Commit Graph

573 Commits

Author SHA1 Message Date
Dr. Stephen Henson
6447e8184c Merge tls1_check_curve into tls1_check_group_id
The function tls_check_curve is only called on clients and contains
almost identical functionaity to tls1_check_group_id when called from
a client. Merge the two.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)
2017-10-06 19:09:51 +01:00
Dr. Stephen Henson
f48d826e33 Change curves to groups where relevant
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)
2017-10-06 13:23:45 +01:00
Dr. Stephen Henson
ff6d20a67b Use separate functions for supported and peer groups lists
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)
2017-10-06 13:23:45 +01:00
Dr. Stephen Henson
b50951d36c Add and use function tls1_in_list to avoid code duplication.
[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
2017-09-26 13:00:26 +01:00
Dr. Stephen Henson
5ce5f787e3 Use tls1_group_id_lookup in tls1_curve_allowed
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
2017-09-26 13:00:26 +01:00
Dr. Stephen Henson
34e5292c57 Rename tls1_get_curvelist.
Rename tls1_get_curvelist to tls1_get_grouplist, change to void as
it can never fail and remove unnecessary return value checks. Clean
up the code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
2017-09-26 13:00:26 +01:00
Dr. Stephen Henson
4a1b428019 Rewrite compression and group checks.
Replace existing compression and groups check with two functions.

tls1_check_pkey_comp() checks a keys compression algorithms is consistent
with extensions.

tls1_check_group_id() checks is a group is consistent with extensions
and preferences.

Rename tls1_ec_nid2curve_id() to tls1_nid2group_id() and make it static.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
2017-09-26 13:00:26 +01:00
Dr. Stephen Henson
43b95d7365 Replace tls1_ec_curve_id2nid.
Replace tls1_ec_curve_id2nid() with tls_group_id_lookup() which returns
the TLS_GROUP_INFO for the group.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
2017-09-26 13:00:26 +01:00
Dr. Stephen Henson
0e464d9ddd Rename tls_curve_info to TLS_GROUP_INFO, move to ssl_locl.h
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
2017-09-26 13:00:26 +01:00
Dr. Stephen Henson
8841154a90 Return group id in tls1_shared_group
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
2017-09-26 13:00:26 +01:00
Dr. Stephen Henson
1483b8582c Return correct Suite B curve, fix comment.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
2017-09-26 13:00:26 +01:00
Kurt Roeckx
9b01779cbf Use curve_id not the nid
Found by OSS-Fuzz and the tests

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #4410
2017-09-23 17:20:04 +02:00
Dr. Stephen Henson
9e84a42db4 Store groups as uint16_t
Instead of storing supported groups in on-the-wire format store
them as parsed uint16_t values. This simplifies handling of groups
as the values can be directly used instead of being converted.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4406)
2017-09-22 22:59:42 +01:00
Patrick Steuer
b9ff0483bd Fix strict-warnings build
Compilation failed due to -Werror=misleading-indentation.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4395)
2017-09-21 16:01:22 -05:00
Dr. Stephen Henson
b46867d771 Allow RSA certificates to be used for RSA-PSS
Allo RSA certificate to be used for RSA-PSS signatures: this needs
to be explicit because RSA and RSA-PSS certificates are now distinct
types.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
2017-09-20 12:50:23 +01:00
Dr. Stephen Henson
045d078aef Add RSA-PSS key certificate type.
Recognise RSA-PSS certificate algorithm and add a new certificate
type.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
2017-09-20 12:50:23 +01:00
Pauli
677963e5a4 e_os.h removal from other headers and source files.
Removed e_os.h from all bar three headers (apps/apps.h crypto/bio/bio_lcl.h and
ssl/ssl_locl.h).

Added e_os.h into the files that need it now.

Directly reference internal/nelem.h when required.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)
2017-08-30 07:20:43 +10:00
Dr. Stephen Henson
13cc257423 Use cert tables in ssl_set_sig_mask
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3858)
2017-07-13 12:38:42 +01:00
Dr. Stephen Henson
52fd27f978 Use certificate tables instead of ssl_cert_type
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3858)
2017-07-13 12:38:42 +01:00
Dr. Stephen Henson
7f6b466b2c Use certificate tables instead of ssl_cipher_get_cert_index.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3858)
2017-07-13 12:38:42 +01:00
Dr. Stephen Henson
b8858aec13 Replace tls12_get_pkey_idx
The functiontls12_get_pkey_idx is only used to see if a certificate index is
enabled: call ssl_cert_is_disabled instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3858)
2017-07-13 12:38:42 +01:00
Matt Caswell
0ca8d1ecf2 Update SSL_export_keying_material() for TLSv1.3
Fixes #3680

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3782)
2017-06-29 10:15:49 +01:00
Benjamin Kaduk
6ffeb269a3 Disallow DSA/SHA1/etc. for pure TLS 1.3 ClientHellos
In draft-ietf-tls-tls13-20 Appendix B we find that:

   This section describes protocol types and constants.  Values listed
   as _RESERVED were used in previous versions of TLS and are listed
   here for completeness.  TLS 1.3 implementations MUST NOT send them
   but might receive them from older TLS implementations.

Similarly, in section 4.2.3 we see:

   Legacy algorithms  Indicates algorithms which are being deprecated
      because they use algorithms with known weaknesses, specifically
      SHA-1 which is used in this context with either with RSA using
      RSASSA-PKCS1-v1_5 or ECDSA.  These values refer solely to
      signatures which appear in certificates (see Section 4.4.2.2) and
      are not defined for use in signed TLS handshake messages.
      Endpoints SHOULD NOT negotiate these algorithms but are permitted
      to do so solely for backward compatibility.  Clients offering
      these values MUST list them as the lowest priority (listed after
      all other algorithms in SignatureSchemeList).  TLS 1.3 servers
      MUST NOT offer a SHA-1 signed certificate unless no valid
      certificate chain can be produced without it (see
      Section 4.4.2.2).

However, we are currently sending the SHA2-based DSA signature schemes
and many SHA1-based schemes, which is in contradiction with the specification.

Because TLS 1.3 support will appear in OpenSSL 1.1, we are bound by
stability requirements to continue to offer the DSA signature schemes
and the deprecated hash algorithms.  at least until OpenSSL 1.2.
However, for pure TLS 1.3 clients that do not offer lower TLS versions,
we can be compliant.  Do so, and leave a note to revisit the issue when
we are permitted to break with sacred historical tradition.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3326)
2017-06-24 19:25:43 -05:00
Dr. Stephen Henson
d2916a5b29 Use EVP_PKEY_X25519, EVP_PKEY_ED25519 instead of NIDs where appropriate.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3585)
2017-06-21 14:11:01 +01:00
Dr. Stephen Henson
b2021556e4 Allow Ed25519 in TLS 1.2
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3585)
2017-06-21 14:11:01 +01:00
Dr. Stephen Henson
168067b631 Handle signature algorithms with no associated digest
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3585)
2017-06-21 14:11:01 +01:00
Dr. Stephen Henson
3d234c9e5c Add Ed25519 signature algorithm
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3585)
2017-06-21 14:11:01 +01:00
Dr. Stephen Henson
b04d4e38b7 Add Ed25519 to signature algorithm table
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3585)
2017-06-21 14:11:01 +01:00
Dr. Stephen Henson
07afa3d880 Add index for ED25519
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3585)
2017-06-21 14:11:01 +01:00
Dr. Stephen Henson
65e89736b3 Use X509_get_signature_info to get signature strength.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3585)
2017-06-21 14:11:01 +01:00
Benjamin Kaduk
1316c9ffab Fix no-ec
Also remove nested OPENSSL_NO_EC conditional; it was properly indented,
but a no-op.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3693)
2017-06-15 17:02:45 -04:00
Matt Caswell
d8311fc93a Add back support for SHA224 based sig algs
This used to work but was inadvertently removed as part of the TLSv1.3
work. This adds it back.

Fixes #3633

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3639)
2017-06-08 17:37:02 +01:00
Matt Caswell
b77f3ed171 Convert existing usage of assert() to ossl_assert() in libssl
Provides consistent output and approach.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3496)
2017-05-22 14:00:43 +01:00
Matt Caswell
fb34a0f4e0 Try to be more consistent about the alerts we send
We are quite inconsistent about which alerts get sent. Specifically, these
alerts should be used (normally) in the following circumstances:

SSL_AD_DECODE_ERROR = The peer sent a syntactically incorrect message
SSL_AD_ILLEGAL_PARAMETER = The peer sent a message which was syntactically
correct, but a parameter given is invalid for the context
SSL_AD_HANDSHAKE_FAILURE = The peer's messages were syntactically and
semantically correct, but the parameters provided were unacceptable to us
(e.g. because we do not support the requested parameters)
SSL_AD_INTERNAL_ERROR = We messed up (e.g. malloc failure)

The standards themselves aren't always consistent but I think the above
represents the best interpretation.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3480)
2017-05-19 08:47:08 +01:00
Matt Caswell
38a7315060 Add a ciphersuite config sanity check for servers
Ensure that there are ciphersuites enabled for the maximum supported
version we will accept in a ClientHello.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3316)
2017-04-26 14:31:00 +01:00
Matt Caswell
8af91fd9d0 Don't fail the connection in SSLv3 if server selects ECDHE
ECDHE is not properly defined for SSLv3. Commit fe55c4a2 prevented ECDHE
from being selected in that protocol. However, historically, servers do
still select ECDHE anyway so that commit causes interoperability problems.
Clients that previously worked when talking to an SSLv3 server could now
fail.

This commit introduces an exception which enables a client to continue in
SSLv3 if the server selected ECDHE.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3204)
2017-04-24 16:15:40 +01:00
Dr. Stephen Henson
fa7c263747 New certificate_authorities functions
Add functions to add/retrieve the certificate_authorities. The older
client_CA functions mainly just call the new versions now.

Rename fields sice new extension can be generated by client and server.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3015)
2017-04-03 23:47:21 +01:00
FdaSilvaYY
69687aa829 More typo fixes
Fix some comments too
[skip ci]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3069)
2017-03-29 07:14:29 +02:00
Bernd Edlinger
d3bc980585 Avoid questionable use of the value of a pointer
that refers to space
deallocated by a call to the free function in tls_decrypt_ticket.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2897)
(cherry picked from commit 13ed1afa92)
2017-03-10 15:56:58 -05:00
Bernd Edlinger
0b1f266486 Fixup previous merge.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2703)
2017-03-10 14:48:40 +00:00
Dr. Stephen Henson
5528d68f6d Set specific error is we have no valid signature algorithms set
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2840)
2017-03-03 22:02:39 +00:00
Dr. Stephen Henson
b0e9ab95dd Signature algorithm enhancement.
Change tls12_sigalg_allowed() so it is passed a SIGALG_LOOKUP parameter,
this avoids multiple lookups.

When we copy signature algorithms return an error if no valid TLS message
signing algorithm is present. For TLS 1.3 this means we need at least one
signature algorithm other than RSA PKCS#1 or SHA1 both of which can only be
used to sign certificates and not TLS messages.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2840)
2017-03-03 22:02:39 +00:00
Dr. Stephen Henson
8f12296e23 Disallow zero length signature algorithms
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2840)
2017-03-03 21:58:33 +00:00
Dr. Stephen Henson
224b4e37c0 Don't allow DSA for TLS 1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2840)
2017-03-03 21:58:33 +00:00
Dr. Stephen Henson
095a982bb4 For TLS 1.3 reject SHA1 TLS signatures
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2739)
2017-02-25 00:43:45 +00:00
Dr. Stephen Henson
e892e32558 Reject compressed point format with TLS 1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2739)
2017-02-24 23:52:23 +00:00
Dr. Stephen Henson
599b586d87 Add SuiteB support to tls_choose_sigalg()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2738)
2017-02-24 23:30:49 +00:00
Dr. Stephen Henson
75c13e7830 Tidy up certificate type handling.
The certificate types used to be held in a fixed length array or (if
it was too long) a malloced buffer. This was done to retain binary
compatibility. The code can be simplified now SSL is opaque by always
using a malloced buffer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2733)
2017-02-24 01:23:38 +00:00
Bernd Edlinger
79020b27be Add some more consistency checks in tls_decrypt_ticket.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2704)
2017-02-22 09:36:02 -05:00
Dr. Stephen Henson
a8bb912d84 Set default validity flags.
Set default validity flags if signature algorithms extension
is not present. Preserve flags when checking chains.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2679)
2017-02-21 17:41:43 +00:00
Dr. Stephen Henson
9195ddcd0f remove md array: it is not used any more.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2679)
2017-02-21 17:41:43 +00:00
Dr. Stephen Henson
5a8916d985 Explicitly disallow DSA for TLS 1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2667)
2017-02-17 16:33:12 +00:00
Dr. Stephen Henson
ad4dd362e0 Use tls_choose_sigalg for client auth.
For client auth call tls_choose_sigalg to select the certificate
and signature algorithm. Use the selected algorithm in
tls_construct_cert_verify.

Remove obsolete tls12_get_sigandhash.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2643)
2017-02-16 16:43:44 +00:00
Dr. Stephen Henson
717a265aa5 Add client side support to tls_choose_sigalg.
Select appropriate signature algorithm and certificate for client
authentication using tls_choose_sigalg.

A lot of selection logic is very similar except not finding a
certificate is not a fatal error: we just do not present a
certificate.

For TLS 1.2 and earlier we only check the current certificate
is suitable (for compatibility with previous logic) for TLS 1.3
(where there are no compatibility issues) we support multiple
client certificates for different algorithms.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2643)
2017-02-16 16:43:44 +00:00
Dr. Stephen Henson
7b3a4d6107 Fix warning
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2644)
2017-02-16 01:44:28 +00:00
Dr. Stephen Henson
59088e43b1 Set current certificate to selected certificate.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2637)
2017-02-15 15:33:15 +00:00
Dr. Stephen Henson
a34a9df071 Skip curve check if sigalg doesn't specify a curve.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
2017-02-15 02:23:55 +00:00
Dr. Stephen Henson
a497cf2516 Use CERT_PKEY pointer instead of index
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
2017-02-15 02:23:54 +00:00
Dr. Stephen Henson
f365a3e2e5 Use cert_index and sigalg
Now the certificate and signature algorithm is set in one place we
can use it directly insetad of recalculating it. The old functions
ssl_get_server_send_pkey() and ssl_get_server_cert_index() are no
longer required.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
2017-02-15 02:23:54 +00:00
Dr. Stephen Henson
0972bc5ced Add sigalg for earlier TLS versions
Update tls_choose_sigalg to choose a signature algorithm for all
versions of TLS not just 1.3.

For TLS 1.2 we choose the highest preference signature algorithm
for the chosen ciphersuite.

For TLS 1.1 and earlier the signature algorithm is determined by
the ciphersuite alone. For RSA we use a special MD5+SHA1 signature
algorithm.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
2017-02-15 02:23:54 +00:00
Dr. Stephen Henson
4a419f6018 Change tls_choose_sigalg so it can set errors and alerts.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
2017-02-15 02:23:54 +00:00
Bernd Edlinger
57b0d651f0 Use TLSEXT_KEYNAME_LENGTH in tls_decrypt_ticket.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2618)
2017-02-14 14:37:59 -05:00
Dr. Stephen Henson
d0ff28f8a2 Replace SSL_PKEY_RSA_ENC, SSL_PKEY_RSA_SIGN
The original intent of SSL_PKEY_RSA_SIGN and SSL_PKEY_RSA_ENC was to
support two different keys for RSA signing and decrypt. However this
was never implemented and we only ever set one key and the other was
always NULL. Replace with single SSL_PKEY_RSA type.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2587)
2017-02-10 20:08:35 +00:00
Dr. Stephen Henson
8fd19b20be Check index >= 0 as 0 is a valid index.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2587)
2017-02-10 20:08:35 +00:00
Peter Wu
6d047e06e6 SSL_get_shared_sigalgs: handle negative idx parameter
When idx is negative (as is the case with do_print_sigalgs in
apps/s_cb.c), AddressSanitizer complains about a buffer overflow (read).
Even if the pointer is not dereferenced, this is undefined behavior.

Change the user not to use "-1" as index since the function is
documented to return 0 on out-of-range values.

Tested with `openssl s_server` and `curl -k https://localhost:4433`.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2349)
2017-02-09 09:48:46 +00:00
Richard Levitte
21f198ec48 Fix "no-ec"
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2547)
2017-02-03 20:37:23 +01:00
Dr. Stephen Henson
93a77f9e2c Add function tls_choose_sigalg().
New function tls_choose_sigalg(). This is a signature algorithm version
of ssl3_choose_cipher(): it picks and sets the appropriate signature
algorithm and certificate based on shared signature algorithms.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)
2017-02-02 14:45:09 +00:00
Todd Short
222da97918 Majority rules, use session_ctx vs initial_ctx
session_ctx and initial_ctx are aliases of each other, and with the
opaque data structures, there's no need to keep both around. Since
there were more references of session_ctx, replace all instances of
initial_ctx with session_ctx.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2334)
2017-01-31 20:41:55 -05:00
Dr. Stephen Henson
f1adb0068f Tidy up Suite B logic
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:03:02 +00:00
Dr. Stephen Henson
6cbebb5516 Remove peer_md and use peer_sigalg instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:03:02 +00:00
Dr. Stephen Henson
44b6318f48 Simplify sigalgs code.
Remove unnecessary lookup operations: use the indices and data in the
lookup table directly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:03:02 +00:00
Dr. Stephen Henson
17ae384e49 Add digest and key indices to table.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:03:01 +00:00
Dr. Stephen Henson
8f88cb53dd Add TLS 1.3 signing curve check
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:03:00 +00:00
Dr. Stephen Henson
2b4418ebd6 Only allow PSS signatures with RSA keys and TLS 1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:03:00 +00:00
Dr. Stephen Henson
f742cda820 Store table entry to peer signature algorithm.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)
2017-01-31 00:02:59 +00:00
Dr. Stephen Henson
787ebcafcd Update macros.
Use TLS_MAX_SIGALGCNT for the maximum number of entries in the
signature algorithms array.

Use TLS_MAX_SIGSTRING_LEN for the maxiumum length of each signature
component instead of a magic number.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:18 +00:00
Dr. Stephen Henson
cdf516d988 Fix TLS 1.2 and no sigalgs.
For TLS 1.2 if we have no signature algorithms extension then lookup
using the complete table instead of (empty) shared signature algorithms
list so we pick up defaults.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:17 +00:00
Dr. Stephen Henson
4d43ee28d4 Replace TLS_SIGALGS with SIGALG_LOOKUP
Since every supported signature algorithm is now an entry in the
SIGALG_LOOKUP table we can replace shared signature algortihms with
pointers to constant table entries.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:17 +00:00
Dr. Stephen Henson
8a43a42a02 Support TLS 1.3 signature scheme names.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
edbfba1a34 Extend TLS 1.3 signature table.
Add additional entries in the TLS 1.2 signature table to include
the name, sig and hash NID (if any) and required curve (if any).

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
018031faa8 Use shared signature algorithm list to find type.
Lookup the signature type in the shared list: we can use this to
use PSS if the peer supports it for TLS 1.2.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
42ef7aead2 Add SSL_get_peer_signature_type_nid() function.
Add function to retrieve signature type: in the case of RSA
keys the signature type can be EVP_PKEY_RSA or EVP_PKEY_RSA_PSS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
5554facbe7 Store peer signature type.
Store peer signature type in s->s3->tmp.peer_sigtype and check it
to see if the peer used PSS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
b2eb699874 More complete PSS support.
Extend support for PSS key signatures by using the EVP_PKEY_RSA_PSS type
to distinguish them from PKCS1 signature types.

Allow setting of PSS signature algorithms using the string "PSS" or
"RSA-PSS".

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 12:59:28 +00:00
Dr. Stephen Henson
98c792d18c Use uint16_t for signature scheme.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 12:59:28 +00:00
Matt Caswell
40f805ad92 Various style fixes following review feedback
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:25 +00:00
Matt Caswell
61c3264970 Remove unneccessary comments
Now we're using an enum the values themselves are self explanatory

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:25 +00:00
Matt Caswell
ddf6ec0069 Make the "ticket" function return codes clearer
Remove "magic" return values and use an enum instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:23 +00:00
Matt Caswell
081912943f Use the correct session resumption mechanism
Don't attempt to add a TLS1.3 session to a TLS1.2 ClientHello session
ticket extensions. Similarly don't add a TLS1.2 session to a TLS1.3
psk extension.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:21 +00:00
Matt Caswell
1053a6e228 Implement Server side of PSK extension parsing
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:21 +00:00
Dr. Stephen Henson
a9669ddc64 Use correct signature algorithm list when sending or checking.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2290)
2017-01-26 16:44:18 +00:00
Rich Salz
3e37351834 If client doesn't send curves list, don't assume all.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1597)
2017-01-18 12:24:28 -05:00
Matt Caswell
5eeb6c6e56 Fix no-ec following sigalgs refactor
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:51 +00:00
Matt Caswell
7a531ee460 Fix tls1_set_sigalgs() length calculation
The length passed to tls1_set_sigalgs() is a multiple of two and there are
two char entries in the list for each sigalg. When we set
client_sigalgslen or conf_sigalgslen this is the number of ints in the list
where there is one entry per sigalg (i.e. half the length of the list passed
to the function).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:51 +00:00
Matt Caswell
42ab223000 Add some missing sigalgs
The SHA1 sigalgs were inadvertently missed off in the sigalgs refactor.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:51 +00:00
Matt Caswell
1b520cbb6a Fix a Travis failure
Declare a variable as static to silence the warning

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
fe3066ee40 Extend PSS signature support to TLSv1.2
TLSv1.3 introduces PSS based sigalgs. Offering these in a TLSv1.3 client
implies that the client is prepared to accept these sigalgs even in
TLSv1.2.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
710eb47fdd Add a TLS1.3 TODO for setting of sig algs
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
523fb3233a Ignore PKCS1 based sig algs in TLSv1.3
In TLSv1.3 we must use PSS based sig algs for RSA signing. Ignore any
shared sig algs which are PKCS1 based.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00
Matt Caswell
0490431272 Verify that the sig algs extension has been sent for TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
2017-01-10 23:02:50 +00:00