path: root/ssl/t1_lib.c
Commit log (each entry: commit message title, author, date, files changed, lines removed/added):
* Fix EAP-FAST
  Matt Caswell, 2018-06-07, 1 file, -5/+7

  Commit 61fb59238d broke EAP-FAST support. This fixes it.

  Fixes #6395

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/6428)
* Send GOST SignatureAlgorithms when TLS 1.2 in use
  Dmitry Belyavskiy, 2018-05-30, 1 file, -1/+6

  Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/6168)
* Bugfix: GOST2012 certificates for GOST ciphersuites were broken.
  Dmitry Belyavskiy, 2018-05-30, 1 file, -0/+15

  Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/6168)
* Set sess to NULL after freeing it.
  Kurt Roeckx, 2018-05-12, 1 file, -0/+1

  Found by OSS-fuzz

  Bug introduced in commit 61fb59238dad6452a37ec14513fae617a4faef29

  Reviewed-by: Matt Caswell <matt@openssl.org>
  GH: #6235
* Rework the decrypt ticket callback
  Matt Caswell, 2018-05-11, 1 file, -46/+84

  Don't call the decrypt ticket callback if we've already encountered a
  fatal error. Do call it if we have an empty ticket present.

  Change the return code to have 5 distinct return codes and separate it
  from the input status value.

  Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/6198)
* Fix ticket callbacks in TLSv1.3
  Matt Caswell, 2018-05-11, 1 file, -77/+66

  The return value from the ticket_key callback was not properly handled in
  TLSv1.3, so that a ticket was *always* renewed even if the callback
  requested that it should not be.

  Also the ticket decrypt callback was not being called at all in TLSv1.3.

  Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/6198)
* Fix the MAX_CURVELIST definition
  Matt Caswell, 2018-04-25, 1 file, -1/+1

  The MAX_CURVELIST macro defines the total number of in-built SSL/TLS
  curves that we support. However it has not been updated as new curves
  are added.

  Fixes #5232

  Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
  (Merged from https://github.com/openssl/openssl/pull/6065)
* Allow TLSv1.3 EC certs to use compressed points
  Matt Caswell, 2018-04-24, 1 file, -7/+7

  The spec does not prohibit certs from using compressed points. It only
  requires that points in a key share are uncompressed. It says nothing
  about point compression for certs, so we should not fail if a cert uses
  a compressed point.

  Fixes #5743

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
  (Merged from https://github.com/openssl/openssl/pull/6055)
* Set error code on alloc failures
  Rich Salz, 2018-04-03, 1 file, -10/+16

  Almost all *alloc failures now set an error code.

  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  (Merged from https://github.com/openssl/openssl/pull/5842)
* Tolerate a Certificate using a non-supported group on server side
  Matt Caswell, 2018-03-28, 1 file, -9/+15

  If a server has been configured to use an ECDSA certificate, we should
  allow it regardless of whether the server's own supported groups list
  includes the certificate's group.

  Fixes #2033

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
  (Merged from https://github.com/openssl/openssl/pull/5601)
* Place ticket keys into secure memory
  Todd Short, 2018-03-19, 1 file, -3/+3

  Place the session ticket AES and HMAC keys into secure memory.

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/2351)
* Always call the new_session_cb when issuing a NewSessionTicket in TLSv1.3
  Matt Caswell, 2018-03-19, 1 file, -3/+4

  Conceptually in TLSv1.3 there can be multiple sessions associated with a
  single connection. Each NewSessionTicket issued can be considered a
  separate session. We can end up issuing multiple NewSessionTickets on a
  single connection at the moment (e.g. in a post-handshake auth
  scenario). Each of those issued tickets should have the new_session_cb
  called, it should go into the session cache separately and it should
  have a unique id associated with it (so that they can be found
  individually in the cache).

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/5644)
* Session Ticket app data
  Todd Short, 2018-03-12, 1 file, -30/+54

  Adds application data into the encrypted session ticket

  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/3802)
* Add X448/Ed448 support to libssl
  Matt Caswell, 2018-03-05, 1 file, -1/+9

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
  (Merged from https://github.com/openssl/openssl/pull/5470)
* Sanity check the ticket length before using key name/IV
  Matt Caswell, 2018-02-21, 1 file, -6/+12

  This could in theory result in an overread - but due to the over
  allocation of the underlying buffer does not represent a security issue.

  Thanks to Fedor Indutny for reporting this issue.

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  Reviewed-by: Ben Kaduk <kaduk@mit.edu>
  (Merged from https://github.com/openssl/openssl/pull/5414)
* The function ssl_get_min_max_version() can fail
  Matt Caswell, 2018-02-12, 1 file, -2/+5

  We should always check the return code.

  This fixes a coverity issue.

  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/5308)
* Fix uninitialized read in sigalg parsing code
  Benjamin Kaduk, 2018-01-25, 1 file, -1/+1

  The check for a duplicate value was reading one entry past where it was
  supposed to, getting an uninitialized value.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/5172)
* Add support for the TLS 1.3 signature_algorithms_cert extension
  Benjamin Kaduk, 2018-01-25, 1 file, -45/+63

  The new extension is like signature_algorithms, but only for the
  signature *on* the certificate we will present to the peer (the old
  signature_algorithms extension is still used for signatures that we
  *generate*, i.e., those over TLS data structures).

  We do not need to generate this extension, since we are the same
  implementation as our X.509 stack and can handle the same types of
  signatures, but we need to be prepared to receive it, and use the
  received information when selecting what certificate to present.

  There is a lot of interplay between signature_algorithms_cert and
  signature_algorithms, since both affect what certificate we can use, and
  thus the resulting signature algorithm used for TLS messages. So, apply
  signature_algorithms_cert (if present) as a filter on what certificates
  we can consider when choosing a certificate+sigalg pair.

  As part of this addition, we also remove the fallback code that let keys
  of type EVP_PKEY_RSA be used to generate RSA-PSS signatures -- the new
  rsa_pss_pss_* and rsa_pss_rsae_* signature schemes have pulled the key
  type into what is covered by the signature algorithm, so we should not
  apply this sort of compatibility workaround.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/5068)
* Propagate TLS 1.3 sigalgs through tls1_set_sigalgs()
  Benjamin Kaduk, 2018-01-25, 1 file, -14/+55

  Our historical SSL{,_CTX}_set_sigalgs() APIs take an array of NID pairs
  (hash and signature), and our parser for manually specifying unified
  sigalgs (that do not necessarily correspond to an actual signature+hash
  pair) was transiting via (the implementation of) this historical API.

  The TLS 1.3 draft-23 has introduced signature schemes that have identical
  signature type and hash type, differing only in the (RSA) public key
  OID, which prevents the rsa_pss_pss_* schemes from being properly
  identified and sent on the wire.

  To fix the issue, parse sigalg strings directly into SIGALG_LOOKUP
  objects, and pass around an array of uint16 wire protocol values instead
  of NID pairs. The old interface is retained for API compatibility but
  will become less and less useful with time.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/5068)
* Add TLS 1.3 draft-23 PSS signature algorithms
  Benjamin Kaduk, 2018-01-25, 1 file, -6/+18

  We now have a split in the signature algorithms codepoint space for
  whether the certificate's key is for rsaEncryption or a PSS-specific
  key, which should let us get rid of some special-casing that we
  previously needed to try to coax rsaEncryption keys into performing PSS.
  (This will be done in a subsequent commit.)

  Send the new PSS-with-PSS-specific key first in our list, so that we
  prefer the new technology to the old one.

  We need to update the expected certificate type in one test, since the
  "RSA-PSS+SHA256" form now corresponds to a public key of type
  rsaEncryption, so we should expect the server certificate type to be
  just "RSA". If we want to get a server certificate type of "RSA-PSS", we
  need to use a new signature algorithm that cannot be represented as
  signature+hash, so add a test for that as well.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/5068)
* Update copyright years on all files merged since Jan 1st 2018
  Richard Levitte, 2018-01-09, 1 file, -1/+1

  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/5038)
* Use the index that matches the key type (either SSL_PKEY_RSA_PSS_SIGN or SSL_PKEY_RSA).
  Noah Robbin, 2018-01-08, 1 file, -4/+23

  Extract the RSA key using EVP_PKEY_get0. Type is checked externally to
  be either EVP_PKEY_RSA_PSS or EVP_PKEY_RSA.

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/4389)
* Use size of server key when selecting signature algorithm.
  Noah Robbin, 2018-01-08, 1 file, -0/+34

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/4389)
* Convert the state machine code to use SSLfatal()
  Matt Caswell, 2017-12-04, 1 file, -40/+49

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/4778)
* Resolve warnings in VC-WIN32 build, which allows to add /WX.
  Andy Polyakov, 2017-11-13, 1 file, -1/+1

  It's argued that /WX allows to keep better focus on new code, which
  motivates its comeback...

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/4721)
* Implement Maximum Fragment Length TLS extension.
  FdaSilvaYY, 2017-11-05, 1 file, -0/+31

  Based on patch from Tomasz Moń:
  https://groups.google.com/forum/#!topic/mailing.openssl.dev/fQxXvCg1uQY

  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
  (Merged from https://github.com/openssl/openssl/pull/1008)
* Various clean-ups
  KaoruToda, 2017-10-20, 1 file, -2/+4

  Add a check for NULL return in t1_lib.c.

  Since return type of ssl_cert_lookup_by_idx is pointer and unify coding
  style, I changed from zero to NULL in ssl_cert.c.

  Remove unnecessary space for ++.

  Fix incorrect condition. Expression is always false because 'else if'
  condition matches previous condition. Since the next line of 'else if'
  condition has substituted TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2,
  the 'else if' condition should compare with
  NID_X9_62_characteristic_two_field.

  Reviewed-by: Andy Polyakov <appro@openssl.org>
  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/4562)
* Merge tls1_check_curve into tls1_check_group_id
  Dr. Stephen Henson, 2017-10-06, 1 file, -31/+19

  The function tls_check_curve is only called on clients and contains
  almost identical functionality to tls1_check_group_id when called from a
  client. Merge the two.

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/4475)
* Change curves to groups where relevant
  Dr. Stephen Henson, 2017-10-06, 1 file, -3/+3

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/4475)
* Use separate functions for supported and peer groups lists
  Dr. Stephen Henson, 2017-10-06, 1 file, -35/+26

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/4475)
* Add and use function tls1_in_list to avoid code duplication.
  Dr. Stephen Henson, 2017-09-26, 1 file, -30/+30

  [extended tests]

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/=4412)
* Use tls1_group_id_lookup in tls1_curve_allowed
  Dr. Stephen Henson, 2017-09-26, 1 file, -5/+3

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/=4412)
* Rename tls1_get_curvelist.
  Dr. Stephen Henson, 2017-09-26, 1 file, -41/+35

  Rename tls1_get_curvelist to tls1_get_grouplist, change to void as it
  can never fail and remove unnecessary return value checks. Clean up the
  code.

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/=4412)
* Rewrite compression and group checks.
  Dr. Stephen Henson, 2017-09-26, 1 file, -134/+122

  Replace existing compression and groups check with two functions.

  tls1_check_pkey_comp() checks a key's compression algorithms are
  consistent with extensions.

  tls1_check_group_id() checks if a group is consistent with extensions
  and preferences.

  Rename tls1_ec_nid2curve_id() to tls1_nid2group_id() and make it static.

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/=4412)
* Replace tls1_ec_curve_id2nid.
  Dr. Stephen Henson, 2017-09-26, 1 file, -7/+3

  Replace tls1_ec_curve_id2nid() with tls_group_id_lookup() which returns
  the TLS_GROUP_INFO for the group.

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/=4412)
* Rename tls_curve_info to TLS_GROUP_INFO, move to ssl_locl.h
  Dr. Stephen Henson, 2017-09-26, 1 file, -9/+3

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/=4412)
* Return group id in tls1_shared_group
  Dr. Stephen Henson, 2017-09-26, 1 file, -17/+14

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/=4412)
* Return correct Suite B curve, fix comment.
  Dr. Stephen Henson, 2017-09-26, 1 file, -2/+2

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/=4412)
* Use curve_id not the nid
  Kurt Roeckx, 2017-09-23, 1 file, -4/+4

  Found by OSS-Fuzz and the tests

  Reviewed-by: Andy Polyakov <appro@openssl.org>
  GH: #4410
* Store groups as uint16_t
  Dr. Stephen Henson, 2017-09-22, 1 file, -100/+101

  Instead of storing supported groups in on-the-wire format store them as
  parsed uint16_t values. This simplifies handling of groups as the values
  can be directly used instead of being converted.

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/4406)
* Fix strict-warnings build
  Patrick Steuer, 2017-09-21, 1 file, -1/+1

  Compilation failed due to -Werror=misleading-indentation.

  Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
  Reviewed-by: Rich Salz <rsalz@openssl.org>
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  Reviewed-by: Ben Kaduk <kaduk@mit.edu>
  (Merged from https://github.com/openssl/openssl/pull/4395)
* Allow RSA certificates to be used for RSA-PSS
  Dr. Stephen Henson, 2017-09-20, 1 file, -10/+30

  Allow RSA certificates to be used for RSA-PSS signatures: this needs to
  be explicit because RSA and RSA-PSS certificates are now distinct types.

  Reviewed-by: Ben Kaduk <kaduk@mit.edu>
  (Merged from https://github.com/openssl/openssl/pull/4368)
* Add RSA-PSS key certificate type.
  Dr. Stephen Henson, 2017-09-20, 1 file, -0/+2

  Recognise RSA-PSS certificate algorithm and add a new certificate type.

  Reviewed-by: Ben Kaduk <kaduk@mit.edu>
  (Merged from https://github.com/openssl/openssl/pull/4368)
* e_os.h removal from other headers and source files.
  Pauli, 2017-08-30, 1 file, -1/+2

  Removed e_os.h from all bar three headers (apps/apps.h
  crypto/bio/bio_lcl.h and ssl/ssl_locl.h).

  Added e_os.h into the files that need it now.

  Directly reference internal/nelem.h when required.

  Reviewed-by: Andy Polyakov <appro@openssl.org>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/4188)
* Use cert tables in ssl_set_sig_mask
  Dr. Stephen Henson, 2017-07-13, 1 file, -33/+12

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/3858)
* Use certificate tables instead of ssl_cert_type
  Dr. Stephen Henson, 2017-07-13, 1 file, -4/+10

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/3858)
* Use certificate tables instead of ssl_cipher_get_cert_index.
  Dr. Stephen Henson, 2017-07-13, 1 file, -64/+51

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/3858)
* Replace tls12_get_pkey_idx
  Dr. Stephen Henson, 2017-07-13, 1 file, -40/+3

  The function tls12_get_pkey_idx is only used to see if a certificate
  index is enabled: call ssl_cert_is_disabled instead.

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/3858)
* Update SSL_export_keying_material() for TLSv1.3
  Matt Caswell, 2017-06-29, 1 file, -1/+1

  Fixes #3680

  Reviewed-by: Rich Salz <rsalz@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/3782)
* Disallow DSA/SHA1/etc. for pure TLS 1.3 ClientHellos
  Benjamin Kaduk, 2017-06-24, 1 file, -0/+6

  In draft-ietf-tls-tls13-20 Appendix B we find that:

      This section describes protocol types and constants. Values listed
      as _RESERVED were used in previous versions of TLS and are listed
      here for completeness. TLS 1.3 implementations MUST NOT send them
      but might receive them from older TLS implementations.

  Similarly, in section 4.2.3 we see:

      Legacy algorithms Indicates algorithms which are being deprecated
      because they use algorithms with known weaknesses, specifically
      SHA-1 which is used in this context with either with RSA using
      RSASSA-PKCS1-v1_5 or ECDSA. These values refer solely to signatures
      which appear in certificates (see Section 4.4.2.2) and are not
      defined for use in signed TLS handshake messages. Endpoints SHOULD
      NOT negotiate these algorithms but are permitted to do so solely
      for backward compatibility. Clients offering these values MUST list
      them as the lowest priority (listed after all other algorithms in
      SignatureSchemeList). TLS 1.3 servers MUST NOT offer a SHA-1 signed
      certificate unless no valid certificate chain can be produced
      without it (see Section 4.4.2.2).

  However, we are currently sending the SHA2-based DSA signature schemes
  and many SHA1-based schemes, which is in contradiction with the
  specification.

  Because TLS 1.3 support will appear in OpenSSL 1.1, we are bound by
  stability requirements to continue to offer the DSA signature schemes
  and the deprecated hash algorithms, at least until OpenSSL 1.2. However,
  for pure TLS 1.3 clients that do not offer lower TLS versions, we can be
  compliant. Do so, and leave a note to revisit the issue when we are
  permitted to break with sacred historical tradition.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/3326)