2016-05-18 02:18:30 +08:00
|
|
|
/*
|
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.
Update SSL_CTX_set_verify()/SSL_set_verify() mode:
* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.
* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.
Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options
Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha
Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code
Update documentation
Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests
DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error
Update handshake context to deal with PHA.
The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.
After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.
This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2017-12-19 05:52:28 +08:00
|
|
|
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
2015-09-11 18:23:20 +08:00
|
|
|
*
|
2016-05-18 02:18:30 +08:00
|
|
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
* https://www.openssl.org/source/license.html
|
2015-09-11 18:23:20 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
/*****************************************************************************
|
|
|
|
* *
|
|
|
|
* The following definitions are PRIVATE to the state machine. They should *
|
|
|
|
* NOT be used outside of the state machine. *
|
|
|
|
* *
|
|
|
|
*****************************************************************************/
|
|
|
|
|
|
|
|
/* Max message length definitions */
|
|
|
|
|
|
|
|
/* The spec allows for a longer length than this, but we limit it */
|
|
|
|
#define HELLO_VERIFY_REQUEST_MAX_LENGTH 258
|
2017-03-09 23:03:07 +08:00
|
|
|
#define END_OF_EARLY_DATA_MAX_LENGTH 0
|
2015-09-11 18:23:20 +08:00
|
|
|
#define SERVER_HELLO_MAX_LENGTH 20000
|
2017-02-01 21:31:27 +08:00
|
|
|
#define HELLO_RETRY_REQUEST_MAX_LENGTH 20000
|
2016-11-23 23:20:22 +08:00
|
|
|
#define ENCRYPTED_EXTENSIONS_MAX_LENGTH 20000
|
2015-09-11 18:23:20 +08:00
|
|
|
#define SERVER_KEY_EXCH_MAX_LENGTH 102400
|
|
|
|
#define SERVER_HELLO_DONE_MAX_LENGTH 0
|
2017-02-09 20:07:31 +08:00
|
|
|
#define KEY_UPDATE_MAX_LENGTH 1
|
2015-09-11 18:23:20 +08:00
|
|
|
#define CCS_MAX_LENGTH 1
|
|
|
|
/* Max should actually be 36 but we are generous */
|
|
|
|
#define FINISHED_MAX_LENGTH 64
|
|
|
|
|
2017-02-14 19:20:44 +08:00
|
|
|
/* The maximum number of incoming KeyUpdate messages we will accept */
|
|
|
|
#define MAX_KEY_UPDATE_MESSAGES 32
|
|
|
|
|
2017-02-27 19:19:57 +08:00
|
|
|
/* Dummy message type */
|
|
|
|
#define SSL3_MT_DUMMY -1
|
|
|
|
|
2017-12-05 18:14:35 +08:00
|
|
|
extern const unsigned char hrrrandom[];
|
|
|
|
|
2015-09-11 18:23:20 +08:00
|
|
|
/* Message processing return codes */
|
2015-10-26 19:46:33 +08:00
|
|
|
typedef enum {
|
2015-09-11 18:23:20 +08:00
|
|
|
/* Something bad happened */
|
|
|
|
MSG_PROCESS_ERROR,
|
|
|
|
/* We've finished reading - swap to writing */
|
|
|
|
MSG_PROCESS_FINISHED_READING,
|
|
|
|
/*
|
|
|
|
* We've completed the main processing of this message but there is some
|
|
|
|
* post processing to be done.
|
|
|
|
*/
|
|
|
|
MSG_PROCESS_CONTINUE_PROCESSING,
|
|
|
|
/* We've finished this message - read the next message */
|
|
|
|
MSG_PROCESS_CONTINUE_READING
|
2015-10-26 19:46:33 +08:00
|
|
|
} MSG_PROCESS_RETURN;
|
2015-09-11 18:23:20 +08:00
|
|
|
|
2016-10-03 22:35:17 +08:00
|
|
|
typedef int (*confunc_f) (SSL *s, WPACKET *pkt);
|
|
|
|
|
2018-02-08 22:48:51 +08:00
|
|
|
int ssl3_take_mac(SSL *s);
|
2017-09-22 23:06:52 +08:00
|
|
|
int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
|
2017-02-02 01:10:45 +08:00
|
|
|
size_t num_groups, int checkallow);
|
2017-09-11 22:43:56 +08:00
|
|
|
int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
|
|
|
|
size_t hashlen, const unsigned char *hrr,
|
|
|
|
size_t hrrlen);
|
2017-11-22 01:18:43 +08:00
|
|
|
int parse_ca_names(SSL *s, PACKET *pkt);
|
2017-03-09 02:17:17 +08:00
|
|
|
int construct_ca_names(SSL *s, WPACKET *pkt);
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
|
2017-06-17 02:23:47 +08:00
|
|
|
const void *param, size_t paramlen);
|
2017-03-09 02:17:17 +08:00
|
|
|
|
2015-09-11 18:23:20 +08:00
|
|
|
/*
|
|
|
|
* TLS/DTLS client state machine functions
|
|
|
|
*/
|
2015-10-26 19:54:17 +08:00
|
|
|
int ossl_statem_client_read_transition(SSL *s, int mt);
|
|
|
|
WRITE_TRAN ossl_statem_client_write_transition(SSL *s);
|
|
|
|
WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst);
|
|
|
|
WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst);
|
2016-09-30 18:17:57 +08:00
|
|
|
int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt,
|
2016-10-03 22:35:17 +08:00
|
|
|
confunc_f *confunc, int *mt);
|
2016-09-06 19:05:25 +08:00
|
|
|
size_t ossl_statem_client_max_message_size(SSL *s);
|
2015-10-26 19:54:17 +08:00
|
|
|
MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt);
|
|
|
|
WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst);
|
2015-09-11 18:23:20 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* TLS/DTLS server state machine functions
|
|
|
|
*/
|
2015-10-26 19:54:17 +08:00
|
|
|
int ossl_statem_server_read_transition(SSL *s, int mt);
|
|
|
|
WRITE_TRAN ossl_statem_server_write_transition(SSL *s);
|
|
|
|
WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst);
|
|
|
|
WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst);
|
2016-09-30 18:17:57 +08:00
|
|
|
int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
|
2016-10-03 22:35:17 +08:00
|
|
|
confunc_f *confunc,int *mt);
|
2016-09-06 19:05:25 +08:00
|
|
|
size_t ossl_statem_server_max_message_size(SSL *s);
|
2015-10-26 19:54:17 +08:00
|
|
|
MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt);
|
|
|
|
WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst);
|
2015-09-11 18:23:20 +08:00
|
|
|
|
|
|
|
/* Functions for getting new message data */
|
|
|
|
__owur int tls_get_message_header(SSL *s, int *mt);
|
2016-09-06 19:05:25 +08:00
|
|
|
__owur int tls_get_message_body(SSL *s, size_t *len);
|
|
|
|
__owur int dtls_get_message(SSL *s, int *mt, size_t *len);
|
2015-09-11 18:23:20 +08:00
|
|
|
|
|
|
|
/* Message construction and processing functions */
|
2017-11-22 01:18:43 +08:00
|
|
|
__owur int tls_process_initial_server_flight(SSL *s);
|
2015-10-26 19:46:33 +08:00
|
|
|
__owur MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt);
|
|
|
|
__owur MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt);
|
2016-09-30 06:28:29 +08:00
|
|
|
__owur int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt);
|
|
|
|
__owur int dtls_construct_change_cipher_spec(SSL *s, WPACKET *pkt);
|
2015-09-11 18:23:20 +08:00
|
|
|
|
2016-09-30 17:50:57 +08:00
|
|
|
__owur int tls_construct_finished(SSL *s, WPACKET *pkt);
|
2017-02-08 17:15:22 +08:00
|
|
|
__owur int tls_construct_key_update(SSL *s, WPACKET *pkt);
|
2017-02-09 20:07:31 +08:00
|
|
|
__owur MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt);
|
2017-11-27 23:20:06 +08:00
|
|
|
__owur WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs,
|
|
|
|
int stop);
|
2015-10-26 19:46:33 +08:00
|
|
|
__owur WORK_STATE dtls_wait_for_dry(SSL *s);
|
2015-09-11 18:23:20 +08:00
|
|
|
|
|
|
|
/* some client-only functions */
|
2016-09-30 06:28:29 +08:00
|
|
|
__owur int tls_construct_client_hello(SSL *s, WPACKET *pkt);
|
2015-10-26 19:46:33 +08:00
|
|
|
__owur MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt);
|
|
|
|
__owur MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt);
|
|
|
|
__owur MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt);
|
2017-11-22 01:18:43 +08:00
|
|
|
__owur int tls_process_cert_status_body(SSL *s, PACKET *pkt);
|
2015-10-26 19:46:33 +08:00
|
|
|
__owur MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt);
|
|
|
|
__owur MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt);
|
2016-12-05 22:59:25 +08:00
|
|
|
__owur int tls_construct_cert_verify(SSL *s, WPACKET *pkt);
|
2015-10-26 19:46:33 +08:00
|
|
|
__owur WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst);
|
2016-09-30 06:28:29 +08:00
|
|
|
__owur int tls_construct_client_certificate(SSL *s, WPACKET *pkt);
|
2015-09-11 18:23:20 +08:00
|
|
|
__owur int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
|
2016-09-30 06:28:29 +08:00
|
|
|
__owur int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt);
|
2015-09-11 18:23:20 +08:00
|
|
|
__owur int tls_client_key_exchange_post_work(SSL *s);
|
2016-12-02 22:46:54 +08:00
|
|
|
__owur int tls_construct_cert_status_body(SSL *s, WPACKET *pkt);
|
2016-09-30 06:28:29 +08:00
|
|
|
__owur int tls_construct_cert_status(SSL *s, WPACKET *pkt);
|
2016-08-06 01:03:17 +08:00
|
|
|
__owur MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt);
|
2015-10-26 19:46:33 +08:00
|
|
|
__owur MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt);
|
2015-09-11 18:23:20 +08:00
|
|
|
__owur int ssl3_check_cert_and_algorithm(SSL *s);
|
2016-08-06 01:03:17 +08:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2016-09-30 06:28:29 +08:00
|
|
|
__owur int tls_construct_next_proto(SSL *s, WPACKET *pkt);
|
2016-08-06 01:03:17 +08:00
|
|
|
#endif
|
2017-01-11 07:02:28 +08:00
|
|
|
__owur MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt);
|
2015-10-26 19:46:33 +08:00
|
|
|
__owur MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt);
|
2017-03-09 23:03:07 +08:00
|
|
|
__owur int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt);
|
2015-09-11 18:23:20 +08:00
|
|
|
|
|
|
|
/* some server-only functions */
|
2015-10-26 19:46:33 +08:00
|
|
|
__owur MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt);
|
|
|
|
__owur WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst);
|
2016-09-30 06:28:29 +08:00
|
|
|
__owur int tls_construct_server_hello(SSL *s, WPACKET *pkt);
|
|
|
|
__owur int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt);
|
|
|
|
__owur int tls_construct_server_certificate(SSL *s, WPACKET *pkt);
|
|
|
|
__owur int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt);
|
|
|
|
__owur int tls_construct_certificate_request(SSL *s, WPACKET *pkt);
|
|
|
|
__owur int tls_construct_server_done(SSL *s, WPACKET *pkt);
|
2015-10-26 19:46:33 +08:00
|
|
|
__owur MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt);
|
|
|
|
__owur MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt);
|
|
|
|
__owur WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst);
|
|
|
|
__owur MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt);
|
2016-08-06 01:03:17 +08:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2015-10-26 19:46:33 +08:00
|
|
|
__owur MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt);
|
2016-08-06 01:03:17 +08:00
|
|
|
#endif
|
2016-09-30 06:28:29 +08:00
|
|
|
__owur int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt);
|
2017-03-09 23:03:07 +08:00
|
|
|
MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt);
|
2016-11-25 00:59:48 +08:00
|
|
|
|
2016-11-28 17:31:59 +08:00
|
|
|
|
|
|
|
/* Extension processing */
|
|
|
|
|
2017-05-17 17:31:46 +08:00
|
|
|
typedef enum ext_return_en {
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN_FAIL,
|
|
|
|
EXT_RETURN_SENT,
|
|
|
|
EXT_RETURN_NOT_SENT
|
|
|
|
} EXT_RETURN;
|
|
|
|
|
2017-11-04 00:38:48 +08:00
|
|
|
__owur int tls_validate_all_contexts(SSL *s, unsigned int thisctx,
|
|
|
|
RAW_EXTENSION *exts);
|
2017-04-05 18:59:23 +08:00
|
|
|
__owur int extension_is_relevant(SSL *s, unsigned int extctx,
|
|
|
|
unsigned int thisctx);
|
2016-11-28 17:31:59 +08:00
|
|
|
__owur int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
RAW_EXTENSION **res, size_t *len, int init);
|
2016-12-08 19:42:38 +08:00
|
|
|
__owur int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
RAW_EXTENSION *exts, X509 *x, size_t chainidx);
|
2016-11-25 02:25:10 +08:00
|
|
|
__owur int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx, int fin);
|
2017-04-05 18:59:23 +08:00
|
|
|
__owur int should_add_extension(SSL *s, unsigned int extctx,
|
|
|
|
unsigned int thisctx, int max_version);
|
2016-11-25 02:25:10 +08:00
|
|
|
__owur int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-25 06:54:59 +08:00
|
|
|
|
2017-01-19 00:28:23 +08:00
|
|
|
__owur int tls_psk_do_binder(SSL *s, const EVP_MD *md,
|
|
|
|
const unsigned char *msgstart,
|
|
|
|
size_t binderoffset, const unsigned char *binderin,
|
|
|
|
unsigned char *binderout,
|
2017-06-12 16:18:24 +08:00
|
|
|
SSL_SESSION *sess, int sign, int external);
|
2017-01-19 00:28:23 +08:00
|
|
|
|
2016-11-25 06:54:59 +08:00
|
|
|
/* Server Extension processing */
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2017-11-06 00:46:48 +08:00
|
|
|
int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-25 06:54:59 +08:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-25 06:54:59 +08:00
|
|
|
#endif
|
2017-02-21 00:35:03 +08:00
|
|
|
int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-25 06:54:59 +08:00
|
|
|
#ifndef OPENSSL_NO_EC
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidxl);
|
2016-11-25 06:54:59 +08:00
|
|
|
#endif
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
Add support for the TLS 1.3 signature_algorithms_cert extension
The new extension is like signature_algorithms, but only for the
signature *on* the certificate we will present to the peer (the
old signature_algorithms extension is still used for signatures that
we *generate*, i.e., those over TLS data structures).
We do not need to generate this extension, since we are the same
implementation as our X.509 stack and can handle the same types
of signatures, but we need to be prepared to receive it, and use the received
information when selecting what certificate to present.
There is a lot of interplay between signature_algorithms_cert and
signature_algorithms, since both affect what certificate we can
use, and thus the resulting signature algorithm used for TLS messages.
So, apply signature_algorithms_cert (if present) as a filter on what
certificates we can consider when choosing a certificate+sigalg
pair.
As part of this addition, we also remove the fallback code that let
keys of type EVP_PKEY_RSA be used to generate RSA-PSS signatures -- the
new rsa_pss_pss_* and rsa_pss_rsae_* signature schemes have pulled
the key type into what is covered by the signature algorithm, so
we should not apply this sort of compatibility workaround.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5068)
2018-01-12 01:47:12 +08:00
|
|
|
int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
|
|
|
|
X509 *x, size_t chainidx);
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#endif
|
2016-11-25 06:54:59 +08:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-25 06:54:59 +08:00
|
|
|
#endif
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-25 06:54:59 +08:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-25 06:54:59 +08:00
|
|
|
#endif
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-09-11 22:43:56 +08:00
|
|
|
int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
|
|
|
size_t chainidx);
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.
Update SSL_CTX_set_verify()/SSL_set_verify() mode:
* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.
* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.
Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options
Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha
Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code
Update documentation
Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests
DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error
Update handshake context to deal with PHA.
The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.
After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.
This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2017-12-19 05:52:28 +08:00
|
|
|
int tls_parse_ctos_post_handshake_auth(SSL *, PACKET *pkt, unsigned int context,
|
|
|
|
X509 *x, size_t chainidx);
|
2016-11-25 18:22:02 +08:00
|
|
|
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-11-06 00:46:48 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#ifndef OPENSSL_NO_EC
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#endif
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#endif
|
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#endif
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#endif
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2017-11-04 00:38:48 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
|
|
|
size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-09-11 22:43:56 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
|
|
|
|
X509 *x, size_t chainidx);
|
2016-11-25 18:22:02 +08:00
|
|
|
/*
|
|
|
|
* Not in public headers as this is not an official extension. Only used when
|
|
|
|
* SSL_OP_CRYPTOPRO_TLSEXT_BUG is set.
|
|
|
|
*/
|
|
|
|
#define TLSEXT_TYPE_cryptopro_bug 0xfde8
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-25 20:34:29 +08:00
|
|
|
|
|
|
|
/* Client Extension processing */
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2017-11-06 00:46:48 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#endif
|
|
|
|
#ifndef OPENSSL_NO_EC
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#endif
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#endif
|
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#endif
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#endif
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#ifndef OPENSSL_NO_CT
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#endif
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
|
|
|
|
unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-05-09 20:44:25 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.
Update SSL_CTX_set_verify()/SSL_set_verify() mode:
* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.
* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.
Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options
Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha
Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code
Update documentation
Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests
DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error
Update handshake context to deal with PHA.
The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.
After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.
This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2017-12-19 05:52:28 +08:00
|
|
|
EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt, unsigned int context,
|
|
|
|
X509 *x, size_t chainidx);
|
|
|
|
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2017-02-23 19:53:12 +08:00
|
|
|
int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2017-11-06 00:46:48 +08:00
|
|
|
int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-25 20:34:29 +08:00
|
|
|
#ifndef OPENSSL_NO_EC
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-25 20:34:29 +08:00
|
|
|
#endif
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
|
2017-11-22 01:18:43 +08:00
|
|
|
X509 *x, size_t chainidx);
|
2016-11-26 00:28:02 +08:00
|
|
|
#endif
|
2016-11-25 20:34:29 +08:00
|
|
|
#ifndef OPENSSL_NO_CT
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-25 20:34:29 +08:00
|
|
|
#endif
|
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-25 20:34:29 +08:00
|
|
|
#endif
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-25 20:34:29 +08:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2016-11-25 20:34:29 +08:00
|
|
|
#endif
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-11-04 00:38:48 +08:00
|
|
|
int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
|
|
|
|
X509 *x, size_t chainidx);
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-03-03 01:37:03 +08:00
|
|
|
int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-02-01 01:00:12 +08:00
|
|
|
int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
2017-11-22 01:18:43 +08:00
|
|
|
size_t chainidx);
|
2017-08-01 22:45:29 +08:00
|
|
|
|
2017-11-22 01:18:43 +08:00
|
|
|
int tls_handle_alpn(SSL *s);
|
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.
Update SSL_CTX_set_verify()/SSL_set_verify() mode:
* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.
* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.
Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options
Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha
Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code
Update documentation
Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests
DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error
Update handshake context to deal with PHA.
The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.
After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.
This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2017-12-19 05:52:28 +08:00
|
|
|
|
|
|
|
int tls13_save_handshake_digest_for_pha(SSL *s);
|
|
|
|
int tls13_restore_handshake_digest_for_pha(SSL *s);
|