| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
invalid change cipher spec. Found due to dead assignment warnings
by the Clang static analyzer.
ok inoguchi (previous version), jsing
|
| |
|
|
|
|
|
|
|
|
| |
type, sigalgs/rsa/ec/gost. Move a few special dances for GOST where they
belong now. This prompted a fix for a long-standing bug with GOST client
certificate authentication where tls1_transcript_data() fails since the
transcript was already freed before. Add a bit of missing error checking
and leave some further cleanup for later.
idea, guidance & ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If DTLS sees a HelloVerifyRequest the transcript is reset - the previous
tls1_init_finished_mac() function could be called multiple times and would
discard any existing state. The replacement tls1_transcript_init() is more
strict and fails if a transcript already exists.
Provide an explicit tls1_transcript_reset() function and call it from the
appropriate places. This also lets us make DTLS less of a special snowflake
and call tls1_transcript_init() in the same place as used for TLS.
ok beck@ tb@
|
| |
|
|
| |
Discussed with beck@
|
| |
|
|
|
|
|
| |
In TLSv1.2, if the client does not send a signature algorithms extension
then for RSA key exchange a signature algorithm of {sha1,rsa} is implied.
The MD5+SHA1 hash only applies to older versions of TLS, which do not
support sigalgs.
|
| | |
|
| | |
|
| |
|
|
| |
joel's line of thinking about it
|
| |
|
|
|
| |
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@
|
| |
|
|
|
|
|
|
|
|
| |
instead of 'uint16_t'
Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.
OK tb@ and jsing@
|
| |
|
|
| |
Makes connections to outlook.office365.com work
|
| | |
|
| |
|
|
| |
Spotted by maestre@, ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
| |
Include check for appropriate RSA key size when used with PSS.
ok tb@
|
| |
|
|
| |
ok beck@
|
| | |
|
| |
|
|
|
|
|
| |
Used by unbound's DNS over TLS implementation to do server name
verification.
ok jsing
|
| | |
|
| |
|
|
|
| |
Regression found by Perl module p5-IO-Socket-SSL tests.
with beck@ tb@
|
| |
|
|
|
|
| |
lightly tested, but will need sanity checks and regress test changes
before being added to any sigalgs list for real
ok jsing@ tb@
|
| |
|
|
|
|
| |
to allow for adding PSS, Nuke the now unneejded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Provide a tls13_handshake_active_action() function to reduce code
duplication and replace tls13_handshake_get_sender().
- Add an INVALID message_type, so we can explicitly detect invalid
conditions.
- Implement skeletons for the tls13_handshake_send_action() and
tls13_handshake_recv_action() functions.
- OR in the NEGOTIATED value at the end of recving or sending a server
hello so that we switch to the next chain in the state table.
ok tb@
|
| |
|
|
| |
Reported by Ben L <bobsayshilol at live dot co dot uk>
|
| |
|
|
|
|
| |
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When the RFC refers to ("") for key derivation, it is referring to the
transcript hash of an empty string, not an empty string. Rename
tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD *
and calculate the hash of an empty string so that we have it available
for the "derived" and other steps. Merge tls13_secrets_init() into
the same function, remove the EVP_MD * from other functions and use the
empty string hash at the appropriate places.
ok beck@ tb@
|
| |
|
|
|
|
| |
and "write". Use self-documenting C99 initializers.
ok bcook, jsing
|
| |
|
|
|
|
| |
Found the hard way by jmc@
ok tb@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
| |
Add a priority list for tls 1.2
ok jsing@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
| |
setting it.
From Ben L <bobsayshilol () live ! co ! uk>.
|
| | |
|
| | |
|
| |
|
|
|
| |
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@
|
| |
|
|
|
|
| |
inspired by s2n's state machine. Lots of help and input from jsing.
ok beck, jsing
|
| | |
|
| |
|
|
|
|
|
| |
This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
| |
discussed with beck and jsing
|
| |
|
|
|
|
|
|
|
| |
Add a check at the completion of the client/server handshake to ensure that
the handshake transcript has been freed. Fix the case where a server asks
the client for a certificate, but it does not have one, resulting in the
handshake transcript being left around post-handshake.
ok bcook@ tb@
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
This is effectively a no-op, since most of the code clamps to the maximum
version supported by the TLS method (which are still at TLSv1.2).
ok beck@ bluhm@ tb@
|
| |
|
|
| |
ok beck@ bluhm@ tb@
|
