- 11 1月, 2017 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2157)
-
- 10 1月, 2017 2 次提交
-
-
由 Rich Salz 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2052)
-
由 Rich Salz 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2052)
-
- 06 1月, 2017 6 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2020)
-
由 Matt Caswell 提交于
al can be used uninitialised in an error path. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2020)
-
由 Matt Caswell 提交于
We remove the separate CertificateStatus message for TLSv1.3, and instead send back the response in the appropriate Certificate message extension. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2020)
-
由 Matt Caswell 提交于
Also updates TLSProxy to be able to understand the format and parse the contained extensions. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2020)
-
由 Matt Caswell 提交于
Continuing from the previous commit we also need to extend the extensions framework to supply the Certificate we just read during parsing. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2020)
-
由 Matt Caswell 提交于
The Certificate message in TLS1.3 has an extensions block for each Certificate. Therefore we need to extend tls_construct_extensions() to pass in the certificate we are working on. We also pass in the position in the chain (with 0 being the first certificate). Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2020)
-
- 20 12月, 2016 1 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2116)
-
- 09 12月, 2016 10 次提交
-
-
由 Kurt Roeckx 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> GH: #2050
-
由 Matt Caswell 提交于
Travis was indicating a bogus uninit var warning. This fixes it. Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich Salz Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
The existing code used the magic number -1 to represent the absence of a status_type in the extension. This commit replaces it with a macro. Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich Salz Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich Salz Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
When we call tls_collect_extensions() we need to free up the raw extensions data later. Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich Salz Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
In TLS1.3 some ServerHello extensions remain in the ServerHello, while others move to the EncryptedExtensions message. This commit performs that move. Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich Salz Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich Salz Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich Salz Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
At this stage the message is just empty. We need to fill it in with extension data. Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich Salz Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
There are some minor differences in the format of a ServerHello in TLSv1.3. Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich Salz Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 24 11月, 2016 2 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Don't use what is in supported_versions for the RSA pre-master Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 23 11月, 2016 6 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
In one case we weren't always sending an unexpected message alert if we don't get what we expect. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
There is a set of miscellaneous processing for OCSP, CT etc at the end of the ServerDone processing. In TLS1.3 we don't have a ServerDone, so this needs to move elsewhere. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
This is a major overhaul of the TLSv1.3 state machine. Currently it still looks like TLSv1.2. This commit changes things around so that it starts to look a bit less like TLSv1.2 and bit more like TLSv1.3. After this commit we have: ClientHello + key_share ----> ServerHello +key_share {CertificateRequest*} {Certificate*} {CertificateStatus*} <---- {Finished} {Certificate*} {CertificateVerify*} {Finished} ----> [ApplicationData] <---> [Application Data] Key differences between this intermediate position and the final TLSv1.3 position are: - No EncryptedExtensions message yet - No server side CertificateVerify message yet - CertificateStatus still exists as a separate message - A number of the messages are still in the TLSv1.2 format - Still running on the TLSv1.2 record layer Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
TLSv1.3 has a NewSessionTicket message, but it is *completely* different to the TLSv1.2 one and may as well have been called something else. This commit removes the old style NewSessionTicket from TLSv1.3. We will have to add the new style one back in later. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 16 11月, 2016 2 次提交
-
-
由 Matt Caswell 提交于
Numerous style issues as well as references to TLS1_3_VERSION instead of SSL_IS_TLS13(s) Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
The previous commits put in place the logic to exchange key_share data. We now need to do something with that information. In <= TLSv1.2 the equivalent of the key_share extension is the ServerKeyExchange and ClientKeyExchange messages. With key_share those two messages are no longer necessary. The commit removes the SKE and CKE messages from the TLSv1.3 state machine. TLSv1.3 is completely different to TLSv1.2 in the messages that it sends and the transitions that are allowed. Therefore, rather than extend the existing <=TLS1.2 state transition functions, we create a whole new set for TLSv1.3. Intially these are still based on the TLSv1.2 ones, but over time they will be amended. The new TLSv1.3 transitions remove SKE and CKE completely. There's also some cleanup for some stuff which is not relevant to TLSv1.3 and is easy to remove, e.g. the DTLS support (we're not doing DTLSv1.3 yet) and NPN. I also disable EXTMS for TLSv1.3. Using it was causing some added complexity, so rather than fix it I removed it, since eventually it will not be needed anyway. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 10 11月, 2016 3 次提交
-
-
由 Matt Caswell 提交于
Added some TODOs, refactored a couple of things and added a SSL_IS_TLS13() macro. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 08 11月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
This partially reverts commit c636c1c4. It also tweaks the documentation and comments in this area. On the client side the documented interface for SSL_CTX_set_verify()/SSL_set_verify() is that setting the flag SSL_VERIFY_PEER causes verfication of the server certificate to take place. Previously what was implemented was that if *any* flag was set then verification would take place. The above commit improved the semantics to be as per the documented interface. However, we have had a report of at least one application where an application was incorrectly using the interface and used *only* SSL_VERIFY_FAIL_IF_NO_PEER_CERT on the client side. In OpenSSL prior to the above commit this still caused verification of the server certificate to take place. After this commit the application silently failed to verify the server certificate. Ideally SSL_CTX_set_verify()/SSL_set_verify() could be modified to indicate if invalid flags were being used. However these are void functions! The simplest short term solution is to revert to the previous behaviour which at least means we "fail closed" rather than "fail open". Thanks to Cory Benfield for reporting this issue. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 04 11月, 2016 6 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-