifdefed code is wont to do, this bitrotted a few months later when
the client and server methods were merged.
discussed with jsing
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
| |
These will be used in libcrypto.
With input from and ok tb@
|
| |
|
|
|
|
| |
This will be used in the libcrypto certificate transparency code.
ok tb@
|
| |
|
|
|
|
|
|
| |
This will be used in the TLSv1.3 record layer.
From BoringSSL.
ok tb@
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.
Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.
ok inoguchi@ tb@
|
