- 22 8月, 2018 2 次提交
-
-
由 Matt Caswell 提交于
We need to ensure that the min-max version range we use when constructing the ClientHello is the same range we use when we validate the version selected by the ServerHello. Otherwise this may appear as a fallback or downgrade. Fixes #6964 Reviewed-by: NViktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7013)
-
由 Tomas Mraz 提交于
The TLS-1.3 ciphersuites must not be blocked by @SECLEVEL=3 even though they are not explicitly marked as using DH/ECDH. Reviewed-by: NKurt Roeckx <kurt@roeckx.be> Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6959)
-
- 20 8月, 2018 2 次提交
-
-
由 Matt Caswell 提交于
We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX equivalent. Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6938)
-
由 Matt Caswell 提交于
Having post handshake auth automatically switched on breaks some applications written for TLSv1.2. This changes things so that an explicit function call is required for a client to indicate support for post-handshake auth. Fixes #6933. Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6938)
-
- 15 8月, 2018 2 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6741)
-
由 Matt Caswell 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6741)
-
- 14 8月, 2018 1 次提交
-
-
由 Dmitry Yakovlev 提交于
To avoid crash (same as #5138 fixed in 44f23cd2) CLA: trivial Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6937)
-
- 09 8月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
A client that has fallen back could detect an inappropriate fallback if the TLSv1.3 downgrade protection sentinels are present. Fixes #6756 Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6894)
-
- 08 8月, 2018 4 次提交
-
-
由 Matt Caswell 提交于
At certain points in the handshake we could receive either a plaintext or an encrypted alert from the client. We should tolerate both where appropriate. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6887)
-
由 Matt Caswell 提交于
If we sent early_data and then received back an HRR, the enc_write_ctx was stale resulting in errors if an alert needed to be sent. Thanks to Quarkslab for reporting this. In any case it makes little sense to encrypt alerts using the client_early_traffic_secret, so we add special handling for alerts sent after early_data. All such alerts are sent in plaintext. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6887)
-
由 Matt Caswell 提交于
Under certain error conditions a call to SSLfatal could accidently be missed. Reviewed-by: NBen Kaduk <kaduk@mit.edu> Reviewed-by: NAndy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6872)
-
由 Rich Salz 提交于
Thanks to GitHub user zsergey105 for reporting this. Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6875)
-
- 07 8月, 2018 2 次提交
-
-
由 Andy Polyakov 提交于
Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786)
-
由 Andy Polyakov 提交于
In some cases it's about redundant check for return value, in some cases it's about replacing check for -1 with comparison to 0. Otherwise compiler might generate redundant check for <-1. [Even formatting and readability fixes.] Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6860)
-
- 06 8月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
In some scenarios the connection could fail without an alert being sent. This causes a later assertion failure. Thanks to Quarkslab for reporting this. Reviewed-by: NAndy Polyakov <appro@openssl.org> Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/6852)
-
- 31 7月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
Ensure that the certificate required alert actually gets sent (and doesn't get translated into handshake failure in TLSv1.3). Ensure that proper reason codes are given for the new TLSv1.3 alerts. Remove an out of date macro for TLS13_AD_END_OF_EARLY_DATA. This is a left over from an earlier TLSv1.3 draft that is no longer used. Fixes #6804 Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6809)
-
- 27 7月, 2018 1 次提交
-
-
由 Benjamin Kaduk 提交于
Commit 1c4aa31d changed how we process and store SNI information during the handshake, so that a hostname is only saved in the SSL_SESSION structure if that SNI value has actually been negotiated. SSL_get_servername() was adjusted to match, with a new conditional being added to handle the case when the handshake processing is ongoing, and a different location should be consulted for the offered SNI value. This was done in an attempt to preserve the historical behavior of SSL_get_servername(), a function whose behavior only mostly matches its documentation, and whose documentation is both lacking and does not necessarily reflect the actual desired behavior for such an API. Unfortunately, sweeping changes that would bring more sanity to this space are not possible until OpenSSL 1.2.0, for ABI compatibility reasons, so we must attempt to maintain the existing behavior to the extent possible. The above-mentioned commit did not take into account the behavior of SSL_get_servername() during resumption handshakes for TLS 1.2 and prior, where no SNI negotiation is performed. In that case we would not properly parse the incoming SNI and erroneously return NULL as the servername, when instead the logical session is associated with the SNI value cached in the SSL_SESSION. (Note that in some cases an SNI callback may not need to do anything in a TLS 1.2 or prior resumption flow, but we are calling the callbacks and did not provide any guidance that they should no-op if the connection is being resumed, so we must handle this case in a usable fashion.) Update our behavior accordingly to return the session's cached value during the handshake, when resuming. This fixes the boringssl tests. [extended tests] Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6792)
-
- 20 7月, 2018 4 次提交
-
-
由 Benjamin Kaduk 提交于
The API used to set what SNI value to send in the ClientHello can also be used on server SSL objects, with undocumented and un-useful behavior. Unfortunately, when generic SSL_METHODs are used, s->server is still set, prior to the start of the handshake, so we cannot prevent this nonsensical usage at the present time. Leave a note to revisit this when ABI-breaking changes are permitted. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6378)
-
由 Benjamin Kaduk 提交于
In particular, adhere to the rule that we must not modify any property of an SSL_SESSION object once it is (or might be) in a session cache. Such modifications are thread-unsafe and have been observed to cause crashes at runtime. To effect this change, standardize on the property that SSL_SESSION->ext.hostname is set only when that SNI value has been negotiated by both parties for use with that session. For session resumption this is trivially the case, so only new handshakes are affected. On the client, the new semantics are that the SSL->ext.hostname is for storing the value configured by the caller, and this value is used when constructing the ClientHello. On the server, SSL->ext.hostname is used to hold the value received from the client. Only if the SNI negotiation is successful will the hostname be stored into the session object; the server can do this after it sends the ServerHello, and the client after it has received and processed the ServerHello. This obviates the need to remove the hostname from the session object in case of failed negotiation (a change that was introduced in commit 9fb6cb81 in order to allow TLS 1.3 early data when SNI was present in the ClientHello but not the session being resumed), which was modifying cached sessions in certain cases. (In TLS 1.3 we always produce a new SSL_SESSION object for new connections, even in the case of resumption, so no TLS 1.3 handshakes were affected.) Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6378)
-
由 Benjamin Kaduk 提交于
These tiny functions only read from the input SSL, and we are about to use them from functions that only have a const SSL* available, so propagate const a bit further. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6378)
-
由 Matt Caswell 提交于
The spec says that a client MUST set legacy_version to TLSv1.2, and requires servers to verify that it isn't SSLv3. Fixes #6600 Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6747)
-
- 19 7月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
It is not valid to send early_data after an HRR has been received. Fixes #6734 Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6737)
-
- 18 7月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
Using the rsa_pss_rsae_sha256 sig alg should imply that the key OID is rsaEncryption. Similarly rsa_pss_pss_sha256 implies the key OID is rsassaPss. However we did not check this and incorrectly tolerated a key OID that did not match the sig alg sent by the peer. Fixes #6611 Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6732)
-
- 17 7月, 2018 3 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6724)
-
由 Matt Caswell 提交于
Previously we were failing to issue new tickets if a resumption attempt failed. Fixes #6654 Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6722)
-
由 Matt Caswell 提交于
If we issue new tickets due to post-handshake authentication there is no reason to remove previous tickets from the cache. The code that did that only removed the last session anyway - so if more than one ticket got issued then those other tickets are still valid. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6722)
-
- 14 7月, 2018 3 次提交
-
-
由 Matt Caswell 提交于
Check that we are either configured for PSK, or that we have a TLSv1.3 capable certificate type. DSA certs can't be used in TLSv1.3 and we don't (currently) allow GOST ones either (owing to the lack of standard sig algs). Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6650)
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6650)
-
由 Matt Caswell 提交于
Fixes #6513 Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6650)
-
- 06 7月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
Previoulsy we just had max_early_data which controlled both the value of max early_data that we advertise in tickets *and* the amount of early_data that we are willing to receive from clients. This doesn't work too well in the case where we want to reduce a previously advertised max_early_data value. In that case clients with old, stale tickets may attempt to send us more early data than we are willing to receive. Instead of rejecting the early data we abort the connection if that happens. To avoid this we introduce a new "recv_max_early_data" value. The old max_early_data becomes the value that is advertised in tickets while recv_max_early_data is the maximum we will tolerate from clients. Fixes #6647 Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6655)
-
- 03 7月, 2018 2 次提交
-
-
由 Matt Caswell 提交于
Tickets are supposed to be single use so we remove them from the cache on use. Fixes #6377 Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6601)
-
由 Matt Caswell 提交于
In TLSv1.2 and below we should remove an old session from the client session cache in the event that we receive a new session ticket from the server. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6601)
-
- 02 7月, 2018 5 次提交
-
-
由 Matt Caswell 提交于
This also adds the ability to control this through s_server Reviewed-by: NViktor Dukhovni <viktor@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6469)
-
由 Matt Caswell 提交于
Reviewed-by: NViktor Dukhovni <viktor@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6469)
-
由 Matt Caswell 提交于
Fixes #6389 Reviewed-by: NViktor Dukhovni <viktor@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6469)
-
由 Matt Caswell 提交于
Fixes #6574 Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6593)
-
由 Benjamin Kaduk 提交于
We need to check the provided SSL_SESSION* for NULL before attempting to derference it to see if it's a TLS 1.3 session. Reviewed-by: NKurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6622)
-
- 29 6月, 2018 1 次提交
-
-
由 Pauli 提交于
In ssl/t1_lib.c. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6613)
-
- 27 6月, 2018 2 次提交
-
-
由 Matt Caswell 提交于
Currently if you encounter application data while waiting for a close_notify from the peer, and you have called SSL_shutdown() then you will get a -1 return (fatal error) and SSL_ERROR_SYSCALL from SSL_get_error(). This isn't accurate (it should be SSL_ERROR_SSL) and isn't persistent (you can call SSL_shutdown() again and it might then work). We change this into a proper fatal error that is persistent. Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: NKurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6340)
-
由 Matt Caswell 提交于
In the case where we are shutdown for writing and awaiting a close_notify back from a subsequent SSL_shutdown() call we skip over handshake data that is received. This should not be treated as an error - instead it should be signalled with SSL_ERROR_WANT_READ. Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: NKurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6340)
-