Allo RSA certificate to be used for RSA-PSS signatures: this needs
to be explicit because RSA and RSA-PSS certificates are now distinct
types.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
Removed e_os.h from all bar three headers (apps/apps.h crypto/bio/bio_lcl.h and
ssl/ssl_locl.h).
Added e_os.h into the files that need it now.
Directly reference internal/nelem.h when required.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)
The functiontls12_get_pkey_idx is only used to see if a certificate index is
enabled: call ssl_cert_is_disabled instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3858)
In draft-ietf-tls-tls13-20 Appendix B we find that:
This section describes protocol types and constants. Values listed
as _RESERVED were used in previous versions of TLS and are listed
here for completeness. TLS 1.3 implementations MUST NOT send them
but might receive them from older TLS implementations.
Similarly, in section 4.2.3 we see:
Legacy algorithms Indicates algorithms which are being deprecated
because they use algorithms with known weaknesses, specifically
SHA-1 which is used in this context with either with RSA using
RSASSA-PKCS1-v1_5 or ECDSA. These values refer solely to
signatures which appear in certificates (see Section 4.4.2.2) and
are not defined for use in signed TLS handshake messages.
Endpoints SHOULD NOT negotiate these algorithms but are permitted
to do so solely for backward compatibility. Clients offering
these values MUST list them as the lowest priority (listed after
all other algorithms in SignatureSchemeList). TLS 1.3 servers
MUST NOT offer a SHA-1 signed certificate unless no valid
certificate chain can be produced without it (see
Section 4.4.2.2).
However, we are currently sending the SHA2-based DSA signature schemes
and many SHA1-based schemes, which is in contradiction with the specification.
Because TLS 1.3 support will appear in OpenSSL 1.1, we are bound by
stability requirements to continue to offer the DSA signature schemes
and the deprecated hash algorithms. at least until OpenSSL 1.2.
However, for pure TLS 1.3 clients that do not offer lower TLS versions,
we can be compliant. Do so, and leave a note to revisit the issue when
we are permitted to break with sacred historical tradition.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3326)
Also remove nested OPENSSL_NO_EC conditional; it was properly indented,
but a no-op.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3693)
This used to work but was inadvertently removed as part of the TLSv1.3
work. This adds it back.
Fixes#3633
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3639)
We are quite inconsistent about which alerts get sent. Specifically, these
alerts should be used (normally) in the following circumstances:
SSL_AD_DECODE_ERROR = The peer sent a syntactically incorrect message
SSL_AD_ILLEGAL_PARAMETER = The peer sent a message which was syntactically
correct, but a parameter given is invalid for the context
SSL_AD_HANDSHAKE_FAILURE = The peer's messages were syntactically and
semantically correct, but the parameters provided were unacceptable to us
(e.g. because we do not support the requested parameters)
SSL_AD_INTERNAL_ERROR = We messed up (e.g. malloc failure)
The standards themselves aren't always consistent but I think the above
represents the best interpretation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3480)
Ensure that there are ciphersuites enabled for the maximum supported
version we will accept in a ClientHello.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3316)
ECDHE is not properly defined for SSLv3. Commit fe55c4a2 prevented ECDHE
from being selected in that protocol. However, historically, servers do
still select ECDHE anyway so that commit causes interoperability problems.
Clients that previously worked when talking to an SSLv3 server could now
fail.
This commit introduces an exception which enables a client to continue in
SSLv3 if the server selected ECDHE.
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3204)
Add functions to add/retrieve the certificate_authorities. The older
client_CA functions mainly just call the new versions now.
Rename fields sice new extension can be generated by client and server.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3015)
Fix some comments too
[skip ci]
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3069)
that refers to space
deallocated by a call to the free function in tls_decrypt_ticket.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2897)
(cherry picked from commit 13ed1afa92)
Change tls12_sigalg_allowed() so it is passed a SIGALG_LOOKUP parameter,
this avoids multiple lookups.
When we copy signature algorithms return an error if no valid TLS message
signing algorithm is present. For TLS 1.3 this means we need at least one
signature algorithm other than RSA PKCS#1 or SHA1 both of which can only be
used to sign certificates and not TLS messages.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2840)
The certificate types used to be held in a fixed length array or (if
it was too long) a malloced buffer. This was done to retain binary
compatibility. The code can be simplified now SSL is opaque by always
using a malloced buffer.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2733)
Set default validity flags if signature algorithms extension
is not present. Preserve flags when checking chains.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2679)
For client auth call tls_choose_sigalg to select the certificate
and signature algorithm. Use the selected algorithm in
tls_construct_cert_verify.
Remove obsolete tls12_get_sigandhash.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2643)
Select appropriate signature algorithm and certificate for client
authentication using tls_choose_sigalg.
A lot of selection logic is very similar except not finding a
certificate is not a fatal error: we just do not present a
certificate.
For TLS 1.2 and earlier we only check the current certificate
is suitable (for compatibility with previous logic) for TLS 1.3
(where there are no compatibility issues) we support multiple
client certificates for different algorithms.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2643)
Now the certificate and signature algorithm is set in one place we
can use it directly insetad of recalculating it. The old functions
ssl_get_server_send_pkey() and ssl_get_server_cert_index() are no
longer required.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
Update tls_choose_sigalg to choose a signature algorithm for all
versions of TLS not just 1.3.
For TLS 1.2 we choose the highest preference signature algorithm
for the chosen ciphersuite.
For TLS 1.1 and earlier the signature algorithm is determined by
the ciphersuite alone. For RSA we use a special MD5+SHA1 signature
algorithm.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
The original intent of SSL_PKEY_RSA_SIGN and SSL_PKEY_RSA_ENC was to
support two different keys for RSA signing and decrypt. However this
was never implemented and we only ever set one key and the other was
always NULL. Replace with single SSL_PKEY_RSA type.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2587)
