Matt Caswell [Wed, 23 Nov 2016 22:12:56 +0000 (22:12 +0000)]
Fix missing NULL checks in key_share processing
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Wed, 23 Nov 2016 22:12:40 +0000 (22:12 +0000)]
Fix missing NULL checks in CKE processing
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Wed, 23 Nov 2016 13:56:15 +0000 (13:56 +0000)]
Use ClientHello.legacy_version for the RSA pre-master no matter what
Don't use what is in supported_versions for the RSA pre-master
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Matt Caswell [Wed, 23 Nov 2016 13:55:35 +0000 (13:55 +0000)]
Fix some defines in ossl_shim
ossl_shim had some TLS1.3 defines that are now in ssl.h so need to be
removed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Matt Caswell [Wed, 23 Nov 2016 16:09:30 +0000 (16:09 +0000)]
Fix a double ;; causing a travis failure
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Wed, 23 Nov 2016 16:06:46 +0000 (16:06 +0000)]
Fix an uninit variable usage
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Thu, 17 Nov 2016 11:12:20 +0000 (11:12 +0000)]
Update tls13secretstest to use the new simpler test framework
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Wed, 23 Nov 2016 15:38:32 +0000 (15:38 +0000)]
Fix some style issues with TLSv1.3 state machine PR
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Mon, 21 Nov 2016 12:10:35 +0000 (12:10 +0000)]
Fix some style issues identified during review
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Mon, 21 Nov 2016 13:24:50 +0000 (13:24 +0000)]
Fix SSL_IS_TLS13(s)
The SSL_IS_TLS13() macro wasn't quite right. It would come back with true
in the case where we haven't yet negotiated TLSv1.3, but it could be
negotiated.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 15 Nov 2016 14:53:37 +0000 (14:53 +0000)]
Extend test_tls13messages
Add various different handshake types that are possible.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 15 Nov 2016 14:22:29 +0000 (14:22 +0000)]
Add an s_server capability to read an OCSP Response from a file
Current s_server can only get an OCSP Response from an OCSP responder. This
provides the capability to instead get the OCSP Response from a DER encoded
file.
This should make testing of OCSP easier.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 15 Nov 2016 13:26:12 +0000 (13:26 +0000)]
Add a test for the TLSv1.3 state machine
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 15 Nov 2016 11:09:25 +0000 (11:09 +0000)]
Fix some TLSProxy warnings
After the client processes the server's initial flight in TLS1.3 it may
respond with either an encrypted, or an unencrypted alert. We needed to
teach TLSProxy about this so that it didn't issue spurious warnings.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 15 Nov 2016 10:30:34 +0000 (10:30 +0000)]
Ensure unexpected messages are handled consistently
In one case we weren't always sending an unexpected message alert if we
don't get what we expect.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 15 Nov 2016 10:13:09 +0000 (10:13 +0000)]
Ensure the end of first server flight processing is done
There is a set of miscellaneous processing for OCSP, CT etc at the end of
the ServerDone processing. In TLS1.3 we don't have a ServerDone, so this
needs to move elsewhere.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Fri, 11 Nov 2016 16:22:19 +0000 (16:22 +0000)]
Fix the tests following the state machine changes for TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Fri, 11 Nov 2016 00:20:19 +0000 (00:20 +0000)]
Create the Finished message payload
The previous commit had a dummy payload for the Finished data. This commit
fills it in with a real value.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Wed, 9 Nov 2016 14:06:12 +0000 (14:06 +0000)]
Update state machine to be closer to TLS1.3
This is a major overhaul of the TLSv1.3 state machine. Currently it still
looks like TLSv1.2. This commit changes things around so that it starts
to look a bit less like TLSv1.2 and bit more like TLSv1.3.
After this commit we have:
ClientHello
+ key_share ---->
ServerHello
+key_share
{CertificateRequest*}
{Certificate*}
{CertificateStatus*}
<---- {Finished}
{Certificate*}
{CertificateVerify*}
{Finished} ---->
[ApplicationData] <---> [Application Data]
Key differences between this intermediate position and the final TLSv1.3
position are:
- No EncryptedExtensions message yet
- No server side CertificateVerify message yet
- CertificateStatus still exists as a separate message
- A number of the messages are still in the TLSv1.2 format
- Still running on the TLSv1.2 record layer
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 8 Nov 2016 23:20:31 +0000 (23:20 +0000)]
Implement tls13_change_cipher_state()
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 8 Nov 2016 16:10:21 +0000 (16:10 +0000)]
Remove old style NewSessionTicket from TLSv1.3
TLSv1.3 has a NewSessionTicket message, but it is *completely* different to
the TLSv1.2 one and may as well have been called something else. This commit
removes the old style NewSessionTicket from TLSv1.3. We will have to add the
new style one back in later.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 22 Nov 2016 09:31:12 +0000 (09:31 +0000)]
Fix EXTMS error introduced by commit
94ed2c6
Commit
94ed2c6 dropped a ! operator by mistake, which causes extended
master secret connections to fail. This puts in back.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Tue, 22 Nov 2016 10:22:16 +0000 (11:22 +0100)]
Clarify what X509_NAME_online does with the given buffer and size
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1980)
Kurt Roeckx [Mon, 21 Nov 2016 21:15:11 +0000 (22:15 +0100)]
Add missing -zdelete for some linux arches
b6d5ba1a9f004d637acac18ae3519fe063b6b5e1 forgot to update some linux arches.
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #1977
Todd Short [Thu, 17 Nov 2016 16:56:47 +0000 (11:56 -0500)]
Skipping tests in evp_test leaks memory
When configured with "no-mdc2 enable-crypto-mdebug" the evp_test
will leak memory due to skipped tests, and error out.
Also fix a skip condition
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1968)
Kurt Roeckx [Tue, 15 Nov 2016 17:58:52 +0000 (18:58 +0100)]
Make SSL_read and SSL_write return the old behaviour and document it.
This reverts commit
4880672a9b41a09a0984b55e219f02a2de7ab75e.
Fixes: #1903
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #1931
Dr. Stephen Henson [Sat, 19 Nov 2016 21:52:34 +0000 (21:52 +0000)]
Add test to check EVP_PKEY method ordering.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Robert Scheck [Thu, 17 Nov 2016 23:01:28 +0000 (00:01 +0100)]
Avoid warnings like unused enum value (as suggested by Rich Salz)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1945)
Robert Scheck [Thu, 17 Nov 2016 20:08:49 +0000 (21:08 +0100)]
Shift inside of switch back one level (code style change, as requested by Rich Salz)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1945)
Robert Scheck [Thu, 17 Nov 2016 16:16:50 +0000 (17:16 +0100)]
Add LMTP support (RFC 2033) to s_client ("-starttls lmtp")
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1945)
Beat Bolli [Fri, 18 Nov 2016 08:47:50 +0000 (09:47 +0100)]
Use consistent variable names in example
In the X509_NAME_get_index_by_NID.pod example, the initialized variable is called
"loc", but the one used in the for loop is called "lastpos". Make the names match.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1949)
Beat Bolli [Fri, 18 Nov 2016 09:17:28 +0000 (10:17 +0100)]
Update the location of the pod files
CLA: trivial
Since
99d63d4 ("Move manpages to man[1357] structure.", 2016-10-26), the location
of the pod files has changed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1951)
Kurt Roeckx [Sat, 3 Sep 2016 19:27:30 +0000 (21:27 +0200)]
Fix name of "locked" variable
It's called with 0 when it's already locked, with 1 when it's not.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1500
Kurt Roeckx [Sat, 27 Aug 2016 14:01:08 +0000 (16:01 +0200)]
Add support for reference counting using C11 atomics
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1500
Dr. Stephen Henson [Thu, 17 Nov 2016 13:17:28 +0000 (13:17 +0000)]
Support MSBLOB format if RC4 is disabled
Reviewed-by: Matt Caswell <matt@openssl.org>
Andy Polyakov [Sun, 13 Nov 2016 21:32:09 +0000 (22:32 +0100)]
sha/asm/sha512-armv8.pl: fix big-endian support in __KERNEL__ case.
In non-__KERNEL__ context 32-bit-style __ARMEB__/__ARMEL__ macros were
set in arm_arch.h, which is shared between 32- and 64-bit builds. Since
it's not included in __KERNEL__ case, we have to adhere to official
64-bit pre-defines, __AARCH64EB__/__AARCH64EL__.
[If we are to share more code, it would need similar adjustment.]
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 16 Nov 2016 10:22:38 +0000 (10:22 +0000)]
Fix missing SSL_IS_TLS13(s) usage
We should use the macro for testing if we are using TLSv1.3 rather than
checking s->version directly.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Nicola Tuveri [Fri, 7 Oct 2016 14:23:17 +0000 (17:23 +0300)]
Handle "int_ctx_new:unsupported algorithm" error
Calling EVP_PKEY_CTX_new_id(curve_NID, NULL) causes an error for most
curves that are implemented through the EC low-level API, and in the
last commit we call it for every curve to avoid treating X25519 as a
special case.
Last commit code already handles correctly this failure, but does not
remove these events from the thread error queue, thus some
false-positive warnings are printed at the end of execution.
This commit ensures that the error queue is clean, without flushing
other errors.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)
Nicola Tuveri [Fri, 7 Oct 2016 13:24:22 +0000 (16:24 +0300)]
Do not handle R_EC_X25519 as a special case
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)
Nicola Tuveri [Fri, 7 Oct 2016 11:59:32 +0000 (14:59 +0300)]
Remove leftover KDF pointer
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)
Nicola Tuveri [Thu, 6 Oct 2016 10:17:00 +0000 (13:17 +0300)]
Use CRYPTO_memcmp for comparing derived secrets
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)
Nicola Tuveri [Tue, 4 Oct 2016 13:40:47 +0000 (16:40 +0300)]
Reintroduce preliminary sanity check in ECDH speed and remove further checks in the benchmark loop.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)
Nicola Tuveri [Tue, 4 Oct 2016 12:56:49 +0000 (15:56 +0300)]
Remove ECDH_EVP_derive_key wrapper function
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)
Nicola Tuveri [Tue, 4 Oct 2016 12:50:11 +0000 (15:50 +0300)]
More coding style fixes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)
Nicola Tuveri [Tue, 4 Oct 2016 06:20:49 +0000 (09:20 +0300)]
Run util/openssl-format-source against apps/speed.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)
Nicola Tuveri [Tue, 4 Oct 2016 06:17:11 +0000 (09:17 +0300)]
bugfix: calculate outlen for each curve
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)
Nicola Tuveri [Mon, 3 Oct 2016 22:30:54 +0000 (01:30 +0300)]
Handle EVP_PKEY_derive errors and fix coding style issues
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)
Nicola Tuveri [Mon, 3 Oct 2016 19:16:07 +0000 (22:16 +0300)]
Fix coding style and remove some stale code/comments
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)
Nicola Tuveri [Mon, 3 Oct 2016 17:28:32 +0000 (20:28 +0300)]
Use EVP interface for ECDH in apps/speed.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)
Dr. Stephen Henson [Wed, 16 Nov 2016 23:04:14 +0000 (23:04 +0000)]
Add conversion test for MSBLOB format.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Wed, 16 Nov 2016 23:14:30 +0000 (23:14 +0000)]
Make MSBLOB format work with dsa utility.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Wed, 16 Nov 2016 23:03:43 +0000 (23:03 +0000)]
Fix MSBLOB format with RSA.
Reviewed-by: Rich Salz <rsalz@openssl.org>
FdaSilvaYY [Wed, 9 Nov 2016 23:54:03 +0000 (00:54 +0100)]
Raise an error on memory alloc failure.
Both strdup or malloc failure should raise à err.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1905)
FdaSilvaYY [Fri, 11 Nov 2016 09:58:34 +0000 (10:58 +0100)]
Missing free item on push failure
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1905)
Rich Salz [Sun, 13 Nov 2016 06:00:44 +0000 (01:00 -0500)]
Merge find-undoc-api into find-doc-nits
Use \b on NOEXIST and EXPORT_VAR_AS_FUNC patterns as suggested by Andy.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1912)
Rob Percival [Wed, 19 Oct 2016 14:42:05 +0000 (15:42 +0100)]
Move SCT_LIST_free definition into a more logical place
This reflects its position in include/openssl/ct.h.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
Rob Percival [Wed, 19 Oct 2016 14:40:46 +0000 (15:40 +0100)]
Make sure things get deleted when test setup fails in ct_test.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
Rob Percival [Wed, 19 Oct 2016 14:39:13 +0000 (15:39 +0100)]
Use valid signature in test_decode_tls_sct()
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
Rob Percival [Wed, 19 Oct 2016 14:38:20 +0000 (15:38 +0100)]
Pass a temporary pointer to o2i_SCT_signature from SCT_new_from_base64
Otherwise, |dec| gets moved past the end of the signature by
o2i_SCT_signature and then can't be correctly freed afterwards.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
Rob Percival [Wed, 19 Oct 2016 14:11:04 +0000 (15:11 +0100)]
Subtract padding from outlen in ct_base64_decode
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
Rob Percival [Wed, 7 Sep 2016 16:47:56 +0000 (17:47 +0100)]
Construct SCT from base64 in ct_test
This gives better code coverage and is more representative of how a
user would likely construct an SCT (using the base64 returned by a CT log).
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
Richard Levitte [Tue, 15 Nov 2016 08:56:20 +0000 (09:56 +0100)]
On x86 machines where the compiler supports -m32, use 'linux-x86'
The rationale is that the linux-x86 is the most likely config target
to evolve and should therefore be chosen when possible, while
linux-elf is mostly reserved for older Linux machines.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1924)
Richard Levitte [Tue, 15 Nov 2016 08:53:01 +0000 (09:53 +0100)]
Add a modern linux-x86 config target
'linux-x86' is similar to 'linux-x86_64' but uses -m32 rather than -m64.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1924)
Matt Caswell [Tue, 15 Nov 2016 16:49:37 +0000 (16:49 +0000)]
Fix a "defined but not used" warning when enabling ssl-trace
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 15 Nov 2016 16:31:26 +0000 (16:31 +0000)]
Remove a hack from ssl_test_old
ssl_test_old was reaching inside the SSL structure and changing the internal
BIO values. This is completely unneccessary, and was causing an abort in the
test when enabling TLSv1.3.
I also removed the need for ssl_test_old to include ssl_locl.h. This
required the addition of some missing accessors for SSL_COMP name and id
fields.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Mon, 14 Nov 2016 11:37:36 +0000 (11:37 +0000)]
Add SSL_peek() and SSL_peek_ex() to NAME section
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 15 Nov 2016 17:50:48 +0000 (17:50 +0000)]
Fix a typo in a comment
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 15 Nov 2016 17:50:08 +0000 (17:50 +0000)]
Move getting the curvelist for client and server out of the loop
No need to continually get the list of supported curves for the client
and server. Just do it once.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Mon, 14 Nov 2016 14:53:31 +0000 (14:53 +0000)]
Fixed various style issues in the key_share code
Numerous style issues as well as references to TLS1_3_VERSION instead of
SSL_IS_TLS13(s)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Thu, 3 Nov 2016 18:51:28 +0000 (18:51 +0000)]
Add some tests for the key_share extension
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Fri, 4 Nov 2016 09:49:16 +0000 (09:49 +0000)]
Check key_exchange data length is not 0
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Fri, 4 Nov 2016 00:07:50 +0000 (00:07 +0000)]
Ensure the whole key_share extension is well formatted
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Thu, 3 Nov 2016 18:50:41 +0000 (18:50 +0000)]
Validate that the provided key_share is in supported_groups
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Wed, 2 Nov 2016 15:03:56 +0000 (15:03 +0000)]
Start using the key_share data to derive the PMS
The previous commits put in place the logic to exchange key_share data. We
now need to do something with that information. In <= TLSv1.2 the equivalent
of the key_share extension is the ServerKeyExchange and ClientKeyExchange
messages. With key_share those two messages are no longer necessary.
The commit removes the SKE and CKE messages from the TLSv1.3 state machine.
TLSv1.3 is completely different to TLSv1.2 in the messages that it sends
and the transitions that are allowed. Therefore, rather than extend the
existing <=TLS1.2 state transition functions, we create a whole new set for
TLSv1.3. Intially these are still based on the TLSv1.2 ones, but over time
they will be amended.
The new TLSv1.3 transitions remove SKE and CKE completely. There's also some
cleanup for some stuff which is not relevant to TLSv1.3 and is easy to
remove, e.g. the DTLS support (we're not doing DTLSv1.3 yet) and NPN.
I also disable EXTMS for TLSv1.3. Using it was causing some added
complexity, so rather than fix it I removed it, since eventually it will not
be needed anyway.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Thu, 3 Nov 2016 15:05:27 +0000 (15:05 +0000)]
Add a TLS version consistency check during session resumption
This is a temporary fix for while we are still using the old session
resumption logic in the TLSv1.3 code. Due to differences in EXTMS support
we can't resume a <=TLSv1.2 session in a TLSv1.3 connection (the EXTMS
consistency check causes the connection to abort). This causes test
failures.
Ultimately we will rewrite the session resumption logic for TLSv1.3 so this
problem will go away. But until then we need a quick fix to keep the tests
happy.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 1 Nov 2016 14:09:19 +0000 (14:09 +0000)]
Add processing of the key_share received in the ServerHello
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 1 Nov 2016 13:24:02 +0000 (13:24 +0000)]
Add key_share info to the ServerHello
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 1 Nov 2016 11:17:10 +0000 (11:17 +0000)]
Update the trace code to know about the key_share extension
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 1 Nov 2016 10:53:32 +0000 (10:53 +0000)]
Add the key_share processing to the server side
At the moment the server doesn't yet do anything with this information.
We still need to send the server's key_share info back to the client. That
will happen in subsequent commits.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Mon, 31 Oct 2016 14:49:52 +0000 (14:49 +0000)]
Generate the key_shares extension on the client side
In this commit we just generate the extension on the client side, but don't
yet do anything with it. Subsequent commits, will add the server side
capability.
At the moment we hard code a single key_share. In the future we should make
this configurable.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Rich Salz [Tue, 15 Nov 2016 23:54:28 +0000 (18:54 -0500)]
Check return value of some BN functions.
Factorise multiple bn_get_top(group->field) calls
Add missing checks on some conditional BN_copy return value
Add missing checks on some BN_copy return value
Add missing checks on a few bn_wexpand return value
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1626)
FdaSilvaYY [Thu, 15 Sep 2016 19:16:17 +0000 (21:16 +0200)]
Introduce PATH_MAX and NAME_MAX
to define the certificate filename storage buffer.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1569)
FdaSilvaYY [Mon, 8 Aug 2016 22:34:23 +0000 (00:34 +0200)]
Simplify and fix usage of three string array variable...
using two separated local variables.
buf[1] was unused.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1569)
Rob Percival [Tue, 15 Nov 2016 10:42:57 +0000 (10:42 +0000)]
Add test for CT_POLICY_EVAL_CTX default time
Checks that the epoch_time_in_ms field of CT_POLICY_EVAL_CTX is initialized
to approximately the current time (as returned by time()) by default. This
prevents the addition of this field, and its verification during SCT
validation, from breaking existing code that calls SCT_validate directly.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
Rob Percival [Wed, 14 Sep 2016 19:26:23 +0000 (20:26 +0100)]
Convert C++ comments to C-style comments
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
Rob Percival [Wed, 14 Sep 2016 19:25:01 +0000 (20:25 +0100)]
Cast time_t to uint64_t before converting to milliseconds in ct_policy.c
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
Rob Percival [Mon, 12 Sep 2016 16:02:58 +0000 (17:02 +0100)]
By default, allow SCT timestamps to be up to 5 minutes in the future
As requested in
https://github.com/openssl/openssl/pull/1554#issuecomment-
246371575.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
Rob Percival [Mon, 12 Sep 2016 15:58:29 +0000 (16:58 +0100)]
Don't check for time() failing in CT_POLICY_EVAL_CTX_new
See https://github.com/openssl/openssl/pull/1554#issuecomment-
246354677.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
Rob Percival [Mon, 12 Sep 2016 15:57:38 +0000 (16:57 +0100)]
Default CT_POLICY_EVAL_CTX.epoch_time_in_ms to time()
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
Rob Percival [Mon, 12 Sep 2016 09:28:21 +0000 (10:28 +0100)]
Reword documentation for {SCT_CTX/CT_POLICY_EVAL_CTX}_set_time
Do not call the time "current", as a different time can be provided.
For example, a time slightly in the future, to provide tolerance for
CT logs with a clock that is running fast.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
Rob Percival [Thu, 8 Sep 2016 15:03:26 +0000 (16:03 +0100)]
Remove obsolete error constant CT_F_CTLOG_NEW_NULL
ctlog_new_null() no longer exists.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
Rob Percival [Thu, 8 Sep 2016 15:02:46 +0000 (16:02 +0100)]
Check that SCT timestamps are not in the future
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
Richard Levitte [Mon, 29 Aug 2016 14:58:31 +0000 (16:58 +0200)]
Only build the body of e_padlock when there are lower level routines
engines/e_padlock.c assumes that for all x86 and x86_64 platforms, the
lower level routines will be present. However, that's not always
true, for example for solaris-x86-cc, and that leads to build errors.
The better solution is to have configure detect if the lower level
padlock routines are being built, and define the macro PADLOCK_ASM if
they are, and use that macro in our C code.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1510)
Richard Levitte [Tue, 30 Aug 2016 04:02:50 +0000 (06:02 +0200)]
Make it possible to disable building and running tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1514)
Richard Levitte [Tue, 15 Nov 2016 13:53:33 +0000 (14:53 +0100)]
Revert "Remove heartbeats completely"
Done too soon, this is for future OpenSSL 1.2.0
This reverts commit
6c62f9e1639a7d1a879f363a99882920104dfedb.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Thu, 6 Oct 2016 09:22:28 +0000 (11:22 +0200)]
Remove heartbeats completely
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1669)
Dr. Stephen Henson [Sat, 1 Oct 2016 20:19:41 +0000 (21:19 +0100)]
Simplify PKCS#12 PBE algorithm.
Simplify PKCS#12 PBE algorithm by working out Ij + B + 1 directly
instead of using BIGNUMs.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Mon, 14 Nov 2016 23:58:51 +0000 (00:58 +0100)]
Add a warning stipulating how things should be coded in ossl_init_base
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1922)
Richard Levitte [Mon, 14 Nov 2016 22:53:45 +0000 (23:53 +0100)]
Stop init loops
Under certain circumstances, the libcrypto init code would loop,
causing a deadlock. This would typically happen if something in
ossl_init_base() caused an OpenSSL error, and the error stack routines
would recurse into the init code before the flag that ossl_init_base()
had been run was checked.
This change makes sure ossl_init_base isn't run once more of the base
is initiated.
Thanks to Dmitry Kostjuchenko for the idea.
Fixes Github issue #1899
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1922)
Andy Polyakov [Sat, 12 Nov 2016 15:14:03 +0000 (16:14 +0100)]
Configurations/10-main.conf: remove obsolete flag from solaris-x86-gcc.
Reviewed-by: Rich Salz <rsalz@openssl.org>