| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
|
|
| |
This allows the TLS 1.3 client to process the certificates that the server
has sent and verify that the server has possession of the private key.
ok tb@
|
| |
|
|
|
|
|
| |
instead
From Pamela Mosiejczuk, many thanks!
OK phessler@ deraadt@
|
| |
|
|
|
|
|
|
|
| |
There are various points where we need the hash of all messages prior to
the current message. Support this by having the handshake code preserve
the transcript hash prior to recording the current message, which avoids
the need to sprinkle this throughout multiple handlers.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This allows ctx->hs to be used throughout the TLSv1.3 code, rather than
S3I(ctx->ssl)->hs_tls13.
ok inoguchi@ tb@
|
| |
|
|
| |
ok bcook@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
| |
The deduplication is also not quite right - this will be revisited in due
course.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When operating as a TLSv1.0 or TLSv1.1 server, we still have to parse the
TLS sigalgs extension if presented by the client (which might be TLSv1.2
capable), rather than treating its presence as an error.
While here, remove future version dependence issues by avoiding explicit
version equality checks.
Issue reported by bluhm@.
ok bluhm@ tb@
|
| |
|
|
|
|
| |
call OPENSSL_assert() with the specific message, which due to recent
changes will end up syslog :)
ok jsing
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
| |
has been seen in the handshake so far. Use it for keyshare.
ok tb@
|
| |
|
|
|
|
|
|
| |
core files (which can depend upon various file layouts) have resonated
with my hate for this function outside a purely debugging context. I
also dislike how the report goes to stderr which may get lost or ignored.
Increase the noise (with syslog_r) and use _exit(1) to gaurantee termination.
ok jsing
|
| | |
|
| |
|
|
| |
ok jsing@ bcook@
|
| |
|
|
|
|
|
|
| |
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
| |
Remove GOST based sigalgs from TLS 1.2 since they don't work with TLS 1.2.
ok jsing@
|
| |
|
|
| |
spotted by naddy@
|
| |
|
|
|
|
|
|
|
| |
so it can be used from regress. Update regress accordingly.
Make sure the print target generates the entire table as it
currently is in tls13_handshake.c
discussed with beck and jsing
ok jsing
|
| |
|
|
| |
ok bcook@ jsing@
|
| |
|
|
|
|
|
|
|
|
| |
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@
|
| |
|
|
| |
to the one I intended to commit
|
| |
|
|
|
|
|
|
|
| |
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@
|
| |
|
|
|
|
|
| |
This sorts the valid handshakes with respect to ascending flags
value instead of the ad-hoc order produced by the algorithm.
ok jsing
|
| |
|
|
| |
ok bcook
|
| |
|
|
| |
ok bcook
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The text comes from OpenSSL, where it was still published under a
free license.
from schwarze
|
| |
|
|
|
|
|
| |
Part of OpenSSL 1.1 API (pre-licence-change).
input schwarze
ok jsing
|
| |
|
|
|
|
| |
Part of OpenSSL 1.1 API, pre-licence change.
ok jsing
|
| |
|
|
| |
Reported by bcook and sthen
|
| |
|
|
|
|
|
| |
xchacha is a chacha stream that allows for an extended nonce, which
in turn makes it feasible to use random nonces.
ok tb@
|
| | |
|
| | |
|
| |
|
|
| |
the wrong idiom. ok tedu@ but probably needs some tweakin
|
| | |
|
| |
|
|
|
|
|
| |
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Move tls13_connect() to a new tls13_client.c file and provide a legacy
wrapper to it, which allocates a struct tls_ctx if necessary. Also move
tls13_client_hello_send() to tls13_client.c and actual implement the
building of a client hello.
ok tb@
|
| |
|
|
|
|
|
| |
This means that we actually receive and send handshake messages to and from
the record layer.
ok tb@
|
| |
|
|
| |
Document it.
|
| |
|
|
|
|
|
| |
Pull the shared code up into a function and call it from tls13_connect()
and tls13_accept() instead of duplicating it.
"Yes, please!" tb@
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
will be used in a few places shortly, e.g. in
ssl_cipher_list_to_bytes().
ok jsing
|
