Commit graph

396 commits

Author SHA1 Message Date
Matt Caswell
ec15acb6bc Construct the client side psk extension for TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:19 +00:00
Matt Caswell
c7f47786a5 Move state machine knowledge out of the record layer
The record layer was making decisions that should really be left to the
state machine around unexpected handshake messages that are received after
the initial handshake (i.e. renegotiation related messages). This commit
removes that code from the record layer and updates the state machine
accordingly. This simplifies the state machine and paves the way for
handling other messages post-handshake such as the NewSessionTicket in
TLSv1.3.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:17:00 +00:00
Matt Caswell
0386aad1ab Remove use of the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag
This flag is never set by anything so remove it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 09:36:55 +00:00
Rich Salz
1ed327f7df Review comments
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2052)
2017-01-09 22:26:47 -05:00
Rich Salz
aff8c126fd Move extension data into sub-structs
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2052)
2017-01-09 22:26:47 -05:00
Matt Caswell
92760c21e6 Update state machine to be closer to TLS1.3
This is a major overhaul of the TLSv1.3 state machine. Currently it still
looks like TLSv1.2. This commit changes things around so that it starts
to look a bit less like TLSv1.2 and bit more like TLSv1.3.

After this commit we have:

ClientHello
+ key_share          ---->
                           ServerHello
                           +key_share
                           {CertificateRequest*}
                           {Certificate*}
                           {CertificateStatus*}
                     <---- {Finished}
{Certificate*}
{CertificateVerify*}
{Finished}           ---->
[ApplicationData]    <---> [Application Data]

Key differences between this intermediate position and the final TLSv1.3
position are:
- No EncryptedExtensions message yet
- No server side CertificateVerify message yet
- CertificateStatus still exists as a separate message
- A number of the messages are still in the TLSv1.2 format
- Still running on the TLSv1.2 record layer

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:21 +00:00
Matt Caswell
0f1e51ea11 Start using the key_share data to derive the PMS
The previous commits put in place the logic to exchange key_share data. We
now need to do something with that information. In <= TLSv1.2 the equivalent
of the key_share extension is the ServerKeyExchange and ClientKeyExchange
messages. With key_share those two messages are no longer necessary.

The commit removes the SKE and CKE messages from the TLSv1.3 state machine.
TLSv1.3 is completely different to TLSv1.2 in the messages that it sends
and the transitions that are allowed. Therefore, rather than extend the
existing <=TLS1.2 state transition functions, we create a whole new set for
TLSv1.3. Intially these are still based on the TLSv1.2 ones, but over time
they will be amended.

The new TLSv1.3 transitions remove SKE and CKE completely. There's also some
cleanup for some stuff which is not relevant to TLSv1.3 and is easy to
remove, e.g. the DTLS support (we're not doing DTLSv1.3 yet) and NPN.

I also disable EXTMS for TLSv1.3. Using it was causing some added
complexity, so rather than fix it I removed it, since eventually it will not
be needed anyway.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Richard Levitte
b612799a80 Revert "Remove heartbeats completely"
Done too soon, this is for future OpenSSL 1.2.0

This reverts commit 6c62f9e163.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-15 14:53:33 +01:00
Richard Levitte
6c62f9e163 Remove heartbeats completely
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1669)
2016-11-15 10:45:21 +01:00
Richard Levitte
e72040c1dc Remove heartbeat support
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1669)
2016-11-13 16:24:02 -05:00
Matt Caswell
de4d764e32 Rename the Elliptic Curves extension to supported_groups
This is a skin deep change, which simply renames most places where we talk
about curves in a TLS context to groups. This is because TLS1.3 has renamed
the extension, and it can now include DH groups too. We still only support
curves, but this rename should pave the way for a future extension for DH
groups.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-10 15:05:36 +00:00
Matt Caswell
54105ddd23 Rename all "read" variables with "readbytes"
Travis is reporting one file at a time shadowed variable warnings where
"read" has been used. This attempts to go through all of libssl and replace
"read" with "readbytes" to fix all the problems in one go.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
348240c676 Fix misc size_t issues causing Windows warnings in 64 bit
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
8b0e934afb Fix some missed size_t updates
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
6db6bc5a8f Convert some libssl local functions to size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
8c1a534305 Convert master_secret_size code to size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
7ee8627f6e Convert libssl writing for size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
eda757514e Further libssl size_t-ify of reading
Writing still to be done

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
582a17d662 Add the SSL_METHOD for TLSv1.3 and all other base changes required
Includes addition of the various options to s_server/s_client. Also adds
one of the new TLS1.3 ciphersuites.

This isn't "real" TLS1.3!! It's identical to TLS1.2 apart from the protocol
and the ciphersuite...and the ciphersuite is just a renamed TLS1.2 one (not
a "real" TLS1.3 ciphersuite).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-02 13:08:21 +00:00
Matt Caswell
4a01c59f36 Harmonise setting the header and closing construction
Ensure all message types work the same way including CCS so that the state
machine doesn't need to know about special cases. Put all the special logic
into ssl_set_handshake_header() and ssl_close_construct_packet().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-03 16:25:48 +01:00
Matt Caswell
a29fa98ceb Rename ssl_set_handshake_header2()
ssl_set_handshake_header2() was only ever a temporary name while we had
to have ssl_set_handshake_header() for code that hadn't been converted to
WPACKET yet. No code remains that needed that so we can rename it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-02 20:25:57 +01:00
Matt Caswell
e2726ce64d Remove ssl_set_handshake_header()
Remove the old ssl_set_handshake_header() implementations. Later we will
rename ssl_set_handshake_header2() to ssl_set_handshake_header().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-02 20:25:57 +01:00
Matt Caswell
28ff8ef3f7 Convert CertificateRequest construction to WPACKET
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 14:52:55 +01:00
Matt Caswell
150e298551 Delete some unneeded code
Some functions were being called from both code that used WPACKETs and code
that did not. Now that more code has been converted to use WPACKETs some of
that duplication can be removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 10:06:46 +01:00
Matt Caswell
08029dfa03 Convert WPACKET_put_bytes to use convenience macros
All the other functions that take an argument for the number of bytes
use convenience macros for this purpose. We should do the same with
WPACKET_put_bytes().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-20 14:47:44 +01:00
Matt Caswell
de451856f0 Address WPACKET review comments
A few style tweaks here and there. The main change is that curr and
packet_len are now offsets into the buffer to account for the fact that
the pointers can change if the buffer grows. Also dropped support for the
WPACKET_set_packet_len() function. I thought that was going to be needed
but so far it hasn't been. It doesn't really work any more due to the
offsets change.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Matt Caswell
0217dd19c0 Move from explicit sub-packets to implicit ones
No need to declare an explicit sub-packet. Just start one.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Matt Caswell
ae2f7b37da Rename PACKETW to WPACKET
To avoid confusion with the read PACKET structure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Matt Caswell
2c7b4dbc1a Convert tls_construct_client_hello() to use PACKETW
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Rich Salz
ef28891bab Put DES into "not default" category.
Add CVE to CHANGES

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-08-24 14:05:52 +01:00
Rich Salz
d33726b92e To avoid SWEET32 attack, move 3DES to weak
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-08-24 14:05:52 +01:00
Emilia Kasper
a230b26e09 Indent ssl/
Run util/openssl-format-source on ssl/

Some comments and hand-formatted tables were fixed up
manually by disabling auto-formatting.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-18 14:02:29 +02:00
Remi Gacogne
fddfc0afc8 Add missing session id and tlsext_status accessors
* SSL_SESSION_set1_id()
 * SSL_SESSION_get0_id_context()
 * SSL_CTX_get_tlsext_status_cb()
 * SSL_CTX_get_tlsext_status_arg()

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-17 10:38:20 +01:00
Dr. Stephen Henson
0a699a0723 Fix no-ec
Fix no-ec builds by having separate functions to create keys based on
an existing EVP_PKEY and a curve id.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-15 14:07:33 +01:00
Dr. Stephen Henson
ec24630ae2 Modify TLS support for new X25519 API.
When handling ECDH check to see if the curve is "custom" (X25519 is
currently the only curve of this type) and instead of setting a curve
NID just allocate a key of appropriate type.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-13 14:11:05 +01:00
David Woodhouse
387cf21345 Fix cipher support for DTLS1_BAD_VER
Commit 3eb2aff40 ("Add support for minimum and maximum protocol version
supported by a cipher") disabled all ciphers for DTLS1_BAD_VER.

That wasn't helpful. Give them back.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-04 20:56:23 +01:00
Dr. Stephen Henson
52eede5a97 Sanity check in ssl_get_algorithm2().
RT#4600

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-20 00:09:46 +01:00
Matt Caswell
0907d7105c Split out PSK preamble and RSA from process CKE code
The tls_process_client_key_exchange() function is far too long. This
splits out the PSK preamble processing, and the RSA processing into
separate functions.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-18 22:55:07 +01:00
FdaSilvaYY
3c82e437bb Add checks on sk_TYPE_push() returned result
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-23 14:03:29 +01:00
Matt Caswell
30b967651c Add SSL_CTX_get_tlsext_status_type()
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-07 17:05:52 +01:00
Matt Caswell
93a9d5975e Return the value of tlsext_status_type in the return not arg
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-07 17:05:52 +01:00
Alessandro Ghedini
4300aaf351 Add SSL_get_tlsext_status_type() method
The tlsext_status_type field in SSL is used by e.g. OpenResty to determine
if the client requested the certificate status, but SSL is now opaque.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-07 17:05:52 +01:00
Rich Salz
846e33c729 Copyright consolidation 01/10
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-05-17 14:19:19 -04:00
Kurt Roeckx
d139723b0e session tickets: use more sizeof
Reviewed-by: Matt Caswell <matt@openssl.org>

MR: #2153
2016-05-16 20:43:20 +02:00
TJ Saunders
4e2e1ec9d5 session tickets: Use sizeof() for the various fields
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>

GH: #515, MR: #2153
2016-05-16 20:42:21 +02:00
jfigus
ba261f718b Propagate tlsext_status_type from SSL_CTX to SSL
To allow OCSP stapling to work with libcurl.

Github PR #200

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-16 14:42:30 +01:00
Dmitry Belyavsky
48c16012e7 Don't use GOST ciphersuites with DTLS.
RT#4438

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-12 12:02:38 +01:00
Rich Salz
4a8e9c22f4 Move 3DES from HIGH to MEDIUM
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-05-05 17:31:53 -04:00
FdaSilvaYY
8483a003bf various spelling fixes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/952)
2016-04-28 14:22:26 -04:00
Rich Salz
e771eea6d8 Revert "various spelling fixes"
This reverts commit 620d540bd4.
It wasn't reviewed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-04 16:11:43 -04:00