Commit graph

445 commits

Author SHA1 Message Date
Dr. Stephen Henson
8a43a42a02 Support TLS 1.3 signature scheme names.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
edbfba1a34 Extend TLS 1.3 signature table.
Add additional entries in the TLS 1.2 signature table to include
the name, sig and hash NID (if any) and required curve (if any).

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
018031faa8 Use shared signature algorithm list to find type.
Lookup the signature type in the shared list: we can use this to
use PSS if the peer supports it for TLS 1.2.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
42ef7aead2 Add SSL_get_peer_signature_type_nid() function.
Add function to retrieve signature type: in the case of RSA
keys the signature type can be EVP_PKEY_RSA or EVP_PKEY_RSA_PSS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
5554facbe7 Store peer signature type.
Store peer signature type in s->s3->tmp.peer_sigtype and check it
to see if the peer used PSS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
b2eb699874 More complete PSS support.
Extend support for PSS key signatures by using the EVP_PKEY_RSA_PSS type
to distinguish them from PKCS1 signature types.

Allow setting of PSS signature algorithms using the string "PSS" or
"RSA-PSS".

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 12:59:28 +00:00
Dr. Stephen Henson
98c792d18c Use uint16_t for signature scheme.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 12:59:28 +00:00
Matt Caswell
40f805ad92 Various style fixes following review feedback
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:25 +00:00
Matt Caswell
61c3264970 Remove unneccessary comments
Now we're using an enum the values themselves are self explanatory

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:25 +00:00
Matt Caswell
ddf6ec0069 Make the "ticket" function return codes clearer
Remove "magic" return values and use an enum instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:23 +00:00
Matt Caswell
081912943f Use the correct session resumption mechanism
Don't attempt to add a TLS1.3 session to a TLS1.2 ClientHello session
ticket extensions. Similarly don't add a TLS1.2 session to a TLS1.3
psk extension.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:21 +00:00
Matt Caswell
1053a6e228 Implement Server side of PSK extension parsing
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:21 +00:00
Dr. Stephen Henson
a9669ddc64 Use correct signature algorithm list when sending or checking.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2290)
2017-01-26 16:44:18 +00:00
Rich Salz
3e37351834 If client doesn't send curves list, don't assume all.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1597)
2017-01-18 12:24:28 -05:00
Matt Caswell
5eeb6c6e56 Fix no-ec following sigalgs refactor
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:51 +00:00
Matt Caswell
7a531ee460 Fix tls1_set_sigalgs() length calculation
The length passed to tls1_set_sigalgs() is a multiple of two and there are
two char entries in the list for each sigalg. When we set
client_sigalgslen or conf_sigalgslen this is the number of ints in the list
where there is one entry per sigalg (i.e. half the length of the list passed
to the function).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:51 +00:00
Matt Caswell
42ab223000 Add some missing sigalgs
The SHA1 sigalgs were inadvertently missed off in the sigalgs refactor.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:51 +00:00
Matt Caswell
1b520cbb6a Fix a Travis failure
Declare a variable as static to silence the warning

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
fe3066ee40 Extend PSS signature support to TLSv1.2
TLSv1.3 introduces PSS based sigalgs. Offering these in a TLSv1.3 client
implies that the client is prepared to accept these sigalgs even in
TLSv1.2.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
710eb47fdd Add a TLS1.3 TODO for setting of sig algs
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
523fb3233a Ignore PKCS1 based sig algs in TLSv1.3
In TLSv1.3 we must use PSS based sig algs for RSA signing. Ignore any
shared sig algs which are PKCS1 based.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
0490431272 Verify that the sig algs extension has been sent for TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
63c1df0983 Remove some unneeded functions
The sigalgs work has made some old lookup tables and functions redundant
so remove them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
536199ece0 Use NIDs instead of the old TLSv1.2 sigalgs hash and sig ids
We had an extra layer of indirection in looking up hashes and sigs based
on sigalgs which is now no longer necessary. This removes it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
2ec6cb3385 Remove a redundant function
The extensions refactor made this function redundant so we can remove it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
703bcee021 Convert Sigalgs processing to use ints
In TLSv1.2 an individual sig alg is represented by 1 byte for the hash
and 1 byte for the signature. In TLSv1.3 each sig alg is represented by
two bytes, where the two bytes together represent a single hash and
signature combination. This converts the internal representation of sigalgs
to use a single int for the pair, rather than a pair of bytes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Rich Salz
aff8c126fd Move extension data into sub-structs
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2052)
2017-01-09 22:26:47 -05:00
Matt Caswell
70af3d8ed7 Avoid repeatedly scanning the list of extensions
Because extensions were keyed by type which is sparse, we were continually
scanning the list to find the one we wanted. The way we stored them also
had the side effect that we were running initialisers/finalisers in a
different oder to the parsers. In this commit we change things so that we
instead key on an index value for each extension.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:56 +00:00
Matt Caswell
ab83e31414 Move client construction of ClientHello extensions into new framework
Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:30 +00:00
Matt Caswell
6dd083fd68 Move client parsing of ServerHello extensions into new framework
Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:25 +00:00
Matt Caswell
7da160b0f4 Move ServerHello extension construction into the new extensions framework
This lays the foundation for a later move to have the extensions built and
placed into the correct message for TLSv1.3 (e.g. ServerHello or
EncryptedExtensions).

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:12 +00:00
Matt Caswell
6b473acabd Refactor ClientHello extension parsing
This builds on the work started in 1ab3836b3 and extends is so that
each extension has its own identified parsing functions, as well as an
allowed context identifying which messages and protocols it is relevant for.
Subsequent commits will do a similar job for the ServerHello extensions.
This will enable us to have common functions for processing extension blocks
no matter which of the multiple messages they are received from. In TLSv1.3
a number of different messages have extension blocks, and some extensions
have moved from one message to another when compared to TLSv1.2.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:17:45 +00:00
Matt Caswell
bebc0c7d85 Use the TLSv1.3 nonce construction
This updates the record layer to use the TLSv1.3 style nonce construciton.
It also updates TLSProxy and ossltest to be able to recognise the new
layout.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-29 23:31:10 +00:00
Matt Caswell
884a790e17 Fix missing NULL checks in key_share processing
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 22:39:27 +00:00
Matt Caswell
f5ca0b04bb Fix some style issues identified during review
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:22 +00:00
Matt Caswell
c805f6189e Fix SSL_IS_TLS13(s)
The SSL_IS_TLS13() macro wasn't quite right. It would come back with true
in the case where we haven't yet negotiated TLSv1.3, but it could be
negotiated.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:22 +00:00
Matt Caswell
92760c21e6 Update state machine to be closer to TLS1.3
This is a major overhaul of the TLSv1.3 state machine. Currently it still
looks like TLSv1.2. This commit changes things around so that it starts
to look a bit less like TLSv1.2 and bit more like TLSv1.3.

After this commit we have:

ClientHello
+ key_share          ---->
                           ServerHello
                           +key_share
                           {CertificateRequest*}
                           {Certificate*}
                           {CertificateStatus*}
                     <---- {Finished}
{Certificate*}
{CertificateVerify*}
{Finished}           ---->
[ApplicationData]    <---> [Application Data]

Key differences between this intermediate position and the final TLSv1.3
position are:
- No EncryptedExtensions message yet
- No server side CertificateVerify message yet
- CertificateStatus still exists as a separate message
- A number of the messages are still in the TLSv1.2 format
- Still running on the TLSv1.2 record layer

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:21 +00:00
Matt Caswell
9362c93ebc Remove old style NewSessionTicket from TLSv1.3
TLSv1.3 has a NewSessionTicket message, but it is *completely* different to
the TLSv1.2 one and may as well have been called something else. This commit
removes the old style NewSessionTicket from TLSv1.3. We will have to add the
new style one back in later.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:21 +00:00
Matt Caswell
9a5198808a Move getting the curvelist for client and server out of the loop
No need to continually get the list of supported curves for the client
and server. Just do it once.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
94ed2c6739 Fixed various style issues in the key_share code
Numerous style issues as well as references to TLS1_3_VERSION instead of
SSL_IS_TLS13(s)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
323f212aa7 Check key_exchange data length is not 0
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
2ee1271d8f Ensure the whole key_share extension is well formatted
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
ef7daaf915 Validate that the provided key_share is in supported_groups
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
0f1e51ea11 Start using the key_share data to derive the PMS
The previous commits put in place the logic to exchange key_share data. We
now need to do something with that information. In <= TLSv1.2 the equivalent
of the key_share extension is the ServerKeyExchange and ClientKeyExchange
messages. With key_share those two messages are no longer necessary.

The commit removes the SKE and CKE messages from the TLSv1.3 state machine.
TLSv1.3 is completely different to TLSv1.2 in the messages that it sends
and the transitions that are allowed. Therefore, rather than extend the
existing <=TLS1.2 state transition functions, we create a whole new set for
TLSv1.3. Intially these are still based on the TLSv1.2 ones, but over time
they will be amended.

The new TLSv1.3 transitions remove SKE and CKE completely. There's also some
cleanup for some stuff which is not relevant to TLSv1.3 and is easy to
remove, e.g. the DTLS support (we're not doing DTLSv1.3 yet) and NPN.

I also disable EXTMS for TLSv1.3. Using it was causing some added
complexity, so rather than fix it I removed it, since eventually it will not
be needed anyway.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
d7c42d71ba Add processing of the key_share received in the ServerHello
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
bcec335856 Add key_share info to the ServerHello
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
b1834ad781 Add the key_share processing to the server side
At the moment the server doesn't yet do anything with this information.
We still need to send the server's key_share info back to the client. That
will happen in subsequent commits.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
d2c27a28c0 Generate the key_shares extension on the client side
In this commit we just generate the extension on the client side, but don't
yet do anything with it. Subsequent commits, will add the server side
capability.

At the moment we hard code a single key_share. In the future we should make
this configurable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:45 +00:00
Richard Levitte
e72040c1dc Remove heartbeat support
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1669)
2016-11-13 16:24:02 -05:00
Matt Caswell
de4d764e32 Rename the Elliptic Curves extension to supported_groups
This is a skin deep change, which simply renames most places where we talk
about curves in a TLS context to groups. This is because TLS1.3 has renamed
the extension, and it can now include DH groups too. We still only support
curves, but this rename should pave the way for a future extension for DH
groups.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-10 15:05:36 +00:00