Age | Commit message (Collapse) | Author |
|
ok jsing@
|
Update the handshake state tables and flag names according to the
design decisions and naming conventions in the hackroom. Garbage collect
some things that turn out not to belong here.
ok jsing
|
ok jsing@
|
appear with which messages.
ok jsing@
|
When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.
Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:
clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse
ok beck@ tb@
|
ok jsing@ tb@
|
The read callback returns a TLS13_IO_* value on EOF, failure, want pollin
or want pollout, or a positive value indicating the number of bytes read.
This will be used by upcoming TLSv1.3 handshake message and record
processing code, both of which need the ability to read a fixed size
header, before extending the buffer to the number of bytes specified in the
header.
ok beck@ tb@
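Added example for the read-callback contract described in this commit; this is illustration code, not LibreSSL's. The TLS13_IO_* numeric values, the callback shape (return bytes, or a status value), the MAX_HANDSHAKE_LEN cap and the class names are assumptions made here. The reader first wants the fixed 4-byte handshake header, then extends the wanted size to the uint24 length the header declares, keeping partial data across want-pollin returns:

```python
"""Read one TLS 1.3 handshake message through a status-returning read callback."""

# Callback status values (assumed for this example).
TLS13_IO_SUCCESS = 1
TLS13_IO_EOF = 0
TLS13_IO_FAILURE = -1
TLS13_IO_WANT_POLLIN = -2
TLS13_IO_WANT_POLLOUT = -3

HANDSHAKE_HEADER_LEN = 4        # HandshakeType (1 byte) + uint24 length
MAX_HANDSHAKE_LEN = 1 << 16     # assumed cap on the payload we will buffer


class HandshakeReader:
    """Accumulates one handshake message across any number of read() calls.

    read_cb(n) must return either a bytes object of 1..n bytes, or one of
    TLS13_IO_EOF / TLS13_IO_FAILURE / TLS13_IO_WANT_POLLIN / _WANT_POLLOUT.
    """

    def __init__(self, read_cb):
        self._read_cb = read_cb
        self._buf = bytearray()
        self._want = HANDSHAKE_HEADER_LEN   # step 1: the fixed-size header
        self.msg_type = None
        self.body = None

    def read(self) -> int:
        """Return a TLS13_IO_* value. On TLS13_IO_SUCCESS msg_type and body
        are complete; on a WANT_* value the partial buffer is retained and
        the caller simply calls read() again once the socket is ready."""
        while len(self._buf) < self._want:
            r = self._read_cb(self._want - len(self._buf))
            if isinstance(r, int):
                return r                    # EOF, failure, want pollin/pollout
            if not r or len(r) > self._want - len(self._buf):
                return TLS13_IO_FAILURE     # callback violated its contract
            self._buf += r
            if self._want == HANDSHAKE_HEADER_LEN and len(self._buf) == HANDSHAKE_HEADER_LEN:
                # Step 2: header complete, extend to header + declared length.
                length = int.from_bytes(self._buf[1:4], "big")
                if length > MAX_HANDSHAKE_LEN:
                    return TLS13_IO_FAILURE
                self.msg_type = self._buf[0]
                self._want = HANDSHAKE_HEADER_LEN + length
        self.body = bytes(self._buf[HANDSHAKE_HEADER_LEN:])
        return TLS13_IO_SUCCESS

    def buffered(self) -> int:
        return len(self._buf)


class ChunkedSource:
    """Constructed stand-in for a non-blocking socket: delivers `data` in the
    given chunk sizes, reports WANT_POLLIN between chunks, EOF when drained."""

    def __init__(self, data: bytes, chunks):
        self._data, self._chunks, self._off, self._ready = data, list(chunks), 0, True

    def __call__(self, n: int):
        if self._off >= len(self._data):
            return TLS13_IO_EOF
        if not self._ready:
            self._ready = True
            return TLS13_IO_WANT_POLLIN
        size = min(n, self._chunks.pop(0) if self._chunks else n)
        chunk = self._data[self._off:self._off + size]
        self._off += len(chunk)
        self._ready = False
        return chunk


def handshake_message(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Constructed sample: a Finished (type 20) with 32 bytes of verify_data.
SAMPLE = handshake_message(20, bytes(range(32)))
# Constructed bogus header claiming a payload larger than we will buffer.
OVERSIZE = bytes([20]) + (MAX_HANDSHAKE_LEN + 1).to_bytes(3, "big")


def drive(source):
    """Call read() until it returns anything but WANT_POLLIN.
    Returns (list of status values seen, reader)."""
    reader, seen = HandshakeReader(source), []
    while True:
        rv = reader.read()
        seen.append(rv)
        if rv != TLS13_IO_WANT_POLLIN:
            return seen, reader


if __name__ == "__main__":
    statuses, rd = drive(ChunkedSource(SAMPLE, [2, 2, 10]))
    print(statuses, rd.msg_type, rd.body.hex())
```

The two failure paths worth noting: a stream that ends mid-message comes back as TLS13_IO_EOF with the partial bytes still buffered (so the caller can distinguish a clean close from a truncated message), and a header whose length exceeds the cap is refused before any payload is allocated.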
|
as per RFC8446 section 4.2. Recognized extensions that appear in an
incorrect message must abort the handshake.
ok jsing@
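Added example covering both the per-message extension rule in this commit (RFC 8446 section 4.2) and the seven-message situation described in the rename commit above; it is illustration code, not LibreSSL's. The placement table is the one in RFC 8446 section 4.2; the message abbreviations, helper names and the sample blocks are this example's own, and the samples are constructed rather than captured. A recognized extension in a message it is not specified for aborts with illegal_parameter, as does a duplicate; unrecognized types are ignored:

```python
"""Check TLS 1.3 extension placement against RFC 8446 section 4.2."""
import struct

# The seven handshake messages that can carry extensions.
CH, SH, EE, CT, CR, NST, HRR = "CH", "SH", "EE", "CT", "CR", "NST", "HRR"

# Extension codepoint -> messages it may appear in (RFC 8446 section 4.2 table).
ALLOWED = {
    0: {CH, EE},          # server_name
    1: {CH, EE},          # max_fragment_length
    5: {CH, CR, CT},      # status_request
    10: {CH, EE},         # supported_groups
    13: {CH, CR},         # signature_algorithms
    14: {CH, EE},         # use_srtp
    15: {CH, EE},         # heartbeat
    16: {CH, EE},         # application_layer_protocol_negotiation
    18: {CH, CR, CT},     # signed_certificate_timestamp
    19: {CH, EE},         # client_certificate_type
    20: {CH, EE},         # server_certificate_type
    21: {CH},             # padding
    41: {CH, SH},         # pre_shared_key
    42: {CH, EE, NST},    # early_data
    43: {CH, SH, HRR},    # supported_versions
    44: {CH, HRR},        # cookie
    45: {CH},             # psk_key_exchange_modes
    47: {CH, CR},         # certificate_authorities
    48: {CR},             # oid_filters
    49: {CH},             # post_handshake_auth
    50: {CH, CR},         # signature_algorithms_cert
    51: {CH, SH, HRR},    # key_share
}


class IllegalParameter(Exception):
    """Where a real stack sends an illegal_parameter alert and aborts."""


class DecodeError(Exception):
    """Where a real stack sends a decode_error alert and aborts."""


def parse_extensions(block: bytes, msg: str) -> dict:
    """Parse an extensions block (uint16 total length, then uint16 type,
    uint16 length, data) received in handshake message `msg`.
    Returns {type: data}; raises when the RFC says the handshake must abort."""
    if len(block) < 2:
        raise DecodeError("missing extensions length")
    (total,) = struct.unpack("!H", block[:2])
    if total != len(block) - 2:
        raise DecodeError("extensions length does not match block")
    body, off, seen = block[2:], 0, {}
    while off < len(body):
        if len(body) - off < 4:
            raise DecodeError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if len(body) - off < ext_len:
            raise DecodeError("truncated extension data")
        data, off = body[off:off + ext_len], off + ext_len
        if ext_type in seen:
            # "There MUST NOT be more than one extension of the same type."
            raise IllegalParameter("duplicate extension %d" % ext_type)
        if ext_type in ALLOWED and msg not in ALLOWED[ext_type]:
            # Recognized extension in a message it is not specified for.
            raise IllegalParameter("extension %d not allowed in %s" % (ext_type, msg))
        # Unrecognized extensions are ignored (but still count as seen).
        seen[ext_type] = data
    return seen


def ext(ext_type: int, data: bytes) -> bytes:
    """Encode one extension (helper for the constructed samples below)."""
    return struct.pack("!HH", ext_type, len(data)) + data


def ext_block(*exts: bytes) -> bytes:
    payload = b"".join(exts)
    return struct.pack("!H", len(payload)) + payload


def classify(block: bytes, msg: str) -> str:
    """Return 'ok', 'illegal_parameter' or 'decode_error' for block in msg."""
    try:
        parse_extensions(block, msg)
        return "ok"
    except IllegalParameter:
        return "illegal_parameter"
    except DecodeError:
        return "decode_error"


# Constructed samples, not captured traffic.
GOOD_SH = ext_block(ext(43, b"\x03\x04"), ext(51, b"\x00\x1d\x00\x00"))
BAD_SH = ext_block(ext(43, b"\x03\x04"), ext(0, b""))   # server_name in ServerHello
DUP_CH = ext_block(ext(13, b"\x00\x02\x08\x04"), ext(13, b"\x00\x02\x08\x04"))
UNKNOWN_EE = ext_block(ext(0xfefe, b"?"))                # unrecognized type: ignored

if __name__ == "__main__":
    for name, blk, msg in (("GOOD_SH", GOOD_SH, SH), ("BAD_SH", BAD_SH, SH),
                           ("DUP_CH", DUP_CH, CH), ("UNKNOWN_EE", UNKNOWN_EE, EE)):
        print(name, msg, classify(blk, msg))
```

Keying the table on the message rather than on the caller's role is what makes the check local: the same parse routine serves a client reading SH, EE, CT, CR and NST and a server reading CH, which is the situation the rename above is about.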
|
At the moment this is mechanical, with the functions renamed. This will be
refactored for tls13.
ok jsing@
|
around broken GOST implementations. It looks like client certificates with
GOST have been completely broken since reimport of the GOST code, so no-one
is using LibreSSL this way. The client side was fixed only last week for
TLSv1.0 and TLSv1.1. This workaround is now in the way of much needed
simplification and cleanup, so it is time for it to go.
suggested by and ok jsing
|
invalid change cipher spec. Found due to dead assignment warnings
by the Clang static analyzer.
ok inoguchi (previous version), jsing
|
type, sigalgs/rsa/ec/gost. Move a few special dances for GOST where they
belong now. This prompted a fix for a long-standing bug with GOST client
certificate authentication where tls1_transcript_data() fails since the
transcript was already freed before. Add a bit of missing error checking
and leave some further cleanup for later.
idea, guidance & ok jsing
|
If DTLS sees a HelloVerifyRequest the transcript is reset - the previous
tls1_init_finished_mac() function could be called multiple times and would
discard any existing state. The replacement tls1_transcript_init() is more
strict and fails if a transcript already exists.
Provide an explicit tls1_transcript_reset() function and call it from the
appropriate places. This also lets us make DTLS less of a special snowflake
and call tls1_transcript_init() in the same place as used for TLS.
ok beck@ tb@
|
Discussed with beck@
|
In TLSv1.2, if the client does not send a signature algorithms extension
then for RSA key exchange a signature algorithm of {sha1,rsa} is implied.
The MD5+SHA1 hash only applies to older versions of TLS, which do not
support sigalgs.
|
joel's line of thinking about it
|
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@
|
instead of 'uint16_t'
Found with llvm's static analyzer; noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.
OK tb@ and jsing@
|
Makes connections to outlook.office365.com work
|
Spotted by maestre@, ok tb@
|
ok tb@
|
Include check for appropriate RSA key size when used with PSS.
ok tb@
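Added example for the RSA-PSS key size check in this commit together with the TLSv1.2 sigalgs points made earlier in this log (the {sha1,rsa} default when no signature_algorithms extension is sent, and selecting from a priority list); it is illustration code, not LibreSSL's. Codepoints are the registered ones from RFC 8446 section 4.2.3 and RFC 5246; the priority order, the function names and the sample inputs are this example's own. The size rule is the EMSA-PSS one from RFC 8017 (emLen >= hLen + sLen + 2, with sLen = hLen as TLS requires), which is why a 1024-bit key cannot produce rsa_pss_rsae_sha512 and must fall through to a smaller hash or PKCS#1 v1.5:

```python
"""Pick a TLS 1.2 signature algorithm from the peer's list, with the
no-extension default and the RSA modulus size check for RSA-PSS."""
import hashlib

# sigalg codepoint -> (key type, hash, uses PSS). Codepoints per RFC 8446 4.2.3
# and RFC 5246 7.4.1.4.1.
SIGALGS = {
    0x0804: ("rsa", "sha256", True),     # rsa_pss_rsae_sha256
    0x0805: ("rsa", "sha384", True),     # rsa_pss_rsae_sha384
    0x0806: ("rsa", "sha512", True),     # rsa_pss_rsae_sha512
    0x0401: ("rsa", "sha256", False),    # rsa_pkcs1_sha256
    0x0501: ("rsa", "sha384", False),    # rsa_pkcs1_sha384
    0x0601: ("rsa", "sha512", False),    # rsa_pkcs1_sha512
    0x0403: ("ecdsa", "sha256", False),  # ecdsa_secp256r1_sha256
    0x0503: ("ecdsa", "sha384", False),  # ecdsa_secp384r1_sha384
    0x0201: ("rsa", "sha1", False),      # rsa_pkcs1_sha1
    0x0203: ("ecdsa", "sha1", False),    # ecdsa_sha1
}

# Our own priority list for TLS 1.2 (constructed for this example).
OUR_PRIORITY = [0x0804, 0x0805, 0x0806, 0x0403, 0x0503, 0x0401, 0x0501, 0x0601]

# RFC 5246 7.4.1.4.1: with no signature_algorithms extension, {sha1, key type}.
DEFAULT_WITHOUT_EXTENSION = {"rsa": 0x0201, "ecdsa": 0x0203}


def pss_fits(modulus_bits: int, hash_name: str) -> bool:
    """EMSA-PSS (RFC 8017 9.1.1) needs emLen = ceil((modBits - 1) / 8) >=
    hLen + sLen + 2, and TLS fixes sLen = hLen (RFC 8446 4.2.3)."""
    hlen = hashlib.new(hash_name).digest_size
    emlen = (modulus_bits - 1 + 7) // 8
    return emlen >= 2 * hlen + 2


def select_sigalg(key_type: str, modulus_bits: int, peer_sigalgs):
    """Return the codepoint to sign with, or None if nothing is usable.
    peer_sigalgs is None when the peer sent no signature_algorithms extension."""
    if peer_sigalgs is None:
        return DEFAULT_WITHOUT_EXTENSION.get(key_type)
    offered = set(peer_sigalgs)
    for cp in OUR_PRIORITY:                       # our order, not the peer's
        if cp not in offered:
            continue
        kt, hash_name, pss = SIGALGS[cp]
        if kt != key_type:
            continue
        if pss and not pss_fits(modulus_bits, hash_name):
            continue                              # key too small for this PSS
        return cp
    return None


if __name__ == "__main__":
    print(hex(select_sigalg("rsa", 2048, [0x0806, 0x0401])))   # 0x806
    print(hex(select_sigalg("rsa", 1024, [0x0806, 0x0401])))   # 0x401
    print(hex(select_sigalg("rsa", 2048, None)))               # 0x201
```

The check belongs at selection time, before any signing is attempted: an RSA-PSS signature with a too-small modulus fails inside the signing routine with an opaque error, well after the algorithm has been committed to.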
|
ok beck@
|
Used by unbound's DNS over TLS implementation to do server name
verification.
ok jsing
|
Regression found by Perl module p5-IO-Socket-SSL tests.
with beck@ tb@
|
lightly tested, but will need sanity checks and regress test changes
before being added to any sigalgs list for real
ok jsing@ tb@
|
to allow for adding PSS. Nuke the now unneeded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@
|
ok jsing@
|
- Provide a tls13_handshake_active_action() function to reduce code
duplication and replace tls13_handshake_get_sender().
- Add an INVALID message_type, so we can explicitly detect invalid
conditions.
- Implement skeletons for the tls13_handshake_send_action() and
tls13_handshake_recv_action() functions.
- OR in the NEGOTIATED value at the end of receiving or sending a server
hello so that we switch to the next chain in the state table.
ok tb@
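Added example of the flag-indexed state table this commit describes; it is illustration code, not LibreSSL's. The flag names, the message subset and the abridged chains (no HelloRetryRequest, PSK or early data) are this example's own. Each flag combination selects a chain of (sender, message) actions, the active action is whatever the chain holds at the current index, and the ServerHello ORs NEGOTIATED into the flags so the walk continues on the chain for what was negotiated. Since every chain opens with the same two actions, the index stays valid across the switch; anything that arrives out of order hits an action it does not match and is rejected:

```python
"""TLS 1.3 handshake state table driven by flags: each flag combination
selects a chain of (sender, message) actions and the ServerHello ORs
NEGOTIATED into the flags."""

CLIENT, SERVER = "client", "server"

# Handshake message types (RFC 8446 section 4) plus an INVALID sentinel.
INVALID = 0
CLIENT_HELLO, SERVER_HELLO, ENCRYPTED_EXTENSIONS = 1, 2, 8
CERTIFICATE, CERTIFICATE_REQUEST, CERTIFICATE_VERIFY, FINISHED = 11, 13, 15, 20

# State flags (names are this example's own).
INITIAL, NEGOTIATED, WITH_CLIENT_AUTH = 0, 1 << 0, 1 << 1

# Every chain opens with the same two actions, so ORing NEGOTIATED in after
# the ServerHello leaves the current index valid on the newly selected chain.
_START = [(CLIENT, CLIENT_HELLO), (SERVER, SERVER_HELLO)]
TABLE = {
    INITIAL: _START,
    NEGOTIATED: _START + [
        (SERVER, ENCRYPTED_EXTENSIONS), (SERVER, CERTIFICATE),
        (SERVER, CERTIFICATE_VERIFY), (SERVER, FINISHED), (CLIENT, FINISHED)],
    NEGOTIATED | WITH_CLIENT_AUTH: _START + [
        (SERVER, ENCRYPTED_EXTENSIONS), (SERVER, CERTIFICATE_REQUEST),
        (SERVER, CERTIFICATE), (SERVER, CERTIFICATE_VERIFY), (SERVER, FINISHED),
        (CLIENT, CERTIFICATE), (CLIENT, CERTIFICATE_VERIFY), (CLIENT, FINISHED)],
}


class HandshakeError(Exception):
    pass


class Handshake:
    def __init__(self, role: str, client_auth: bool = False):
        self.role, self.flags, self.index = role, INITIAL, 0
        # A server decides on client auth itself; the flag takes effect
        # together with NEGOTIATED once the ServerHello goes out.
        self.pending = WITH_CLIENT_AUTH if client_auth else 0

    def active_action(self):
        """(sender, message) at the current position, or (None, INVALID) if
        the flags select no chain or the chain is exhausted."""
        chain = TABLE.get(self.flags)
        if chain is None or self.index >= len(chain):
            return (None, INVALID)
        return chain[self.index]

    def complete(self) -> bool:
        return self.flags in TABLE and self.index == len(TABLE[self.flags])

    def send(self) -> int:
        sender, msg = self.active_action()
        if msg == INVALID or sender != self.role:
            raise HandshakeError("%s: nothing to send at index %d" % (self.role, self.index))
        self._advance(msg)
        return msg

    def recv(self, msg: int) -> None:
        # A client only learns that client auth is in play when the
        # CertificateRequest arrives; switch chains if the alternative chain
        # expects exactly that message at this position.
        if self.role == CLIENT and not self.flags & WITH_CLIENT_AUTH:
            alt = TABLE.get(self.flags | WITH_CLIENT_AUTH, [])
            if (msg == CERTIFICATE_REQUEST and self.index < len(alt)
                    and alt[self.index] == (SERVER, msg)):
                self.flags |= WITH_CLIENT_AUTH
        sender, expected = self.active_action()
        if expected == INVALID or sender == self.role or msg != expected:
            raise HandshakeError("%s: got %d, expected %d" % (self.role, msg, expected))
        self._advance(msg)

    def _advance(self, msg: int) -> None:
        self.index += 1
        if msg == SERVER_HELLO:
            self.flags |= NEGOTIATED | self.pending


def run(role: str, incoming, client_auth: bool = False):
    """Drive one side to completion: send when the chain says it is our turn,
    otherwise consume the next message in `incoming`. Returns what was sent."""
    hs, sent, inbox = Handshake(role, client_auth), [], list(incoming)
    while not hs.complete():
        sender, _ = hs.active_action()
        if sender == role:
            sent.append(hs.send())
        elif inbox:
            hs.recv(inbox.pop(0))
        else:
            raise HandshakeError("%s: peer stopped mid-handshake" % role)
    return sent


def accepts(role: str, incoming, client_auth: bool = False) -> bool:
    try:
        run(role, incoming, client_auth)
        return True
    except HandshakeError:
        return False
```

The INVALID sentinel is what turns "flags nobody wrote a chain for" from a silent index error into an explicit handshake failure; a real table also has to be checked for every reachable flag combination, which is exactly the kind of thing a regress test over TABLE can enumerate.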
|
Reported by Ben L <bobsayshilol at live dot co dot uk>
|
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@
|
ok jsing
|
ok jsing@
|
When the RFC refers to ("") for key derivation, it is referring to the
transcript hash of an empty string, not an empty string. Rename
tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD *
and calculate the hash of an empty string so that we have it available
for the "derived" and other steps. Merge tls13_secrets_init() into
the same function, remove the EVP_MD * from other functions and use the
empty string hash at the appropriate places.
ok beck@ tb@
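Added example of the key-schedule step this commit is about, in plain Python with only hashlib and hmac; it is illustration code, not LibreSSL's, and the class and function names are this example's own. HKDF-Extract, HKDF-Expand-Label and Derive-Secret are as in RFC 8446 section 7.1; the secrets object computes Hash("") once at creation, uses it as the context for "derived", and a wrong_derived() shows what feeding the literal empty string instead produces:

```python
"""TLS 1.3 key schedule steps (RFC 8446 section 7.1) showing that
Derive-Secret(., label, "") hashes the empty transcript."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, md: str) -> bytes:
    return hmac.new(salt, ikm, md).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, md: str) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), md).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes,
                      length: int, md: str) -> bytes:
    # HkdfLabel: uint16 length; opaque label<7..255>; opaque context<0..255>
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length, md)


def derive_secret(secret: bytes, label: bytes, transcript_hash: bytes, md: str) -> bytes:
    """Derive-Secret: the context is a transcript hash, never raw messages."""
    return hkdf_expand_label(secret, label, transcript_hash,
                             hashlib.new(md).digest_size, md)


class Tls13Secrets:
    """Created with the digest up front so Hash("") is computed once and
    is available for every "derived" step."""

    def __init__(self, md: str = "sha256"):
        self.md = md
        self.hlen = hashlib.new(md).digest_size
        self.zeros = bytes(self.hlen)
        self.empty_hash = hashlib.new(md, b"").digest()   # Transcript-Hash("")

    def early_secret(self, psk: bytes = None) -> bytes:
        # HKDF-Extract(salt=0, IKM=PSK or zeros)
        return hkdf_extract(self.zeros, psk if psk is not None else self.zeros, self.md)

    def derived(self, secret: bytes) -> bytes:
        # Derive-Secret(secret, "derived", "") with "" meaning Hash("").
        return derive_secret(secret, b"derived", self.empty_hash, self.md)

    def handshake_secret(self, early: bytes, ecdhe_shared: bytes) -> bytes:
        return hkdf_extract(self.derived(early), ecdhe_shared, self.md)


def wrong_derived(secrets: Tls13Secrets, secret: bytes) -> bytes:
    """The mistake the commit guards against: feeding the literal empty
    string as context instead of its hash. Interoperates with nothing."""
    return derive_secret(secret, b"derived", b"", secrets.md)


if __name__ == "__main__":
    s = Tls13Secrets("sha256")
    early = s.early_secret()
    print("early   ", early.hex())
    print("derived ", s.derived(early).hex())
    print("wrong   ", wrong_derived(s, early).hex())
```

With SHA-256 and no PSK the early secret and the "derived" secret match the values in RFC 8448 section 3, which is the quickest way to catch the empty-string mix-up: the wrong variant produces a different 32 bytes and every later secret diverges from the peer's.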
|
and "write". Use self-documenting C99 initializers.
ok bcook, jsing
|
Found the hard way by jmc@
ok tb@
|
ok jsing@
|
Add a priority list for tls 1.2
ok jsing@
|
ok tb@
|
ok tb@
|
setting it.
From Ben L <bobsayshilol () live ! co ! uk>.
|