- 03 2月, 2018 3 次提交
-
-
由 Tatsuhiro Tsujikawa 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4944)
-
由 Tatsuhiro Tsujikawa 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4944)
-
由 Tatsuhiro Tsujikawa 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4944)
-
- 02 2月, 2018 3 次提交
-
-
由 Todd Short 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4964)
-
由 Todd Short 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4964)
-
由 Todd Short 提交于
Add SSL_verify_client_post_handshake() for servers to initiate PHA Add SSL_force_post_handshake_auth() for clients that don't have certificates initially configured, but use a certificate callback. Update SSL_CTX_set_verify()/SSL_set_verify() mode: * Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after the initial handshake. * Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless of when the certificate authentication takes place; either initial handshake, re-negotiation, or post-handshake authentication. Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options Add support to s_client: * Enabled automatically when cert is configured * Can be forced enabled via -force_pha Add support to s_server: * Use 'c' to invoke PHA in s_server * Remove some dead code Update documentation Update unit tests: * Illegal use of PHA extension * TLSv1.3 certificate tests DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is implemented, it's PHA support state machine may need to be different. Add a TODO and a #error Update handshake context to deal with PHA. The handshake context for TLSv1.3 post-handshake auth is up through the ClientFinish message, plus the CertificateRequest message. Subsequent Certificate, CertificateVerify, and Finish messages are based on this handshake context (not the Certificate message per se, but it's included after the hash). KeyUpdate, NewSessionTicket, and prior Certificate Request messages are not included in post-handshake authentication. After the ClientFinished message is processed, save off the digest state for future post-handshake authentication. When post-handshake auth occurs, copy over the saved handshake context into the "main" handshake digest. This effectively discards the any KeyUpdate or NewSessionTicket messages and any prior post-handshake authentication. This, of course, assumes that the ID-22 did not mean to include any previous post-handshake authentication into the new handshake transcript. This is implied by section 4.4.1 that lists messages only up to the first ClientFinished. Reviewed-by: NBen Kaduk <kaduk@mit.edu> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4964)
-
- 01 2月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
In a few places we sent an internal_error alert instead of a decode_error. Fixes #5213 Fixes #5214 Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5219)
-
- 30 1月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
If a server receives an unexpected ClientHello then we may or may not accept it. Make sure all such decisions are made in the state machine and not in the record layer. This also removes a disparity between the TLS and the DTLS code. The TLS code was making this decision in the record layer, while the DTLS code was making it later. Finally it also solves a problem where a warning alert was being sent during tls_setup_handshake() and the function was returning a failure return code. This is problematic because it can be called from a transition function - which we only allow fatal errors to occur in. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5190)
-
- 29 1月, 2018 1 次提交
-
-
由 Kurt Roeckx 提交于
Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/4752)
-
- 26 1月, 2018 5 次提交
-
-
由 Benjamin Kaduk 提交于
The latest TLS 1.3 draft split the RSA-PSS signature schemes into two versions that indicate the OID of the RSA key being used. This forced us to rename the preprocessor defines for the sigalg values, and the ssl-trace code was not adopted to match, since it was not enabled int the default build. Belatedly update the ssl_sigalg_tbl in the trace code to match. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5174)
-
由 Benjamin Kaduk 提交于
The check for a duplicate value was reading one entry past where it was supposed to, getting an uninitialized value. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5172)
-
由 Benjamin Kaduk 提交于
The new extension is like signature_algorithms, but only for the signature *on* the certificate we will present to the peer (the old signature_algorithms extension is still used for signatures that we *generate*, i.e., those over TLS data structures). We do not need to generate this extension, since we are the same implementation as our X.509 stack and can handle the same types of signatures, but we need to be prepared to receive it, and use the received information when selecting what certificate to present. There is a lot of interplay between signature_algorithms_cert and signature_algorithms, since both affect what certificate we can use, and thus the resulting signature algorithm used for TLS messages. So, apply signature_algorithms_cert (if present) as a filter on what certificates we can consider when choosing a certificate+sigalg pair. As part of this addition, we also remove the fallback code that let keys of type EVP_PKEY_RSA be used to generate RSA-PSS signatures -- the new rsa_pss_pss_* and rsa_pss_rsae_* signature schemes have pulled the key type into what is covered by the signature algorithm, so we should not apply this sort of compatibility workaround. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5068)
-
由 Benjamin Kaduk 提交于
Our historical SSL{,_CTX}_set_sigalgs() APIs take an array of NID pairs (hash and signature), and our parser for manually specifying unified sigalgs (that do not necessarily correspond to an actual signature+hash pair) was transiting via (the implementation of) this historical API. The TLS 1.3 draft-23 has introduced signature schemes that have identical signature type and hash type, differing only in the (RSA) public key OID, which prevents the rsa_pss_pss_* schemes from being properly identified and sent on the wire. To fix the issue, parse sigalg strings directly into SIGALG_LOOKUP objects, and pass around an array of uint16 wire protocol values instead of NID pairs. The old interface is retained for API compatibility but will become less and less useful with time. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5068)
-
由 Benjamin Kaduk 提交于
We now have a split in the signature algorithms codepoint space for whether the certificate's key is for rsaEncryption or a PSS-specific key, which should let us get rid of some special-casing that we previously needed to try to coax rsaEncryption keys into performing PSS. (This will be done in a subsequent commit.) Send the new PSS-with-PSS-specific key first in our list, so that we prefer the new technology to the old one. We need to update the expected certificate type in one test, since the "RSA-PSS+SHA256" form now corresponds to a public key of type rsaEncryption, so we should expect the server certificate type to be just "RSA". If we want to get a server certificate type of "RSA-PSS", we need to use a new signature algorithm that cannot be represented as signature+hash, so add a test for that as well. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5068)
-
- 25 1月, 2018 9 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4435)
-
由 Matt Caswell 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4435)
-
由 Matt Caswell 提交于
Probably this is the CCS between the first and second ClientHellos. It should be ignored. Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4435)
-
由 Matt Caswell 提交于
Fixes some bugs identified during testing. Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4435)
-
由 Matt Caswell 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4435)
-
由 Matt Caswell 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4435)
-
由 Matt Caswell 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4435)
-
由 Matt Caswell 提交于
This enables sending and receiving of the TLSv1.3 cookie on the server side as appropriate. Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4435)
-
由 Matt Caswell 提交于
This just adds the various extension functions. More changes will be required to actually use them. Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4435)
-
- 23 1月, 2018 1 次提交
-
-
由 Rich Salz 提交于
Thanks to David Vernet for reporting this. Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5140)
-
- 19 1月, 2018 1 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/5110)
-
- 11 1月, 2018 1 次提交
-
-
由 Patrick Schlangen 提交于
The data argument of SSL_dane_tlsa_add is used read-only, so it should be const. Reviewed-by: NViktor Dukhovni <viktor@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5056)
-
- 10 1月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
In the case of a protocol version alert being sent by a peer the record version number may not be what we are expecting. In DTLS records with an unexpected version number are silently discarded. This probably isn't appropriate for alerts, so we tolerate a mismatch in the minor version number. This resolves an issue reported on openssl-users where an OpenSSL server chose DTLS1.0 but the client was DTLS1.2 only and sent a protocol_version alert with a 1.2 record number. This was silently ignored by the server. Reviewed-by: NViktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5018)
-
- 09 1月, 2018 4 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5038)
-
由 Tomas Mraz 提交于
This avoids situations where third party client is unable to recognize that the client certificate was issued by the same CA with name differring only by case or insignificant characters. Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4731)
-
由 Noah Robbin 提交于
Extract the RSA key using EVP_PKEY_get0. Type is checked externally to be either EVP_PKEY_RSA_PSS or EVP_PKEY_RSA. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4389)
-
由 Noah Robbin 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4389)
-
- 06 1月, 2018 1 次提交
-
-
由 Bernd Edlinger 提交于
Add comments to no longer usable ciphers. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5023)
-
- 03 1月, 2018 1 次提交
-
-
由 Benjamin Kaduk 提交于
Although this is forbidden by all three(!) relevant specifications, there seem to be multiple server implementations in the wild that send it. Since we didn't check for unexpected extensions in any given message type until TLS 1.3 support was added, our previous behavior was to silently accept these extensions and pass them over to the custom extension callback (if any). In order to avoid regression of functionality, relax the check for "extension in unexpected context" for this specific case, but leave the protocol enforcment mechanism unchanged for other extensions and in other extension contexts. Leave a detailed comment to indicate what is going on. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4463)
-
- 02 1月, 2018 2 次提交
-
-
由 Matt Caswell 提交于
A TLSv1.3 Certificate Request message was issuing a "Message length parse error" using the -trace option to s_server/s_client. Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/5008)
-
由 Daniel Bevenius 提交于
Similar to commit 17b60280( "Remove extra `the` in SSL_SESSION_set1_id.pod"), this commit removes typos where additional 'the' have been added. Reviewed-by: NAndy Polyakov <appro@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4999)
-
- 29 12月, 2017 2 次提交
-
-
由 Matt Caswell 提交于
We don't keep track of the number of bytes written between in the SSL_write_ex() call and the subsequent flush. If the flush needs to be retried then we will have forgotten how many bytes actually got written. The simplest solution is to just disable it for this scenario. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4802)
-
由 Matt Caswell 提交于
We'd like the first bit of early_data and the ClientHello to go in the same TCP packet if at all possible to enable things like TCP Fast Open. Also, if you're only going to send one block of early data then you also don't need to worry about TCP_NODELAY. Fixes #4783 Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4802)
-
- 27 12月, 2017 1 次提交
-
-
由 Bernd Edlinger 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4981)
-
- 26 12月, 2017 1 次提交
-
-
由 Paul Yang 提交于
Variables n, d, p are no longer there. [skip ci] Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4894)
-
- 18 12月, 2017 1 次提交
-
-
由 Dr. Matthias St. Pierre 提交于
A third shared DRBG is added, the so called master DRBG. Its sole purpose is to reseed the two other shared DRBGs, the public and the private DRBG. The randomness for the master DRBG is either pulled from the os entropy sources, or added by the application using the RAND_add() call. The master DRBG reseeds itself automatically after a given number of generate requests, but can also be reseeded using RAND_seed() or RAND_add(). A reseeding of the master DRBG is automatically propagated to the public and private DRBG. This construction fixes the problem, that up to now the randomness provided by RAND_add() was added only to the public and not to the private DRBG. Signed-off-by: NDr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NKurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/4402)
-