Commit graph

565 commits

Author SHA1 Message Date
Dr. Stephen Henson
f365a3e2e5 Use cert_index and sigalg
Now the certificate and signature algorithm is set in one place we
can use it directly insetad of recalculating it. The old functions
ssl_get_server_send_pkey() and ssl_get_server_cert_index() are no
longer required.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
2017-02-15 02:23:54 +00:00
Dr. Stephen Henson
0972bc5ced Add sigalg for earlier TLS versions
Update tls_choose_sigalg to choose a signature algorithm for all
versions of TLS not just 1.3.

For TLS 1.2 we choose the highest preference signature algorithm
for the chosen ciphersuite.

For TLS 1.1 and earlier the signature algorithm is determined by
the ciphersuite alone. For RSA we use a special MD5+SHA1 signature
algorithm.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
2017-02-15 02:23:54 +00:00
Dr. Stephen Henson
4a419f6018 Change tls_choose_sigalg so it can set errors and alerts.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
2017-02-15 02:23:54 +00:00
Bernd Edlinger
57b0d651f0 Use TLSEXT_KEYNAME_LENGTH in tls_decrypt_ticket.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2618)
2017-02-14 14:37:59 -05:00
Dr. Stephen Henson
d0ff28f8a2 Replace SSL_PKEY_RSA_ENC, SSL_PKEY_RSA_SIGN
The original intent of SSL_PKEY_RSA_SIGN and SSL_PKEY_RSA_ENC was to
support two different keys for RSA signing and decrypt. However this
was never implemented and we only ever set one key and the other was
always NULL. Replace with single SSL_PKEY_RSA type.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2587)
2017-02-10 20:08:35 +00:00
Dr. Stephen Henson
8fd19b20be Check index >= 0 as 0 is a valid index.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2587)
2017-02-10 20:08:35 +00:00
Peter Wu
6d047e06e6 SSL_get_shared_sigalgs: handle negative idx parameter
When idx is negative (as is the case with do_print_sigalgs in
apps/s_cb.c), AddressSanitizer complains about a buffer overflow (read).
Even if the pointer is not dereferenced, this is undefined behavior.

Change the user not to use "-1" as index since the function is
documented to return 0 on out-of-range values.

Tested with `openssl s_server` and `curl -k https://localhost:4433`.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2349)
2017-02-09 09:48:46 +00:00
Richard Levitte
21f198ec48 Fix "no-ec"
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2547)
2017-02-03 20:37:23 +01:00
Dr. Stephen Henson
93a77f9e2c Add function tls_choose_sigalg().
New function tls_choose_sigalg(). This is a signature algorithm version
of ssl3_choose_cipher(): it picks and sets the appropriate signature
algorithm and certificate based on shared signature algorithms.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)
2017-02-02 14:45:09 +00:00
Todd Short
222da97918 Majority rules, use session_ctx vs initial_ctx
session_ctx and initial_ctx are aliases of each other, and with the
opaque data structures, there's no need to keep both around. Since
there were more references of session_ctx, replace all instances of
initial_ctx with session_ctx.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2334)
2017-01-31 20:41:55 -05:00
Dr. Stephen Henson
f1adb0068f Tidy up Suite B logic
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:03:02 +00:00
Dr. Stephen Henson
6cbebb5516 Remove peer_md and use peer_sigalg instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:03:02 +00:00
Dr. Stephen Henson
44b6318f48 Simplify sigalgs code.
Remove unnecessary lookup operations: use the indices and data in the
lookup table directly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:03:02 +00:00
Dr. Stephen Henson
17ae384e49 Add digest and key indices to table.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:03:01 +00:00
Dr. Stephen Henson
8f88cb53dd Add TLS 1.3 signing curve check
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:03:00 +00:00
Dr. Stephen Henson
2b4418ebd6 Only allow PSS signatures with RSA keys and TLS 1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:03:00 +00:00
Dr. Stephen Henson
f742cda820 Store table entry to peer signature algorithm.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:02:59 +00:00
Dr. Stephen Henson
787ebcafcd Update macros.
Use TLS_MAX_SIGALGCNT for the maximum number of entries in the
signature algorithms array.

Use TLS_MAX_SIGSTRING_LEN for the maxiumum length of each signature
component instead of a magic number.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:18 +00:00
Dr. Stephen Henson
cdf516d988 Fix TLS 1.2 and no sigalgs.
For TLS 1.2 if we have no signature algorithms extension then lookup
using the complete table instead of (empty) shared signature algorithms
list so we pick up defaults.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:17 +00:00
Dr. Stephen Henson
4d43ee28d4 Replace TLS_SIGALGS with SIGALG_LOOKUP
Since every supported signature algorithm is now an entry in the
SIGALG_LOOKUP table we can replace shared signature algortihms with
pointers to constant table entries.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:17 +00:00
Dr. Stephen Henson
8a43a42a02 Support TLS 1.3 signature scheme names.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
edbfba1a34 Extend TLS 1.3 signature table.
Add additional entries in the TLS 1.2 signature table to include
the name, sig and hash NID (if any) and required curve (if any).

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
018031faa8 Use shared signature algorithm list to find type.
Lookup the signature type in the shared list: we can use this to
use PSS if the peer supports it for TLS 1.2.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
42ef7aead2 Add SSL_get_peer_signature_type_nid() function.
Add function to retrieve signature type: in the case of RSA
keys the signature type can be EVP_PKEY_RSA or EVP_PKEY_RSA_PSS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
5554facbe7 Store peer signature type.
Store peer signature type in s->s3->tmp.peer_sigtype and check it
to see if the peer used PSS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
b2eb699874 More complete PSS support.
Extend support for PSS key signatures by using the EVP_PKEY_RSA_PSS type
to distinguish them from PKCS1 signature types.

Allow setting of PSS signature algorithms using the string "PSS" or
"RSA-PSS".

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 12:59:28 +00:00
Dr. Stephen Henson
98c792d18c Use uint16_t for signature scheme.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 12:59:28 +00:00
Matt Caswell
40f805ad92 Various style fixes following review feedback
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:25 +00:00
Matt Caswell
61c3264970 Remove unneccessary comments
Now we're using an enum the values themselves are self explanatory

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:25 +00:00
Matt Caswell
ddf6ec0069 Make the "ticket" function return codes clearer
Remove "magic" return values and use an enum instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:23 +00:00
Matt Caswell
081912943f Use the correct session resumption mechanism
Don't attempt to add a TLS1.3 session to a TLS1.2 ClientHello session
ticket extensions. Similarly don't add a TLS1.2 session to a TLS1.3
psk extension.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:21 +00:00
Matt Caswell
1053a6e228 Implement Server side of PSK extension parsing
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:21 +00:00
Dr. Stephen Henson
a9669ddc64 Use correct signature algorithm list when sending or checking.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2290)
2017-01-26 16:44:18 +00:00
Rich Salz
3e37351834 If client doesn't send curves list, don't assume all.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1597)
2017-01-18 12:24:28 -05:00
Matt Caswell
5eeb6c6e56 Fix no-ec following sigalgs refactor
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:51 +00:00
Matt Caswell
7a531ee460 Fix tls1_set_sigalgs() length calculation
The length passed to tls1_set_sigalgs() is a multiple of two and there are
two char entries in the list for each sigalg. When we set
client_sigalgslen or conf_sigalgslen this is the number of ints in the list
where there is one entry per sigalg (i.e. half the length of the list passed
to the function).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:51 +00:00
Matt Caswell
42ab223000 Add some missing sigalgs
The SHA1 sigalgs were inadvertently missed off in the sigalgs refactor.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:51 +00:00
Matt Caswell
1b520cbb6a Fix a Travis failure
Declare a variable as static to silence the warning

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
fe3066ee40 Extend PSS signature support to TLSv1.2
TLSv1.3 introduces PSS based sigalgs. Offering these in a TLSv1.3 client
implies that the client is prepared to accept these sigalgs even in
TLSv1.2.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
710eb47fdd Add a TLS1.3 TODO for setting of sig algs
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
523fb3233a Ignore PKCS1 based sig algs in TLSv1.3
In TLSv1.3 we must use PSS based sig algs for RSA signing. Ignore any
shared sig algs which are PKCS1 based.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
0490431272 Verify that the sig algs extension has been sent for TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
63c1df0983 Remove some unneeded functions
The sigalgs work has made some old lookup tables and functions redundant
so remove them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
536199ece0 Use NIDs instead of the old TLSv1.2 sigalgs hash and sig ids
We had an extra layer of indirection in looking up hashes and sigs based
on sigalgs which is now no longer necessary. This removes it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
2ec6cb3385 Remove a redundant function
The extensions refactor made this function redundant so we can remove it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
703bcee021 Convert Sigalgs processing to use ints
In TLSv1.2 an individual sig alg is represented by 1 byte for the hash
and 1 byte for the signature. In TLSv1.3 each sig alg is represented by
two bytes, where the two bytes together represent a single hash and
signature combination. This converts the internal representation of sigalgs
to use a single int for the pair, rather than a pair of bytes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Rich Salz
aff8c126fd Move extension data into sub-structs
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2052)
2017-01-09 22:26:47 -05:00
Matt Caswell
70af3d8ed7 Avoid repeatedly scanning the list of extensions
Because extensions were keyed by type which is sparse, we were continually
scanning the list to find the one we wanted. The way we stored them also
had the side effect that we were running initialisers/finalisers in a
different oder to the parsers. In this commit we change things so that we
instead key on an index value for each extension.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:56 +00:00
Matt Caswell
ab83e31414 Move client construction of ClientHello extensions into new framework
Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:30 +00:00
Matt Caswell
6dd083fd68 Move client parsing of ServerHello extensions into new framework
Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:25 +00:00
Matt Caswell
7da160b0f4 Move ServerHello extension construction into the new extensions framework
This lays the foundation for a later move to have the extensions built and
placed into the correct message for TLSv1.3 (e.g. ServerHello or
EncryptedExtensions).

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:12 +00:00
Matt Caswell
6b473acabd Refactor ClientHello extension parsing
This builds on the work started in 1ab3836b3 and extends is so that
each extension has its own identified parsing functions, as well as an
allowed context identifying which messages and protocols it is relevant for.
Subsequent commits will do a similar job for the ServerHello extensions.
This will enable us to have common functions for processing extension blocks
no matter which of the multiple messages they are received from. In TLSv1.3
a number of different messages have extension blocks, and some extensions
have moved from one message to another when compared to TLSv1.2.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:17:45 +00:00
Matt Caswell
bebc0c7d85 Use the TLSv1.3 nonce construction
This updates the record layer to use the TLSv1.3 style nonce construciton.
It also updates TLSProxy and ossltest to be able to recognise the new
layout.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-29 23:31:10 +00:00
Matt Caswell
884a790e17 Fix missing NULL checks in key_share processing
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 22:39:27 +00:00
Matt Caswell
f5ca0b04bb Fix some style issues identified during review
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:22 +00:00
Matt Caswell
c805f6189e Fix SSL_IS_TLS13(s)
The SSL_IS_TLS13() macro wasn't quite right. It would come back with true
in the case where we haven't yet negotiated TLSv1.3, but it could be
negotiated.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:22 +00:00
Matt Caswell
92760c21e6 Update state machine to be closer to TLS1.3
This is a major overhaul of the TLSv1.3 state machine. Currently it still
looks like TLSv1.2. This commit changes things around so that it starts
to look a bit less like TLSv1.2 and bit more like TLSv1.3.

After this commit we have:

ClientHello
+ key_share          ---->
                           ServerHello
                           +key_share
                           {CertificateRequest*}
                           {Certificate*}
                           {CertificateStatus*}
                     <---- {Finished}
{Certificate*}
{CertificateVerify*}
{Finished}           ---->
[ApplicationData]    <---> [Application Data]

Key differences between this intermediate position and the final TLSv1.3
position are:
- No EncryptedExtensions message yet
- No server side CertificateVerify message yet
- CertificateStatus still exists as a separate message
- A number of the messages are still in the TLSv1.2 format
- Still running on the TLSv1.2 record layer

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:21 +00:00
Matt Caswell
9362c93ebc Remove old style NewSessionTicket from TLSv1.3
TLSv1.3 has a NewSessionTicket message, but it is *completely* different to
the TLSv1.2 one and may as well have been called something else. This commit
removes the old style NewSessionTicket from TLSv1.3. We will have to add the
new style one back in later.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:21 +00:00
Matt Caswell
9a5198808a Move getting the curvelist for client and server out of the loop
No need to continually get the list of supported curves for the client
and server. Just do it once.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
94ed2c6739 Fixed various style issues in the key_share code
Numerous style issues as well as references to TLS1_3_VERSION instead of
SSL_IS_TLS13(s)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
323f212aa7 Check key_exchange data length is not 0
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
2ee1271d8f Ensure the whole key_share extension is well formatted
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
ef7daaf915 Validate that the provided key_share is in supported_groups
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
0f1e51ea11 Start using the key_share data to derive the PMS
The previous commits put in place the logic to exchange key_share data. We
now need to do something with that information. In <= TLSv1.2 the equivalent
of the key_share extension is the ServerKeyExchange and ClientKeyExchange
messages. With key_share those two messages are no longer necessary.

The commit removes the SKE and CKE messages from the TLSv1.3 state machine.
TLSv1.3 is completely different to TLSv1.2 in the messages that it sends
and the transitions that are allowed. Therefore, rather than extend the
existing <=TLS1.2 state transition functions, we create a whole new set for
TLSv1.3. Intially these are still based on the TLSv1.2 ones, but over time
they will be amended.

The new TLSv1.3 transitions remove SKE and CKE completely. There's also some
cleanup for some stuff which is not relevant to TLSv1.3 and is easy to
remove, e.g. the DTLS support (we're not doing DTLSv1.3 yet) and NPN.

I also disable EXTMS for TLSv1.3. Using it was causing some added
complexity, so rather than fix it I removed it, since eventually it will not
be needed anyway.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
d7c42d71ba Add processing of the key_share received in the ServerHello
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
bcec335856 Add key_share info to the ServerHello
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
b1834ad781 Add the key_share processing to the server side
At the moment the server doesn't yet do anything with this information.
We still need to send the server's key_share info back to the client. That
will happen in subsequent commits.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
d2c27a28c0 Generate the key_shares extension on the client side
In this commit we just generate the extension on the client side, but don't
yet do anything with it. Subsequent commits, will add the server side
capability.

At the moment we hard code a single key_share. In the future we should make
this configurable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:45 +00:00
Richard Levitte
e72040c1dc Remove heartbeat support
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1669)
2016-11-13 16:24:02 -05:00
Matt Caswell
de4d764e32 Rename the Elliptic Curves extension to supported_groups
This is a skin deep change, which simply renames most places where we talk
about curves in a TLS context to groups. This is because TLS1.3 has renamed
the extension, and it can now include DH groups too. We still only support
curves, but this rename should pave the way for a future extension for DH
groups.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-10 15:05:36 +00:00
Matt Caswell
f2342b7ac3 Address some supported_versions review comments
Added some TODOs, refactored a couple of things and added a SSL_IS_TLS13()
macro.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 16:03:09 +00:00
Matt Caswell
16bce0e08b Address some review feedback comments for supported_versions
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 16:03:08 +00:00
Matt Caswell
cd99883755 Add server side support for supported_versions extension
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 16:03:08 +00:00
Matt Caswell
b5b253b1bf Add the ability to send the supported_versions extension
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 16:03:08 +00:00
Matt Caswell
902aca09f3 Make some CLIENTHELLO_MSG function arguments const
There were a few places where they could be declared const so this commit
does that.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 09:10:30 +00:00
Matt Caswell
3d33f3bbe4 Update a comment
The name and type of the argument to ssl_check_for_safari() has changed.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 09:10:30 +00:00
Matt Caswell
6438632420 Add some function documentation and update some existing comments
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 09:10:30 +00:00
Matt Caswell
de7d61d5c2 Improve some comment documentation following the extensions refactor
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 09:10:30 +00:00
Matt Caswell
b1b4b543ee Fix various style issues in the extension parsing refactor
Based on review feedback received.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 09:10:30 +00:00
Matt Caswell
1ab3836b3b Refactor ClientHello processing so that extensions get parsed earlier
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 09:10:29 +00:00
Matt Caswell
348240c676 Fix misc size_t issues causing Windows warnings in 64 bit
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
8b0e934afb Fix some missed size_t updates
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
d736bc1a7d Update misc function params in libssl for size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
ec60ccc1c1 Convert session_id_length and sid_ctx_len to size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
582a17d662 Add the SSL_METHOD for TLSv1.3 and all other base changes required
Includes addition of the various options to s_server/s_client. Also adds
one of the new TLS1.3 ciphersuites.

This isn't "real" TLS1.3!! It's identical to TLS1.2 apart from the protocol
and the ciphersuite...and the ciphersuite is just a renamed TLS1.2 one (not
a "real" TLS1.3 ciphersuite).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-02 13:08:21 +00:00
David Woodhouse
cde6145ba1 Add SSL_OP_NO_ENCRYPT_THEN_MAC
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-10-17 23:17:39 +01:00
Matt Caswell
a29fa98ceb Rename ssl_set_handshake_header2()
ssl_set_handshake_header2() was only ever a temporary name while we had
to have ssl_set_handshake_header() for code that hadn't been converted to
WPACKET yet. No code remains that needed that so we can rename it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-02 20:25:57 +01:00
Matt Caswell
e2726ce64d Remove ssl_set_handshake_header()
Remove the old ssl_set_handshake_header() implementations. Later we will
rename ssl_set_handshake_header2() to ssl_set_handshake_header().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-02 20:25:57 +01:00
Matt Caswell
42cde22f48 Remove the tls12_get_sigandhash_old() function
This is no longer needed now that all messages use WPACKET

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-02 20:25:57 +01:00
Matt Caswell
ac8cc3efb2 Remove tls12_copy_sigalgs_old()
This was a temporary function needed during the conversion to WPACKET. All
callers have now been converted to the new way of doing this so this
function is no longer required.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 14:52:55 +01:00
Matt Caswell
7facdbd66f Fix a bug in the construction of the ClienHello SRTP extension
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 10:06:46 +01:00
Matt Caswell
7507e73d40 Fix heartbeat compilation error
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 10:06:46 +01:00
Matt Caswell
8157d44b62 Convert ServerHello construction to WPACKET
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 10:06:46 +01:00
Matt Caswell
2f97192c78 Fix a bug in Renegotiation extension construction
The conversion to WPACKET broke the construction of the renegotiation
extension.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-28 09:15:07 +01:00
Matt Caswell
c31dbed70c Fix a mem leak in NPN handling
If a server sent multiple NPN extensions in a single ClientHello then a
mem leak can occur. This will only happen where the client has requested
NPN in the first place. It does not occur during renegotiation. Therefore
the maximum that could be leaked in a single connection with a malicious
server is 64k (the maximum size of the ServerHello extensions section). As
this is client side, only occurs if NPN has been requested and does not
occur during renegotiation this is unlikely to be exploitable.

Issue reported by Shi Lei.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-22 09:27:45 +01:00
Matt Caswell
e408c09bbf Fix OCSP Status Request extension unbounded memory growth
A malicious client can send an excessively large OCSP Status Request
extension. If that client continually requests renegotiation,
sending a large OCSP Status Request extension each time, then there will
be unbounded memory growth on the server. This will eventually lead to a
Denial Of Service attack through memory exhaustion. Servers with a
default configuration are vulnerable even if they do not support OCSP.
Builds using the "no-ocsp" build time option are not affected.

I have also checked other extensions to see if they suffer from a similar
problem but I could not find any other issues.

CVE-2016-6304

Issue reported by Shi Lei.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-22 09:27:45 +01:00
Matt Caswell
08029dfa03 Convert WPACKET_put_bytes to use convenience macros
All the other functions that take an argument for the number of bytes
use convenience macros for this purpose. We should do the same with
WPACKET_put_bytes().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-20 14:47:44 +01:00
Matt Caswell
418a18a2de Style tweaks following review feedback
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-20 10:16:56 +01:00
Matt Caswell
6400f33818 Convert ClientVerify Construction to WPACKET
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-20 10:16:56 +01:00
Matt Caswell
dd8710dc54 Fix OCSP_RESPID processing bug introduced by WPACKET changes
An OCSP_RESPID in a status request extension has 2 bytes for the length
not 1.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-14 10:26:36 +01:00
Matt Caswell
b2b3024e0e Add a WPACKET_sub_allocate_bytes() function
Updated the construction code to use the new function. Also added some
convenience macros for WPACKET_sub_memcpy().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-14 00:02:34 +01:00
Matt Caswell
c0f9e23c6b Fix a few style nits in the wpacket code
Addressing more feedback comments.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Matt Caswell
de451856f0 Address WPACKET review comments
A few style tweaks here and there. The main change is that curr and
packet_len are now offsets into the buffer to account for the fact that
the pointers can change if the buffer grows. Also dropped support for the
WPACKET_set_packet_len() function. I thought that was going to be needed
but so far it hasn't been. It doesn't really work any more due to the
offsets change.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Matt Caswell
fb790f1673 Add WPACKET_sub_memcpy() function
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Matt Caswell
0217dd19c0 Move from explicit sub-packets to implicit ones
No need to declare an explicit sub-packet. Just start one.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Matt Caswell
ae2f7b37da Rename PACKETW to WPACKET
To avoid confusion with the read PACKET structure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Matt Caswell
2c7b4dbc1a Convert tls_construct_client_hello() to use PACKETW
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Dr. Stephen Henson
e97763c92c Sanity check ticket length.
If a ticket callback changes the HMAC digest to SHA512 the existing
sanity checks are not sufficient and an attacker could perform a DoS
attack with a malformed ticket. Add additional checks based on
HMAC size.

Thanks to Shi Lei for reporting this bug.

CVE-2016-6302

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-08-23 23:16:24 +01:00
Emilia Kasper
a230b26e09 Indent ssl/
Run util/openssl-format-source on ssl/

Some comments and hand-formatted tables were fixed up
manually by disabling auto-formatting.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-18 14:02:29 +02:00
Dr. Stephen Henson
ec24630ae2 Modify TLS support for new X25519 API.
When handling ECDH check to see if the curve is "custom" (X25519 is
currently the only curve of this type) and instead of setting a curve
NID just allocate a key of appropriate type.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-13 14:11:05 +01:00
Emilia Kasper
70c22888c1 Fix two bugs in clienthello processing
- Always process ALPN (previously there was an early return in the
  certificate status handling)
- Don't send a duplicate alert. Previously, both
  ssl_check_clienthello_tlsext_late and its caller would send an
  alert. Consolidate alert sending code in the caller.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-19 14:18:03 +02:00
FdaSilvaYY
9d22666eb8 Spelling
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1264)
2016-06-29 09:56:39 -04:00
FdaSilvaYY
f430ba31ac Spelling... and more spelling
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1245)
2016-06-22 00:26:10 +02:00
FdaSilvaYY
823146d65f Useless header include of openssl/rand.h
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1168)
2016-06-18 16:30:24 -04:00
Matt Caswell
e7653f3bab Fix comment
Fix a comment following commit c2c49969e2.

RT2388

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-14 10:41:00 +01:00
Todd Short
5c753de668 Fix session ticket and SNI
When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.

However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:

1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.

To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.

Fix these two cases, and add unit test code to validate ticket behavior.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)
2016-06-09 13:07:51 -04:00
Dr. Stephen Henson
77ab2b0193 remove encrypt then mac ifdefs
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-23 19:15:20 +01:00
Rich Salz
846e33c729 Copyright consolidation 01/10
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-05-17 14:19:19 -04:00
TJ Saunders
05df5c2036 Use AES256 for the default encryption algoritm for TLS session tickets
This involves providing more session ticket key data, for both the cipher and
the digest

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>

GH: #515, MR: #2153
2016-05-16 20:43:06 +02:00
TJ Saunders
4e2e1ec9d5 session tickets: Use sizeof() for the various fields
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>

GH: #515, MR: #2153
2016-05-16 20:42:21 +02:00
Kazuki Yamaguchi
b04f947941 Fix NPN protocol name list validation
Since 50932c4 "PACKETise ServerHello processing",
ssl_next_proto_validate() incorrectly allows empty protocol name.
draft-agl-tls-nextprotoneg-04[1] says "Implementations MUST ensure that
the empty string is not included and that no byte strings are
truncated."
This patch restores the old correct behavior.

[1] https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-16 11:45:25 +01:00
David Benjamin
f7aa318552 Don't send signature algorithms when client_version is below TLS 1.2.
Per RFC 5246,

    Note: this extension is not meaningful for TLS versions prior to 1.2.
    Clients MUST NOT offer it if they are offering prior versions.
    However, even if clients do offer it, the rules specified in [TLSEXT]
    require servers to ignore extensions they do not understand.

Although second sentence would suggest that there would be no interop
problems in always offering the extension, WebRTC has reported issues
with Bouncy Castle on < TLS 1.2 ClientHellos that still include
signature_algorithms. See also
https://bugs.chromium.org/p/webrtc/issues/detail?id=4223

RT#4390

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-09 17:46:23 +01:00
FdaSilvaYY
8483a003bf various spelling fixes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/952)
2016-04-28 14:22:26 -04:00
Matt Caswell
5951e840d9 Fix no-ocsp on Windows (and probably VMS)
The ocsp.h file did not have appropriate guards causing link failures on
Windows.

GH Issue 900

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-21 17:03:02 +01:00
Rich Salz
9021a5dfb3 Rename some lowercase API's
Make OBJ_name_cmp internal
Rename idea_xxx to IDEA_xxx
Rename get_rfc_xxx to BN_get_rfc_xxx
Rename v3_addr and v3_asid functions to X509v3_...

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-18 08:22:00 -04:00
Matt Caswell
0aeddcfa61 Make DH opaque
Move the dh_st structure into an internal header file and provide
relevant accessors for the internal fields.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-09 10:10:55 +01:00
Matt Caswell
3e41ac3528 Fix no-ocsp
Misc fixes for no-ocsp

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-06 14:57:45 +01:00
Rich Salz
e771eea6d8 Revert "various spelling fixes"
This reverts commit 620d540bd4.
It wasn't reviewed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-04 16:11:43 -04:00
FdaSilvaYY
620d540bd4 various spelling fixes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-04 15:06:32 -04:00
Todd Short
0351baae36 Fix ALPN - more fixes
* Clear proposed, along with selected, before looking at ClientHello
* Add test case for above
* Clear NPN seen after selecting ALPN on server
* Minor documentation updates

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-20 21:09:32 -04:00
Rich Salz
3c27208fab Remove #error from include files.
Don't have #error statements in header files, but instead wrap
the contents of that file in #ifndef OPENSSL_NO_xxx
This means it is now always safe to include the header file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-20 19:48:36 -04:00
Matt Caswell
d1247df266 Ensure that memory allocated for the ticket is freed
If a call to EVP_DecryptUpdate fails then a memory leak could occur.
Ensure that the memory is freed appropriately.

Issue reported by Guido Vranken.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-18 11:52:22 +00:00
Kurt Roeckx
3eb2aff401 Add support for minimum and maximum protocol version supported by a cipher
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Todd Short
817cd0d52f GH787: Fix ALPN
* Perform ALPN after the SNI callback; the SSL_CTX may change due to
  that processing
* Add flags to indicate that we actually sent ALPN, to properly error
  out if unexpectedly received.
* clean up ssl3_free() no need to explicitly clear when doing memset
* document ALPN functions

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-08 09:03:05 -05:00
Rob Percival
ed29e82ade Adds CT validation to SSL connections
Disabled by default, but can be enabled by setting the
ct_validation_callback on a SSL or SSL_CTX.

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-04 10:50:10 -05:00
Rich Salz
ddb4c0477a Changes to DEFAULT curves
Change the ECC default curve list to be this, in order: x25519, secp256r1,
secp521r1, secp384r1, brainpoolP256r1, brainpoolP384r1, and brainpool512r1.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-04 09:50:49 -05:00
Emilia Kasper
062178678f Refactor ClientHello extension parsing
1) Simplify code with better PACKET methods.

2) Make broken SNI parsing explicit. SNI was intended to be extensible
to new name types but RFC 4366 defined the syntax inextensibly, and
OpenSSL has never parsed SNI in a way that would allow adding a new name
type. RFC 6066 fixed the definition but due to broken implementations
being widespread, it appears impossible to ever extend SNI.

3) Annotate resumption behaviour. OpenSSL doesn't currently handle all
extensions correctly upon resumption. Annotate for further clean-up.

4) Send an alert on ALPN protocol mismatch.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-03-03 13:53:26 +01:00
Dr. Stephen Henson
1db3107ada TLS support for X25519
Add X25519 to TLS supported curve list.
Reject attempts to configure keys which cannot be used
for signing.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-28 22:54:54 +00:00
Emilia Kasper
aa474d1fb1 TLS: reject duplicate extensions
Adapted from BoringSSL. Added a test.

The extension parsing code is already attempting to already handle this for
some individual extensions, but it is doing so inconsistently. Duplicate
efforts in individual extension parsing will be cleaned up in a follow-up.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-02-19 17:24:44 +01:00
Rich Salz
d63a5e5e7d Remove outdated DEBUG flags.
Add -DBIO_DEBUG to --strict-warnings.
Remove comments about outdated debugging ifdef guards.
Remove md_rand ifdef guarding an assert; it doesn't seem used.
Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
For pkcs12 stuff put OPENSSL_ in front of the macro name.
Merge TLS_DEBUG into SSL_DEBUG.
Various things just turned on/off asserts, mainly for checking non-NULL
arguments, which is now removed: camellia, bn_ctx, crypto/modes.
Remove some old debug code, that basically just printed things to stderr:
  DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
  RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-18 17:14:50 -05:00
Matt Caswell
35b1a433ed Fix memory leaks in tls_decrypt_ticket
Certain code paths in tls_decrypt_ticket could return early without first
freeing the HMAC_CTX or the EVP_CIPHER_CTX.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-18 15:21:47 +00:00
Dr. Stephen Henson
2235b7f2dd Simplify tls1_set_ec_id.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-16 14:01:40 +00:00
Dr. Stephen Henson
2fa2d15ac8 Use nid_list table to lookup curve IDs.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-16 14:01:40 +00:00
Dr. Stephen Henson
2dc1aeed3b Add explanation and warning to TLS id table.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-16 14:01:40 +00:00
Dr. Stephen Henson
ce0c1f2bb2 Remove static ECDH support.
Remove support for static ECDH ciphersuites. They require ECDH keys
in certificates and don't support forward secrecy.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-11 20:54:01 +00:00
Dr. Stephen Henson
221c7b55e3 Don't check self signed certificate signature security.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 19:00:41 +00:00
Rich Salz
22e3dcb780 Remove TLS heartbeat, disable DTLS heartbeat
To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.

This addresses RT 3647

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 12:57:26 -05:00
Emilia Kasper
b698174493 constify PACKET
PACKET contents should be read-only. To achieve this, also
- constify two user callbacks
- constify BUF_reverse.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-01 16:21:57 +01:00
Rich Salz
349807608f Remove /* foo.c */ comments
This was done by the following
        find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
        print unless $. == 1 && m@/\* .*\.[ch] \*/@;
        close ARGV if eof; # Close file to reset $.

And then some hand-editing of other files.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-26 16:40:43 -05:00
Dr. Stephen Henson
3aeb934865 make EVP_PKEY opaque
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-20 03:24:59 +00:00