Matt Caswell [Tue, 24 Jan 2017 11:12:03 +0000 (11:12 +0000)]
Fix SSL_get0_raw_cipherlist()
SSL_get0_raw_cipherlist() was a little too "raw" in the case of an SSLv2
compat ClientHello. In 1.0.2 and below, during version negotiation, if
we received an SSLv2 compat ClientHello but actually wanted to do SSLv3+
then we would construct a "fake" SSLv3+ ClientHello. This "fake" ClientHello
would have its ciphersuite list converted to the SSLv3+ format. It was
this "fake" raw list that got saved away to later be returned by a call to
SSL_get0_raw_cipherlist().
In 1.1.0+ version negotiation works differently and we process an SSLv2
compat ClientHello directly without the need for an intermediary "fake"
ClientHello. This meant that the raw ciphersuite list being saved was in
the SSLv2 format. Any caller of this function would not expect that and
potentially overread the returned buffer by one byte.
Fixes #2189
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2280)
Kazuki Yamaguchi [Thu, 29 Dec 2016 15:59:56 +0000 (00:59 +0900)]
Add missing flags for EVP_chacha20()
ChaCha20 code uses its own custom cipher_data. Add EVP_CIPH_CUSTOM_IV
and EVP_CIPH_ALWAYS_CALL_INIT so that the key and the iv can be set by
different calls of EVP_CipherInit_ex().
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2156)
Bernd Edlinger [Thu, 22 Dec 2016 19:17:29 +0000 (20:17 +0100)]
Fix a ssl session leak due to OOM in lh_SSL_SESSION_insert
- s == NULL can mean c is a new session *or* lh_insert was
unable to create a hash entry.
- use lh_SSL_SESSION_retrieve to check for this error condition.
- If it happens simply remove the extra reference again.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2138)
ganesh [Fri, 11 Nov 2016 03:13:13 +0000 (08:43 +0530)]
RAND_egd_bytes: No need to check RAND_status on connection error.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1886)
ganesh [Thu, 10 Nov 2016 11:16:43 +0000 (16:46 +0530)]
Fixed the return code for RAND_egd_bytes.
According to the documentation, the return code should be -1 when
RAND_status does not return 1.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1886)
ganesh [Wed, 9 Nov 2016 15:14:22 +0000 (20:44 +0530)]
Fixed the return code of RAND_query_egd_bytes when connect fails.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1886)
Andy Polyakov [Wed, 18 Jan 2017 17:12:34 +0000 (12:12 -0500)]
Replace div-spoiler hack with simpler code
This comes from a comment in GH issue #1027. Andy wrote the code,
Rich made the PR.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2253)
Cory Benfield [Fri, 20 Jan 2017 16:22:49 +0000 (16:22 +0000)]
Add documentation for the key logging callbacks
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1646)
Cory Benfield [Fri, 20 Jan 2017 16:22:39 +0000 (16:22 +0000)]
Add tests for the key logging callbacks.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1646)
Cory Benfield [Fri, 20 Jan 2017 16:22:30 +0000 (16:22 +0000)]
Add support for key logging callbacks.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1646)
Richard Levitte [Sat, 21 Jan 2017 13:44:52 +0000 (14:44 +0100)]
Fix no-tls1_2
It seems that the ssl test 20-cert-select.conf dislikes the lack of TLSv1.2
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2268)
FdaSilvaYY [Wed, 16 Nov 2016 21:46:25 +0000 (22:46 +0100)]
Fix use before assignment
it was getting the SerialNumber of a previous cert.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2272)
Matt Caswell [Tue, 22 Nov 2016 16:55:35 +0000 (16:55 +0000)]
Extend the test_ssl_new renegotiation tests to include client auth
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1982)
Matt Caswell [Tue, 22 Nov 2016 16:54:28 +0000 (16:54 +0000)]
Stop server from expecting Certificate message when not requested
In a non client-auth renegotiation where the original handshake *was*
client auth, then the server will expect the client to send a Certificate
message anyway resulting in a connection failure.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1982)
Matt Caswell [Tue, 22 Nov 2016 16:39:27 +0000 (16:39 +0000)]
Stop client from sending Certificate message when not requested
In a non client-auth renegotiation where the original handshake *was*
client auth, then the client will send a Certificate message anyway
resulting in a connection failure.
Fixes #1920
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1982)
Matt Caswell [Tue, 22 Nov 2016 16:23:22 +0000 (16:23 +0000)]
Fix SSL_VERIFY_CLIENT_ONCE
The flag SSL_VERIFY_CLIENT_ONCE is documented as follows:
B<Server mode:> only request a client certificate on the initial TLS/SSL
handshake. Do not ask for a client certificate again in case of a
renegotiation. This flag must be used together with SSL_VERIFY_PEER.
B<Client mode:> ignored
But the implementation actually did nothing. After the server sends its
ServerKeyExchange message, the code was checking s->session->peer to see if
it is NULL. If it was set then it did not ask for another client
certificate. However s->session->peer will only be set in the event of a
resumption, but a ServerKeyExchange message is only sent in the event of a
full handshake (i.e. no resumption).
The documentation suggests that the original intention was for this to
have an effect on renegotiation, and resumption doesn't come into it.
The fix is to properly check for renegotiation, not whether there is already
a client certificate in the session.
As far as I can tell this has been broken for a *long* time.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1982)
Bernd Edlinger [Sun, 1 Jan 2017 00:43:20 +0000 (01:43 +0100)]
fix a memory leak in ssl3_generate_key_block fix the error handling in ssl3_change_cipher_state
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2164)
Bernd Edlinger [Tue, 10 Jan 2017 08:22:05 +0000 (09:22 +0100)]
Check the exit code from the server process
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2205)
Andy Polyakov [Sun, 25 Dec 2016 15:36:43 +0000 (16:36 +0100)]
poly1305/poly1305_base2_44.c: clarify shift boundary condition.
Reviewed-by: Matt Caswell <matt@openssl.org>
Andy Polyakov [Thu, 29 Dec 2016 22:42:49 +0000 (23:42 +0100)]
ec/asm/ecp_nistz256-ppc64.pl: minor POWER8-specific optimization.
Up to 4% depending on benchmark.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Gaétan Njinang [Fri, 20 Jan 2017 05:37:43 +0000 (06:37 +0100)]
'openssl passwd' command can now compute AIX MD5-based passwords hashes.
The difference between the AIX MD5 password algorithm and the standard MD5
password algorithm is that in AIX there is no magic string while in the
standard MD5 password algorithm the magic string is "$1$"
Documentation of '-aixmd5' option of 'openssl passwd' command is added.
1 test is added in test/recipes/20-test-passwd.t
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2251)
Richard Levitte [Wed, 18 Jan 2017 15:19:26 +0000 (16:19 +0100)]
Fix DSA parameter generation control error
When setting the digest parameter for DSA parameter generation, the
signature MD was set instead of the parameter generation one.
Fortunately, that's also the one that was used for parameter
generation, but it ultimately meant the parameter generator MD and the
signature MD would always be the same.
Fixes github issue #2016
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2250)
Dr. Stephen Henson [Sun, 15 Jan 2017 15:59:48 +0000 (15:59 +0000)]
Add signing hash tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2235)
Dr. Stephen Henson [Fri, 13 Jan 2017 15:20:42 +0000 (15:20 +0000)]
Add options to check TLS signing hashes
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2235)
Markus Triska [Wed, 18 Jan 2017 23:07:20 +0000 (00:07 +0100)]
correct 3 mistakes
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2257)
Rich Salz [Mon, 16 Jan 2017 19:30:59 +0000 (14:30 -0500)]
Skip ECDH tests for SSLv3
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1597)
Rich Salz [Mon, 19 Sep 2016 17:09:58 +0000 (13:09 -0400)]
If client doesn't send curves list, don't assume all.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1597)
Dr. Stephen Henson [Tue, 17 Jan 2017 17:51:24 +0000 (17:51 +0000)]
Defines and strings for special salt length values, add tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2236)
Dr. Stephen Henson [Mon, 16 Jan 2017 18:07:54 +0000 (18:07 +0000)]
additional PSS tests for -1 and invalid salt length
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2236)
Dr. Stephen Henson [Mon, 16 Jan 2017 16:52:52 +0000 (16:52 +0000)]
Add support for -1, -2 salt lengths for PSS only keys.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2236)
FdaSilvaYY [Tue, 8 Nov 2016 18:21:51 +0000 (19:21 +0100)]
Clean dead macros and defines
... mostly related to some old discarded modules .
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1906)
FdaSilvaYY [Thu, 10 Nov 2016 22:28:10 +0000 (23:28 +0100)]
Clean one unused variable, plus an useless one.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1906)
Markus Triska [Wed, 18 Jan 2017 00:40:36 +0000 (01:40 +0100)]
Correct reference to SSL_get_peer_cert_chain().
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
CLA: trivial
(Merged from https://github.com/openssl/openssl/pull/2247)
EasySec [Tue, 17 Jan 2017 16:21:55 +0000 (17:21 +0100)]
Fix list -disabled for blake2 alg
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2241)
xemdetia [Mon, 16 Jan 2017 19:41:03 +0000 (14:41 -0500)]
Fix man3 reference to CRYPTO_secure_used
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2238)
Kurt Roeckx [Sun, 15 Jan 2017 23:04:31 +0000 (00:04 +0100)]
Add missing braces.
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #2234
Kurt Roeckx [Sat, 14 Jan 2017 15:10:25 +0000 (16:10 +0100)]
Fix undefined behaviour when printing the X509 and CRL version
Found by oss-fuzz
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2231
Kurt Roeckx [Sun, 15 Jan 2017 11:33:45 +0000 (12:33 +0100)]
Fix VC warnings about unary minus to an unsigned type.
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2230
Kurt Roeckx [Sat, 14 Jan 2017 14:58:42 +0000 (15:58 +0100)]
Fix undefined behaviour when printing the X509 serial
Found by afl
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2230
Dr. Stephen Henson [Fri, 13 Jan 2017 17:41:48 +0000 (17:41 +0000)]
Add client cert type tests
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2224)
Dr. Stephen Henson [Thu, 12 Jan 2017 14:52:31 +0000 (14:52 +0000)]
Add certificate selection tests.
Add certifcate selection tests: the certificate type is selected by cipher
string and signature algorithm.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2224)
Dr. Stephen Henson [Thu, 12 Jan 2017 13:58:48 +0000 (13:58 +0000)]
add ECDSA test server certificate
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2224)
Dr. Stephen Henson [Sun, 8 Jan 2017 19:30:41 +0000 (19:30 +0000)]
Add options to check certificate types.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2224)
Rich Salz [Fri, 13 Jan 2017 16:00:26 +0000 (11:00 -0500)]
Fix "failure rate" bugs
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2228)
Richard Levitte [Thu, 12 Jan 2017 22:13:17 +0000 (23:13 +0100)]
Clarify what RUN_ONCE returns
RUN_ONCE really just returns 0 on failure or whatever the init
function returned. By convention, however, the init function must
return 0 on failure and 1 on success. This needed to be clarified.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2225)
Richard Levitte [Fri, 13 Jan 2017 11:03:16 +0000 (12:03 +0100)]
Fix no-ocsp
The use of EXFLAG_SET requires the inclusion of openssl/x509v3.h.
openssl/ocsp.h does that, except when OCSP is disabled.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2227)
Richard Levitte [Fri, 13 Jan 2017 10:19:48 +0000 (11:19 +0100)]
UI: Use RUN_ONCE differently
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2222)
Richard Levitte [Thu, 12 Jan 2017 19:22:12 +0000 (20:22 +0100)]
UI: Ensure there will be no race condition when getting the UI_METHOD ex_data
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2222)
Rich Salz [Thu, 12 Jan 2017 21:39:41 +0000 (16:39 -0500)]
Make X509_Digest,others public
Also, if want SHA1 then use the pre-computed value if there.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2223)
Rich Salz [Thu, 12 Jan 2017 19:15:13 +0000 (14:15 -0500)]
Rename file so "ls" works on 80 columns
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2221)
Rich Salz [Thu, 12 Jan 2017 17:22:12 +0000 (12:22 -0500)]
Add documentation
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1252)
Rich Salz [Fri, 8 Jul 2016 17:40:08 +0000 (13:40 -0400)]
Add "random malloc failure" tooling
Still needs to be documented, somehow/somewhere.
The env var OPENSSL_MALLOC_FAILURES controls how often malloc/realloc
should fail. It's a set of fields separated by semicolons. Each field
is a count and optional percentage (separated by @) which defaults to 100.
If count is zero then it lasts "forever." For example: 100;@25 means the
first 100 allocations pass, then the rest have a 25% chance of failing
until the program exits or crashes.
If env var OPENSSL_MALLOC_FD parses as a positive integer, a record
of all malloc "shouldfail" tests is written to that file descriptor.
If a malloc will fail, and OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE is not set
(platform specific), then a backtrace will be written to the descriptor
when a malloc fails. This can be useful because a malloc may fail but
not be checked, and problems will only occur later.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1252)
Rich Salz [Tue, 10 Jan 2017 21:18:33 +0000 (16:18 -0500)]
GH2176: Add X509_VERIFY_PARAM_get_time
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2208)
Rich Salz [Thu, 12 Jan 2017 13:20:54 +0000 (08:20 -0500)]
Review comments; fail build if nits found
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2202)
Richard Levitte [Tue, 10 Jan 2017 03:41:26 +0000 (22:41 -0500)]
Run find-doc-nits in travis
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2202)
Richard Levitte [Thu, 12 Jan 2017 14:17:42 +0000 (15:17 +0100)]
UI documentation fixup
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2218)
Richard Levitte [Thu, 12 Jan 2017 12:07:39 +0000 (13:07 +0100)]
UI: fix uitest for VMS
- On VMS, apps/apps.c depends on apps/vms_term_sock.c, so add it to
the build
- On VMS, apps/*.c are compiled with default symbol settings,
i.e. uppercased and truncated symbols, which differs from test
programs. Make sure uitest.c knows that with a few pragmas.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2218)
Richard Levitte [Thu, 12 Jan 2017 10:08:36 +0000 (11:08 +0100)]
UI: fix uitest for no-ui configuration
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2218)
Matt Caswell [Thu, 12 Jan 2017 09:48:38 +0000 (09:48 +0000)]
Fix no-dh builds
One of the new tests uses a DH based ciphersuite. That test should be
disabled if DH is disabled.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2217)
Matt Caswell [Wed, 11 Jan 2017 10:35:15 +0000 (10:35 +0000)]
Fix compilation with no-nextprotoneg
A guard was in the wrong place in the header file.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2212)
Richard Levitte [Tue, 10 Jan 2017 23:13:59 +0000 (00:13 +0100)]
Add a test "uitest"
It tests both the use of UI_METHOD (through the apps/apps.h API) and
wrapping an older style PEM password callback in a UI_METHOD.
Replace the earlier UI test with a run of this test program
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)
Richard Levitte [Tue, 10 Jan 2017 23:12:01 +0000 (00:12 +0100)]
Add a few documentation lines about UI_OpenSSL()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)
Richard Levitte [Tue, 10 Jan 2017 08:02:40 +0000 (09:02 +0100)]
Document the UI utility functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)
Richard Levitte [Mon, 9 Jan 2017 13:26:55 +0000 (14:26 +0100)]
make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)
Richard Levitte [Tue, 6 Dec 2016 13:36:43 +0000 (14:36 +0100)]
Add a UI utility function with which to wrap pem_callback_cb in a UI_METHOD
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)
Richard Levitte [Tue, 6 Dec 2016 13:36:04 +0000 (14:36 +0100)]
Add an application data field in the UI_METHOD
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)
Richard Levitte [Tue, 6 Dec 2016 13:34:52 +0000 (14:34 +0100)]
Constify the input parameter to UI_method_get_*
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)
Richard Levitte [Tue, 6 Dec 2016 03:17:18 +0000 (04:17 +0100)]
Enable apps to get a UI_METHOD for the default prompter
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)
Matt Caswell [Tue, 10 Jan 2017 14:38:09 +0000 (14:38 +0000)]
Fix no-ec following sigalgs refactor
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Tue, 10 Jan 2017 14:23:02 +0000 (14:23 +0000)]
Fix tls1_set_sigalgs() length calculation
The length passed to tls1_set_sigalgs() is a multiple of two and there are
two char entries in the list for each sigalg. When we set
client_sigalgslen or conf_sigalgslen this is the number of ints in the list
where there is one entry per sigalg (i.e. half the length of the list passed
to the function).
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Tue, 10 Jan 2017 13:45:24 +0000 (13:45 +0000)]
Add some missing sigalgs
The SHA1 sigalgs were inadvertently missed off in the sigalgs refactor.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Tue, 10 Jan 2017 11:30:57 +0000 (11:30 +0000)]
Fix an uninit read picked up by Travis
The siglen value needs to be initialised prior to it being read in the
call to EVP_DigestSignFinal later in this function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Tue, 10 Jan 2017 09:38:30 +0000 (09:38 +0000)]
Fix a Travis failure
Declare a variable as static to silence the warning
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Thu, 5 Jan 2017 14:40:00 +0000 (14:40 +0000)]
Add some signature tests
Check that signatures actually work, and that an incorrect signature
results in a handshake failure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Thu, 5 Jan 2017 12:34:46 +0000 (12:34 +0000)]
Teach TLSProxy how to re-encrypt a TLSv1.3 message after changes
This enables us to make changes to in-flight TLSv1.3 messages that appear
after the ServerHello.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Thu, 5 Jan 2017 12:32:06 +0000 (12:32 +0000)]
Extend ServerKeyExchange parsing to work with a signature
Previously SKE in TLSProxy only knew about one anonymous ciphersuite so
there was never a signature. Extend that to include a ciphersuite that is
not anonymous. This also fixes a bug where the existing SKE processing was
checking against the wrong anon ciphersuite value. This has a knock on
impact on the sslskewith0p test. The bug meant the test was working...but
entirely by accident!
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Thu, 5 Jan 2017 12:28:40 +0000 (12:28 +0000)]
Teach TLSProxy about the CertificateVerify message
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Tue, 3 Jan 2017 13:43:56 +0000 (13:43 +0000)]
Teach SSL_trace about the new sigalgs
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Tue, 3 Jan 2017 10:40:14 +0000 (10:40 +0000)]
Add a sigalg test to check we only allow sigalgs we sent
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Tue, 3 Jan 2017 10:01:39 +0000 (10:01 +0000)]
Extend PSS signature support to TLSv1.2
TLSv1.3 introduces PSS based sigalgs. Offering these in a TLSv1.3 client
implies that the client is prepared to accept these sigalgs even in
TLSv1.2.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Mon, 2 Jan 2017 11:52:57 +0000 (11:52 +0000)]
Fix test_sslversions to know that TLSv1.3 sets record version to TLSv1.0
This also acts as a test for the bug fixed in the previous commit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Mon, 2 Jan 2017 11:40:16 +0000 (11:40 +0000)]
Always use TLSv1.0 for record layer version in TLSv1.3
TLSv1.3 freezes the record layer version and ensures that it is always set
to TLSv1.0. Some implementations check this.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Fri, 30 Dec 2016 15:25:47 +0000 (15:25 +0000)]
Add a TLS1.3 TODO for setting of sig algs
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Fri, 30 Dec 2016 11:27:24 +0000 (11:27 +0000)]
Add some sig algs tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Fri, 30 Dec 2016 14:08:19 +0000 (14:08 +0000)]
Ignore PKCS1 based sig algs in TLSv1.3
In TLSv1.3 we must use PSS based sig algs for RSA signing. Ignore any
shared sig algs which are PKCS1 based.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Fri, 30 Dec 2016 11:26:39 +0000 (11:26 +0000)]
Verify that the sig algs extension has been sent for TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Thu, 29 Dec 2016 17:11:27 +0000 (17:11 +0000)]
Fix client application traffic secret
A misreading of the TLS1.3 spec meant we were using the handshake hashes
up to and including the Client Finished to calculate the client
application traffic secret. We should be only use up until the Server
Finished.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Thu, 29 Dec 2016 15:08:47 +0000 (15:08 +0000)]
Temporarily ignore NewSessionTickets for TLS1.3
We can't handle these messages yet, so ignore them for now.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Thu, 15 Dec 2016 00:28:47 +0000 (00:28 +0000)]
Use the correct size for TLSv1.3 finished keys
We need to use the length of the handshake hash for the length of the
finished key.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Wed, 14 Dec 2016 17:27:15 +0000 (17:27 +0000)]
Ensure the record sequence number gets incremented
We were not incrementing the sequence number every time we sent/received
a record.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Wed, 14 Dec 2016 16:50:14 +0000 (16:50 +0000)]
Remove some unneeded functions
The sigalgs work has made some old lookup tables and functions redundant
so remove them.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Wed, 14 Dec 2016 16:37:48 +0000 (16:37 +0000)]
Use NIDs instead of the old TLSv1.2 sigalgs hash and sig ids
We had an extra layer of indirection in looking up hashes and sigs based
on sigalgs which is now no longer necessary. This removes it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Wed, 14 Dec 2016 14:39:38 +0000 (14:39 +0000)]
Remove a redundant function
The extensions refactor made this function redundant so we can remove it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Wed, 14 Dec 2016 14:31:21 +0000 (14:31 +0000)]
Convert Sigalgs processing to use ints
In TLSv1.2 an individual sig alg is represented by 1 byte for the hash
and 1 byte for the signature. In TLSv1.3 each sig alg is represented by
two bytes, where the two bytes together represent a single hash and
signature combination. This converts the internal representation of sigalgs
to use a single int for the pair, rather than a pair of bytes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Thu, 8 Dec 2016 16:02:51 +0000 (16:02 +0000)]
Sign CertificateVerify messages using PSS padding
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Mon, 5 Dec 2016 17:04:51 +0000 (17:04 +0000)]
Make CertificateVerify TLS1.3 aware
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Mon, 5 Dec 2016 14:59:25 +0000 (14:59 +0000)]
Move Certificate Verify construction and processing into statem_lib.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Matt Caswell [Mon, 5 Dec 2016 14:58:51 +0000 (14:58 +0000)]
Add a TODO(TLS1.3) around certificate selection
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)
Rich Salz [Tue, 10 Jan 2017 20:40:27 +0000 (15:40 -0500)]
Fix typo in Blake2 function names
Fixes GitHub issue 2169.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2207)
Kurt Roeckx [Thu, 20 Oct 2016 18:49:22 +0000 (20:49 +0200)]
Print the X509 version signed, and convert to unsigned for the hex version.
Found by tis-interpreter
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1754