Age | Commit message (Collapse) | Author |
|
SSL_get_server_tmp_key() provides the peer ephemeral public key used
for key exchange. In the case of TLSv1.3 this is essentially the peer
public key from the key share used for TLSv1.3 key exchange, hence make it
availaable via SSL_get_server_tmp_key().
ok inoguchi@ tb@
|
|
Changed to use local variable to hold malloc address rather than directly
set to S3I(s)->tmp.x25519, and set that private_key pointer to
S3I(s)->tmp.x25519 after all the "goto err;".
Also added freezero for S3I(s)->tmp.x25519 to ssl3_free() and ssl3_clear().
ok jsing@ tb@
|
|
Pull out the key share handling code and provide a clean/self contained
interface. This will make it easier to support groups other than X25519.
ok beck@ inoguchi@ tb@
|
|
Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.
ok beck@ tb@
|
|
In OpenSSL, SSL_CTX_get_extra_chain_certs() really means return extra
certs, unless there are none, in which case return the chain associated
with the certificate. If you really just want the extra certs, including
knowing if there are no extra certs, then you need to call
SSL_CTX_get_extra_chain_certs_only()! And to make this even more
entertaining, these functions are not documented in any OpenSSL release.
Reported by sephiroth-j on github, since the difference in behaviour
apparently breaks OCSP stapling with nginx.
ok beck@ inoguchi@ tb@
|
|
The recent EC group cofactor change results in stricter validation,
which causes the EC_GROUP_set_generator() call to fail.
Issue reported and fix tested by rsadowski@
ok tb@
|
|
These allow for chains to be managed on a per-certificate basis rather than
as a single "extra certificates" list. Note that "chain" in this context
does not actually include the leaf certificate however, unlike
SSL_CTX_use_certificate_chain_{file,mem}().
Thanks to sthen@ for running this through a bulk ports build.
ok beck@ tb@
|
|
Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).
Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.
Joint work with beck@.
|
|
While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
|
ok jsing@ bcook@
|
|
extensions for tls1.3.
versions is currently defanged to ignore its result until tls13 server
side wired in full, so that server side code still works today when
we only support tls 1.2
ok bcook@ tb@ jsing@
|
|
ok jsing@
|
|
to the one I intended to commit
|
|
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@
|
|
There is no guarantee that ssl3_clear() is called before ssl3_free(), so
free things here. Also move the chunk in ssl3_clear() up so that it is with
the "free" code rather than the "reinit" code.
ok beck@ tb@
|
|
ok jsing@
|
|
This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
|
ok beck@ tb@
|
|
ok beck@ tb@
|
|
RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.
ok beck@ tb@
|
|
The tls1_check_ec_tmp_key() function is now rather misnamed, so just inline
the code. Also, rather than running tls1_get_shared_curve() once per EC
cipher suite, we can run it once at the start of the ssl3_choose_cipher()
function.
ok bluhm@ tb@
|
|
In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.
ok tb@
|
|
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.
ok tb@
|
|
|
|
Now that all handshake messages are created using CBB, remove the non-CBB
ssl3_handshake_msg_start()/ssl3_handshake_msg_finish() functions. Rename
the CBB variants by dropping the _cbb suffix.
ok bcook@ inoguchi@ tb@
|
|
These are insecure and should not be used - furthermore, we would should
not have been allowing their negotiation with TLSv1.2 (as noted by Robert
Merget, Juraj Somorovsky and Simon Friedberger). Removing these cipher
suites also fixes this issue.
ok beck@ inoguchi@
|
|
These flags enabled experimental behaviour in the write path, which nothing
uses. Removing this code greatly simplifies ssl3_write().
ok beck@ inoguchi@ sthen@ tb@
|
|
We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.
manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@
|
|
|
|
While here make the CBS usage in ssl3_get_cipher_by_char() more consistent
with other code.
ok inoguchi@
|
|
which allows us to drop dtls1_send_change_cipher_spec() entirely.
ok inoguchi@
|
|
|
|
Spotted by Andreas Bartelt <obsd at bartula dot de>
|
|
Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.
Also prompted by Andreas Bartelt <obsd at bartula dot de>.
ok beck@ doug@
|
|
NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.
TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
otherside does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.
ok bcook@ beck@ doug@
|
|
back.
ok guenther@
|
|
ok beck@ doug@
|
|
Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).
We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.
ok beck@ doug@
|
|
breaking from some and returning from others.
|
|
|
|
they can eventually be exposed as direct functions/symbols.
|
|
from some.
|
|
|
|
|
|
eventually be exposed as direct functions/symbols.
|
|
for readability.
|
|
|
|
Reported by <dravion at ht-foss dot net>
|
|
keep these around.
ok beck@
|
|
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@
|