Commit Graph

3240 Commits

Author SHA1 Message Date
Dr. Stephen Henson
fa7c263747 New certificate_authorities functions
Add functions to add/retrieve the certificate_authorities. The older
client_CA functions mainly just call the new versions now.

Rename fields sice new extension can be generated by client and server.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3015)
2017-04-03 23:47:21 +01:00
Matt Caswell
090c8118e8 Fix calls to SSL_get_server_tmp_key() in TLSv1.3
The macro SSL_get_server_tmp_key() returns information about the temp key
used by the server during a handshake. This was returning NULL for TLSv1.3
and causing s_client to omit this information in its connection summary.

Fixes #3081

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3114)
2017-04-03 19:18:47 +01:00
Matt Caswell
a0cb628b17 Tweak a style issue
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3091)
2017-04-03 19:07:29 +01:00
Tatsuhiro Tsujikawa
bbea9f2c5f Restore s->early_data_state with the original value
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3091)
2017-04-03 19:07:29 +01:00
Matt Caswell
59cebcf9f6 Don't handle handshake messages when writing early data on server
If we have received the EoED message but not yet had the CF then we are
"in init". Despite that we still want to write application data, so suppress
the "in init" check in ssl3_write_bytes() in that scenario.

Fixes #3041

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3091)
2017-04-03 19:07:29 +01:00
Kazuki Yamaguchi
a8e75d5680 Fix a typo in the SSL_get_max_early_data() declarations
SSL_get_max_early_data() recently added by 3fc8d85610 ("Construct the
ticket_early_data_info extension", 2017-02-17) is supposed to take an
SSL, but it doesn't.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3113)
2017-04-03 13:45:39 +01:00
Matt Caswell
36abb6a270 Update SSL_extension_supported()
Numerous changes have been made to the supported built-in extensions and
SSL_extension_supported() has not kept up.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3097)
2017-03-31 11:14:13 +01:00
Matt Caswell
116d0da5e8 Fix early data bug with pause between EoED and CF
If the server received EoED then SSL_read_early_data() will return
SSL_READ_EARLY_DATA_FINISH. However if the CF has not yet been processed
then SSL_is_init_finished() will still return 0. Therefore we should still
be able to write early data.

Fixes #3041

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3089)
2017-03-30 15:45:45 +01:00
Matt Caswell
39ef78210c Fix bug with SSL_read_early_data()
If read_ahead is set, or SSL_MODE_AUTO_RETRY is used then if
SSL_read_early_data() hits an EndOfEarlyData message then it will
immediately retry automatically, but this time read normal data instead
of early data!

Fixes #3041

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3077)
2017-03-30 09:09:21 +01:00
Qin Long
dc8da7b1b8 Fix the build warning under OPENSSL_NO_GOST
Variable 'pktype' was set but not used under OPENSSL_NO_GOST. This change
will fix the build warning under [-Werror=unused-but-set-variable].

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2961)
2017-03-29 07:37:02 +02:00
Benjamin Kaduk
0acee5045a Further de-obfuscation
A similar change that probably should have been wrapped into
commit e0926ef49d.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3010)
2017-03-29 07:33:39 +02:00
FdaSilvaYY
69687aa829 More typo fixes
Fix some comments too
[skip ci]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3069)
2017-03-29 07:14:29 +02:00
FdaSilvaYY
1ee4b98e69 Fix a few more typos
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3066)
2017-03-28 16:16:49 -04:00
Matt Caswell
643a358042 Move the downgrade sentinel declarations to a header file
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3022)
2017-03-24 14:07:11 +00:00
Matt Caswell
c3043dcd55 Add client side support for TLSv1.3 downgrade mechanism
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3022)
2017-03-24 14:07:11 +00:00
Matt Caswell
f7f2a01d63 Add server side support for TLSv1.3 downgrade mechanism
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3022)
2017-03-24 14:07:11 +00:00
Matt Caswell
77815a026c Fix resumption after HRR
Commit 6b1bb98fa moved the processing of ClientHello extensions into the
state machine post-processing stage. After processing s->init_num is reset
to 0, so by post-processing we cannot rely on its value. Unfortunately we
were using it to handle the PSK extension. This causes the handshake to
fail.

We were using init_num to figure out the length of ClientHello2 so we can
remove it from the handshake_buffer. The handshake_buffer holds the
transcript of all the messages sent so far. For PSK processing though we
only want to add in a partial ClientHello2. This commit changes things so
we just work out where ClientHello2 starts, working forward from the
beginning of handshake_buffer.

Fixes #2983

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2996)
2017-03-21 10:00:44 +00:00
Joseph Birr-Pixton
b0c9fc9b48 TLS1.3: Correct intermediate secret derivation
This label for this derivation was incorrectly "derived" or "der" depending
on the pointer size of the build(!). The correct string is "derived secret".

(cherry picked from commit 936dcf2720)

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2989)
2017-03-19 20:59:59 +00:00
Dr. Stephen Henson
45615c5fac Implement certificate_authorities extension
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2918)
2017-03-17 18:41:56 +00:00
Dr. Stephen Henson
32f661079d Support draft-19 TLS certificate request format
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2918)
2017-03-17 18:41:56 +00:00
Dr. Stephen Henson
51c7d3e824 Allow signature algorithms in TLS 1.3 certificate request extensions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2918)
2017-03-17 18:41:56 +00:00
Dr. Stephen Henson
5d6cca05b0 Move parsing and construction of CA names to separate functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2918)
2017-03-17 18:41:56 +00:00
Dr. Stephen Henson
f8f16d8ea4 Remove obsolete version test when returning CA names.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2969)
2017-03-16 18:07:19 +00:00
Todd Short
07518cfb38 Add TLSv1.3 draft-19 messages to trace
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2970)
2017-03-16 13:16:51 -04:00
Matt Caswell
d702ad121c Fix the Padding extension
In OpenSSL 1.1.0 the padding extension MUST be last because it calculates
the length of everything that has been written into the ClientHello to
determine whether it needs to be padded or not. With TLSv1.3 that isn't
possible because the specification requires that the PSK extension is last.
Therefore we need to fix the padding extension to take account of any PSK
extension that will be later added.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2968)
2017-03-16 15:37:41 +00:00
Matt Caswell
635b7d3f2a Updates following review feedback
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)
2017-03-16 14:20:38 +00:00
Matt Caswell
69b2d39332 Fix ciphersuite handling during an HRR
Choose a new ciphersuite for the HRR. Don't just use the one from the
session.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)
2017-03-16 14:20:38 +00:00
Matt Caswell
cf3e221bd9 Ensure after an HRR any PSKs have the right hash
Don't include a PSK that does not have the right hash for the selected
ciphersuite following an HRR.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)
2017-03-16 14:20:38 +00:00
Matt Caswell
11c67eeaf4 HelloRetryRequest updates for draft-19
Draft-19 changes the HRR transcript hash so that the initial ClientHello
is replaced in the transcript with a special synthetic message_hash message
that just contains a hash of ClientHello1 as its message body.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)
2017-03-16 14:20:38 +00:00
Matt Caswell
9e0ac6a2f1 Check ClientHello boundary as per draft-19
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)
2017-03-16 14:20:38 +00:00
Matt Caswell
6594189fa1 Merge early_data_info extension into early_data
As per draft-19

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)
2017-03-16 14:20:38 +00:00
Matt Caswell
ef6c191bce Update end of early data processing for draft-19
The end of early data is now indicated by a new handshake message rather
than an alert.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)
2017-03-16 14:20:38 +00:00
Matt Caswell
3e0458fb12 Update secret generation for draft-19
TLSv1.3 draft 19 introduces a new pre HKDF-extract Derive-Secret stage.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)
2017-03-16 14:20:38 +00:00
Benjamin Kaduk
dda12ce4e5 Remove dead code
tls1_get_curvelist() does not read from its third parameter, so
the assignments prior to function call were dead code and can be removed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2952)
2017-03-15 20:59:42 +00:00
Benjamin Kaduk
d9aea04162 Tighten up client status_request processing
Instead of making a positive comparison against the invalid value
that our server would send, make a negative check against the only
value that is not an error.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2953)
2017-03-15 20:44:57 +00:00
Benjamin Kaduk
a5bb1aa128 Clear alpn_selected_len for clients, too
Zero out the length alongside the NULLing of the pointer, to
bring parity between the selected and proposed fields..

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2954)
2017-03-15 03:18:01 +01:00
Benjamin Kaduk
e0926ef49d De-obfuscate
No need to break out of the loop and repeat the loop termination
condition when we can just return.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2949)
2017-03-14 22:45:44 +00:00
Benjamin Kaduk
aebe9e3991 Fix some -Wshadow warnings
Found using various (old-ish) versions of gcc.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2940)
2017-03-14 11:44:31 -05:00
Pauli
d61461a752 Use the callbacks from the SSL object instead of the SSL_CTX object
... in functions dealing with the SSL object rather than the context.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2870)
2017-03-10 22:31:50 +01:00
Bernd Edlinger
d3bc980585 Avoid questionable use of the value of a pointer
that refers to space
deallocated by a call to the free function in tls_decrypt_ticket.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2897)
(cherry picked from commit 13ed1afa92)
2017-03-10 15:56:58 -05:00
Matt Caswell
42c28b637c Use the new TLSv1.3 certificate_required alert where appropriate
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2898)
2017-03-10 15:33:31 +00:00
Matt Caswell
652a6b7ee1 Check that the PSK extension is last
We need to check that the PSK extension in a ClientHello is the last one.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2896)
2017-03-10 15:24:12 +00:00
Bernd Edlinger
0b1f266486 Fixup previous merge.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2703)
2017-03-10 14:48:40 +00:00
Roberto Guimaraes
6aad939368 this change will prevent undefined behavior when src and dst are equal (memcpy), effectively allowing setting length only in both functions.
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2750)
2017-03-08 09:42:29 -05:00
Matt Caswell
4f7b76bf0f Fix no-comp
The value of SSL3_RT_MAX_ENCRYPTED_LENGTH normally includes the compression
overhead (even if no compression is negotiated for a connection). Except in
a build where no-comp is used the value of SSL3_RT_MAX_ENCRYPTED_LENGTH does
not include the compression overhead.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2872)
2017-03-08 11:03:37 +00:00
Matt Caswell
524420d845 Check TLSv1.3 ServerHello, Finished and KeyUpdates are on record boundary
In TLSv1.3 the above messages signal a key change. The spec requires that
the end of these messages must align with a record boundary. We can detect
this by checking for decrypted but as yet unread record data sitting in
OpenSSL buffers at the point where we process the messages.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2875)
2017-03-07 16:41:25 +00:00
Matt Caswell
b8c49611bc Provide a function to test whether we have unread records pending
Also updates SSL_has_pending() to use it. This actually fixes a bug in
SSL_has_pending() which is supposed to return 1 if we have any processed
or unprocessed data sitting in OpenSSL buffers. However it failed to return
1 if we had processed non-application data pending.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2875)
2017-03-07 16:41:25 +00:00
Rich Salz
9015d34e14 Get pointer type right in BIO_ssl_shutdown()
Also, restore 1.0.2 behavior of looping over all BIO's in the chain.
Thanks to Joseph Bester for finding this and suggesting a fix to the
crash.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2651)
2017-03-07 09:56:49 -05:00
Matt Caswell
4321969513 Tweak the TLSv1.3 record overflow limits
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2861)
2017-03-06 20:07:40 +00:00
Kurt Roeckx
febb0afaef Fix double free in cookie generation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #2850
2017-03-06 18:33:56 +01:00