path: root/lib/libssl
Age | Commit message | Author
2019-01-18 | copyright | Bob Beck
2019-01-18 | bump copyright years appropriately | Bob Beck
2019-01-18 | Add client side of supported versions and keyshare extensions with basic regress | Bob Beck
    ok jsing@
2019-01-18 | Expose some symbols in a new tls13_handshake.h for regression testing. | Theo Buehler
    Update the handshake state tables and flag names according to the design decisions and naming conventions in the hackroom. Garbage collect some things that turn out not to belong here. ok jsing
2019-01-18 | Remove this copy, we have decided we can do this in place | Bob Beck
    ok jsing@
2019-01-18 | Add support for RFC 8446 section 4.2 enforcing which extensions may appear with which messages. | Bob Beck
    ok jsing@
2019-01-18 | Rename TLS extension handling to use less "hello". | Joel Sing
    When the TLS extension code was rewritten, TLS extensions could only exist in ClientHello and ServerHello messages - as such, they were named in pairs of *_clienthello_{needs,build} which would be called by the client and *_clienthello_parse. Likewise for *_serverhello_{needs,build} which would be called by a server and *_serverhello_parse, which would be called by a client. Enter TLSv1.3 - TLS extensions can now exist in one of seven messages, with only certain types being allowed to appear in each, meaning the naming scheme no longer works. Instead, rename them to indicate the caller rather than the message type - this effectively means:
        clienthello_needs -> client_needs
        clienthello_build -> client_build
        clienthello_parse -> server_parse
        serverhello_needs -> server_needs
        serverhello_build -> server_build
        serverhello_parse -> client_parse
    ok beck@ tb@
2019-01-17 | Get rid of is_serverhello in preparation for other messages | Bob Beck
    ok jsing@ tb@
2019-01-17 | Provide an extensible buffer implementation that uses a read callback. | Joel Sing
    The read callback returns a TLS13_IO_* value on EOF, failure, want pollin or want pollout, or a positive value indicating the number of bytes read. This will be used by upcoming TLSv1.3 handshake message and record processing code, both of which need the ability to read a fixed size header, before extending the buffer to the number of bytes specified in the header. ok beck@ tb@
2019-01-17 | Add support to enforce restrictions on where extensions can appear as per RFC8446 section 4.2. | Bob Beck
    Recognized extensions that appear in an incorrect message must abort the handshake. ok jsing@
2019-01-17 | Add a direct copy of the extension parsing code to be modified for tls13. | Bob Beck
    At the moment this is mechanical, with the functions renamed. This will be refactored for tls13. ok jsing@
2018-12-07 | Remove an ugly hack in the client certificate verification code that works around broken GOST implementations. | Theo Buehler
    It looks like client certificates with GOST have been completely broken since reimport of the GOST code, so no-one is using LibreSSL this way. The client side was fixed only last week for TLSv1.0 and TLSv1.1. This workaround is now in the way of much needed simplification and cleanup, so it is time for it to go. suggested by and ok jsing
2018-12-03 | Send SSL_AD_DECODE alerts in the case of a bad hello request or an invalid change cipher spec. | Theo Buehler
    Found due to dead assignment warnings by the Clang static analyzer. ok inoguchi (previous version), jsing
2018-11-29 | Refactor a tangle in ssl3_send_client_verify() into one function for each type, sigalgs/rsa/ec/gost. | Theo Buehler
    Move a few special dances for GOST where they belong now. This prompted a fix for a long-standing bug with GOST client certificate authentication where tls1_transcript_data() fails since the transcript was already freed before. Add a bit of missing error checking and leave some further cleanup for later. idea, guidance & ok jsing
2018-11-21 | Fix DTLS transcript handling for HelloVerifyRequest. | Joel Sing
    If DTLS sees a HelloVerifyRequest the transcript is reset - the previous tls1_init_finished_mac() function could be called multiple times and would discard any existing state. The replacement tls1_transcript_init() is more strict and fails if a transcript already exists. Provide an explicit tls1_transcript_reset() function and call it from the appropriate places. This also lets us make DTLS less of a special snowflake and call tls1_transcript_init() in the same place as used for TLS. ok beck@ tb@
2018-11-19 | Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification. | Joel Sing
    Discussed with beck@
2018-11-19 | Revert previous - the default sigalg for RSA key exchange is {sha1,rsa}. | Joel Sing
    In TLSv1.2, if the client does not send a signature algorithms extension then for RSA key exchange a signature algorithm of {sha1,rsa} is implied. The MD5+SHA1 hash only applies to older versions of TLS, which do not support sigalgs.
2018-11-17 | Fix DTLS, because DTLS still remains a special flower, allows regress to pass | Bob Beck
2018-11-16 | revert previous | Bob Beck
2018-11-16 | Fix DTLS. Because the DTLS code is strange. I am really coming around to joel's line of thinking about it | Bob Beck
2018-11-16 | Unbreak legacy ciphers for prior to 1.1 by having a legacy sigalg for MD5_SHA1 and using it as the non sigalgs default | Bob Beck
    ok jsing@
2018-11-14 | Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@, instead of 'uint16_t' | Ricardo Mestre
    Found with llvm's static analyzer, noticed that it was also already reported in Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's equivalent code. OK tb@ and jsing@
2018-11-14 | In TLS1.2 we use evp_sha1 if we fall back this far, not evp_md5_sha1 as in 1.1 | Bob Beck
    Makes connections to outlook.office365.com work
2018-11-13 | Temporary workaround for breakage seen in www.videolan.org with curve mismatch | Bob Beck
2018-11-13 | NULL out mdctx to prevent possible double free introduced in version 1.4 | Bob Beck
    Spotted by maestre@, ok tb@
2018-11-13 | Fix pkey_ok to be less strange, and add curve checks required for the EC ones | Bob Beck
    ok tb@
2018-11-11 | Add check function to verify that pkey is usable with a sigalg. | Bob Beck
    Include check for appropriate RSA key size when used with PSS. ok tb@
2018-11-11 | quiet warning on other compilers | Brent Cook
    ok beck@
2018-11-11 | bump minors after symbol addition. | Theo Buehler
2018-11-11 | Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host(). | Theo Buehler
    Used by unbound's DNS over TLS implementation to do server name verification. ok jsing
2018-11-11 | Nuke trailing whitespace | Bob Beck
2018-11-11 | Free the server tls transcript in case session reuse did not work. | Alexander Bluhm
    Regression found by Perl module p5-IO-Socket-SSL tests. with beck@ tb@
2018-11-11 | Add support for RSA PSS algorithms being used in sigalgs. | Bob Beck
    lightly tested, but will need sanity checks and regress test changes before being added to any sigalgs list for real ok jsing@ tb@
2018-11-11 | Convert signatures and verification to use the EVP_DigestXXX api to allow for adding PSS, Nuke the now unneeded guard around the PSS algorithms in the sigalgs table | Bob Beck
    ok jsing@ tb@
2018-11-10 | Remove dead code | Bob Beck
    ok jsing@
2018-11-10 | Tweak and improve the TLSv1.3 state machine. | Joel Sing
    - Provide a tls13_handshake_active_action() function to reduce code duplication and replace tls13_handshake_get_sender().
    - Add an INVALID message_type, so we can explicitly detect invalid conditions.
    - Implement skeletons for the tls13_handshake_send_action() and tls13_handshake_recv_action() functions.
    - OR in the NEGOTIATED value at the end of recving or sending a server hello so that we switch to the next chain in the state table.
    ok tb@
2018-11-10 | Avoid a double allocation and memory leak. | Joel Sing
    Reported by Ben L <bobsayshilol at live dot co dot uk>
2018-11-10 | Stop keeping track of sigalgs by guessing it from digest and pkey, just keep the sigalg around so we can remember what we actually decided to use. | Bob Beck
    ok jsing@
2018-11-10 | Use TLS13_HS_{CLIENT,SERVER} instead of using a redundant _SEND{,S}. | Theo Buehler
    ok jsing
2018-11-10 | Fix last of the empty hash nonsense | Bob Beck
    ok jsing@
2018-11-09 | Fix the TLSv1.3 key schedule implementation. | Joel Sing
    When the RFC refers to ("") for key derivation, it is referring to the transcript hash of an empty string, not an empty string. Rename tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD * and calculate the hash of an empty string so that we have it available for the "derived" and other steps. Merge tls13_secrets_init() into the same function, remove the EVP_MD * from other functions and use the empty string hash at the appropriate places. ok beck@ tb@
2018-11-09 | Use "send" and "recv" consistently instead of mixing them with "read" and "write". | Theo Buehler
    Use self-documenting C99 initializers. ok bcook, jsing
2018-11-09 | Ensure we free the handshake transcript upon session resumption. | Joel Sing
    Found the hard way by jmc@ ok tb@
2018-11-09 | Ensure we only choose sigalgs from our preference list, not the whole list | Bob Beck
    ok jsing@
2018-11-09 | Add the ability to have a separate priority list for sigalgs. | Bob Beck
    Add a priority list for tls 1.2 ok jsing@
2018-11-09 | Correct defines for writer tests in connect/accept loops. | Joel Sing
    ok tb@
2018-11-09 | Correct function naming for tls13_handshake_advance_state_machine(). | Joel Sing
    ok tb@
2018-11-09 | Avoid leak: free existing SRTP connection profiles before setting it. | Theo Buehler
    From Ben L <bobsayshilol () live ! co ! uk>.
2018-11-09 | Add header guards and hidden declarations. | Joel Sing
2018-11-09 | Add header guards and hidden declarations. | Joel Sing