0d9824c1 | 08-Nov-2016 | Matt Caswell
Implement tls13_change_cipher_state()
Reviewed-by: Rich Salz <rsalz@openssl.org>

94ed2c67 | 14-Nov-2016 | Matt Caswell
Fixed various style issues in the key_share code
Numerous style issues as well as references to TLS1_3_VERSION instead of SSL_IS_TLS13(s)
Reviewed-by: Rich Salz <rsalz@openssl.org>

0f1e51ea | 02-Nov-2016 | Matt Caswell
Start using the key_share data to derive the PMS
The previous commits put in place the logic to exchange key_share data. We now need to do something with that information. In <= TLSv1.2 the equivalent of the key_share extension is the ServerKeyExchange and ClientKeyExchange messages. With key_share those two messages are no longer necessary.

The commit removes the SKE and CKE messages from the TLSv1.3 state machine. TLSv1.3 is completely different to TLSv1.2 in the messages that it sends and the transitions that are allowed. Therefore, rather than extend the existing <=TLS1.2 state transition functions, we create a whole new set for TLSv1.3. Initially these are still based on the TLSv1.2 ones, but over time they will be amended. The new TLSv1.3 transitions remove SKE and CKE completely.

There's also some cleanup for some stuff which is not relevant to TLSv1.3 and is easy to remove, e.g. the DTLS support (we're not doing DTLSv1.3 yet) and NPN. I also disable EXTMS for TLSv1.3. Using it was causing some added complexity, so rather than fix it I removed it, since eventually it will not be needed anyway.
Reviewed-by: Rich Salz <rsalz@openssl.org>

d7c42d71 | 01-Nov-2016 | Matt Caswell
Add processing of the key_share received in the ServerHello
Reviewed-by: Rich Salz <rsalz@openssl.org>

b1834ad7 | 01-Nov-2016 | Matt Caswell
Add the key_share processing to the server side
At the moment the server doesn't yet do anything with this information. We still need to send the server's key_share info back to the client. That will happen in subsequent commits.
Reviewed-by: Rich Salz <rsalz@openssl.org>

b612799a | 15-Nov-2016 | Richard Levitte
Revert "Remove heartbeats completely"
Done too soon, this is for future OpenSSL 1.2.0
This reverts commit 6c62f9e1639a7d1a879f363a99882920104dfedb.
Reviewed-by: Rich Salz <rsalz@openssl.org>

6c62f9e1 | 06-Oct-2016 | Richard Levitte
Remove heartbeats completely
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1669)

801cb720 | 31-Oct-2016 | Matt Caswell
Fix make update following extensions refactor
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

1ab3836b | 22-Oct-2016 | Matt Caswell
Refactor ClientHello processing so that extensions get parsed earlier
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

7ee8627f | 07-Sep-2016 | Matt Caswell
Convert libssl writing for size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>

eda75751 | 06-Sep-2016 | Matt Caswell
Further libssl size_t-ify of reading
Writing still to be done
Reviewed-by: Rich Salz <rsalz@openssl.org>

5923ad4b | 29-Sep-2016 | Matt Caswell
Don't set the handshake header in every message
Move setting the handshake header up a level into the state machine code in order to reduce boilerplate.
Reviewed-by: Rich Salz <rsalz@openssl.org>

cc59ad10 | 29-Sep-2016 | Matt Caswell
Convert CertStatus message construction to WPACKET
Reviewed-by: Rich Salz <rsalz@openssl.org>

83ae4661 | 29-Sep-2016 | Matt Caswell
Fix missing NULL checks in NewSessionTicket construction
Reviewed-by: Rich Salz <rsalz@openssl.org>

af58be76 | 21-Sep-2016 | Matt Caswell
Don't allow too many consecutive warning alerts
Certain warning alerts are ignored if they are received. This can mean that no progress will be made if one peer continually sends those warning alerts. Implement a count so that we abort the connection if we receive too many.
Issue reported by Shi Lei.
Reviewed-by: Rich Salz <rsalz@openssl.org>

3c106325 | 21-Sep-2016 | Matt Caswell
make update and fix some associated mis-matched error codes
Reviewed-by: Richard Levitte <levitte@openssl.org>

15e6be6c | 14-Sep-2016 | Matt Caswell
Convert NextProto message construction to WPACKET
Reviewed-by: Rich Salz <rsalz@openssl.org>

2c7b4dbc | 03-Aug-2016 | Matt Caswell
Convert tls_construct_client_hello() to use PACKETW
Reviewed-by: Rich Salz <rsalz@openssl.org>

1fb9fdc3 | 01-Jul-2016 | Matt Caswell
Fix DTLS replay protection
The DTLS implementation provides some protection against replay attacks in accordance with RFC6347 section 4.1.2.6. A sliding "window" of valid record sequence numbers is maintained with the "right" hand edge of the window set to the highest sequence number we have received so far. Records that arrive that are off the "left" hand edge of the window are rejected. Records within the window are checked against a list of records received so far. If we already received it then we also reject the new record. If we have not already received the record, or the sequence number is off the right hand edge of the window then we verify the MAC of the record. If MAC verification fails then we discard the record. Otherwise we mark the record as received. If the sequence number was off the right hand edge of the window, then we slide the window along so that the right hand edge is in line with the newly received sequence number.

Records may arrive for future epochs, i.e. a record from after a CCS being sent, can arrive before the CCS does if the packets get re-ordered. As we have not yet received the CCS we are not yet in a position to decrypt or validate the MAC of those records. OpenSSL places those records on an unprocessed records queue. It additionally updates the window immediately, even though we have not yet verified the MAC. This will only occur if currently in a handshake/renegotiation.

This could be exploited by an attacker by sending a record for the next epoch (which does not have to decrypt or have a valid MAC), with a very large sequence number. This means the right hand edge of the window is moved very far to the right, and all subsequent legitimate packets are dropped causing a denial of service.

A similar effect can be achieved during the initial handshake. In this case there is no MAC key negotiated yet. Therefore an attacker can send a message for the current epoch with a very large sequence number. The code will process the record as normal. If the handshake message sequence number (as opposed to the record sequence number that we have been talking about so far) is in the future then the injected message is buffered to be handled later, but the window is still updated. Therefore all subsequent legitimate handshake records are dropped. This aspect is not considered a security issue because there are many ways for an attacker to disrupt the initial handshake and prevent it from completing successfully (e.g. injection of a handshake message will cause the Finished MAC to fail and the handshake to be aborted).

This issue comes about as a result of trying to do replay protection, but having no integrity mechanism in place yet. Does it even make sense to have replay protection in epoch 0? That issue isn't addressed here though.

This addressed an OCAP Audit issue.

CVE-2016-2181
Reviewed-by: Richard Levitte <levitte@openssl.org>

fddfc0af | 06-Aug-2016 | Remi Gacogne
Add missing session id and tlsext_status accessors
* SSL_SESSION_set1_id()
* SSL_SESSION_get0_id_context()
* SSL_CTX_get_tlsext_status_cb()
* SSL_CTX_get_tlsext_status_arg()
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

69588edb | 12-Jul-2016 | Kurt Roeckx
Check for errors allocating the error strings.
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #1330

4fa88861 | 08-Jul-2016 | Matt Caswell
Update error codes following tls_process_key_exchange() refactor
Reviewed-by: Richard Levitte <levitte@openssl.org>

bbba0a7d | 19-Jul-2016 | Richard Levitte
make update
Reviewed-by: Rich Salz <rsalz@openssl.org>

05ec6a25 | 08-Jul-2016 | Matt Caswell
Fix up error codes after splitting up tls_construct_key_exchange()
Reviewed-by: Richard Levitte <levitte@openssl.org>

c76a4aea | 06-Jul-2016 | Matt Caswell
Errors fix up following break up of CKE processing
Reviewed-by: Richard Levitte <levitte@openssl.org>