f63a17d6 | 21-Nov-2017 | Matt Caswell
Convert the state machine code to use SSLfatal()
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4778)

281bf233 | 14-Nov-2017 | Matt Caswell
If a server is not acknowledging SNI then don't reject early_data
SNI needs to be consistent before we accept early_data. However a server may choose to not acknowledge SNI. In that case we have to expect that a client may send it anyway. We change the consistency checks so that not acknowledging is treated more like a "wild card", accepting any SNI as being consistent.
Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4738)

cf72c757 | 05-Nov-2017 | FdaSilvaYY
Implement Maximum Fragment Length TLS extension.
Based on patch from Tomasz Moń: https://groups.google.com/forum/#!topic/mailing.openssl.dev/fQxXvCg1uQY
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/1008)

3be08e30 | 18-Oct-2017 | Benjamin Kaduk
Provide SSL_CTX.stats.sess_accept for switched ctxs
We currently increment the SSL_CTX stats.sess_accept field in tls_setup_handshake(), which is invoked from the state machine well before ClientHello processing would have had a chance to switch the SSL_CTX attached to the SSL object due to a provided SNI value. However, stats.sess_accept_good is incremented in tls_finish_handshake(), and uses the s->ctx.stats field (i.e., the new SSL_CTX that was switched to as a result of SNI processing). This leads to the confusing (nonsensical) situation where stats.sess_accept_good is larger than stats.sess_accept, as the "sess_accept" value was counted on the s->session_ctx. In order to provide some more useful numbers, increment s->ctx.stats.sess_accept after SNI processing if the SNI processing changed s->ctx to differ from s->session_ctx. To preserve the property that any given accept is counted only once, make the corresponding decrement to s->session_ctx.stats.sess_accept when doing so.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4549)

a2b97bdf | 13-Oct-2017 | Matt Caswell
Don't do version neg on an HRR
Previously if a client received an HRR then we would do version negotiation immediately - because we know we are going to get TLSv1.3. However this causes a problem when we emit the 2nd ClientHello because we start changing a whole load of stuff to omit things that aren't relevant for < TLSv1.3. The spec requires that the 2nd ClientHello is the same except for changes required from the HRR. Therefore the simplest thing to do is to defer the version negotiation until we receive the ServerHello. Fixes #4292
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4527)

9fb6cb81 | 10-Oct-2017 | Matt Caswell
Fix bug where early_data does not work if no SNI callback is present
Fixes #4496
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4519)

f48d826e | 26-Sep-2017 | Dr. Stephen Henson
Change curves to groups where relevant
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4475)

ff6d20a6 | 26-Sep-2017 | Dr. Stephen Henson
Use separate functions for supported and peer groups lists
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4475)

Revision tags: OpenSSL_1_1_0e, OpenSSL_1_0_2k, OpenSSL_1_1_0d, OpenSSL-fips-2_0_15, OpenSSL-fips-2_0_14, OpenSSL_1_1_0c, OpenSSL_1_0_2j, OpenSSL_1_1_0b, OpenSSL_1_0_1u, OpenSSL_1_0_2i, OpenSSL_1_1_0a

a84e5c9a | 01-Sep-2016 | Todd Short
Session resume broken switching contexts
When an SSL's context is switched from a ticket-enabled context to a ticket-disabled context in the servername callback, no session-id is generated, so the session can't be resumed. If a servername callback changes the SSL_OP_NO_TICKET option, check to see if it's changed to disable, and whether a session ticket is expected (i.e. the client indicated ticket support and the SSL had tickets enabled at the time), and whether we already have a previous session (i.e. s->hit is set). In this case, clear the ticket-expected flag, remove any ticket data and generate a session-id in the session. If the SSL hit (resumed) and switched to a ticket-disabled context, assume that the resumption was via session-id, and don't bother to update the session. Before this fix, the updated unit-tests in 06-sni-ticket.conf would fail test #4 (server1 = SNI, server2 = no SNI).
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/1529)

34e5292c | 24-Sep-2017 | Dr. Stephen Henson
Rename tls1_get_curvelist.
Rename tls1_get_curvelist to tls1_get_grouplist, change to void as it can never fail and remove unnecessary return value checks. Clean up the code.
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4412)

9e84a42d | 22-Sep-2017 | Dr. Stephen Henson
Store groups as uint16_t
Instead of storing supported groups in on-the-wire format store them as parsed uint16_t values. This simplifies handling of groups as the values can be directly used instead of being converted.
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4406)

1c259bb5 | 30-Aug-2017 | Benjamin Kaduk
Restore historical behavior for absent ServerHello extensions
In OpenSSL 1.1.0, when there were no extensions added to the ServerHello, we did not write the extension data length bytes to the end of the ServerHello; this is needed for compatibility with old client implementations that do not support TLS extensions (such as the default configuration of OpenSSL 0.9.8). When ServerHello extension construction was converted to the new extensions framework in commit 7da160b0f46d832dbf285cb0b48ae56d4a8b884d, this behavior was inadvertently limited to cases when SSLv3 was negotiated (and similarly for ClientHellos), presumably since extensions are not defined at all for SSLv3. However, extensions for TLS prior to TLS 1.3 have been defined in separate RFCs (6066, 4366, and 3546) from the TLS protocol specifications, and as such should be considered an optional protocol feature in those cases. Accordingly, be conservative in what we send, and skip the extensions block when there are no extensions to be sent, regardless of the TLS/SSL version. (TLS 1.3 requires extensions and can safely be treated differently.)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4296)

4be3a7c7 | 16-Aug-2017 | Matt Caswell
Client side sanity check of ALPN after server has accepted early_data
Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3926)

630369d9 | 01-Aug-2017 | Matt Caswell
Add server side sanity checks of SNI/ALPN for use with early_data
Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3926)

add8d0e9 | 05-Jul-2017 | Matt Caswell
Enable the ability to use an external PSK for sending early_data
Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3926)

677963e5 | 18-Aug-2017 | Pauli
e_os.h removal from other headers and source files.
Removed e_os.h from all bar three headers (apps/apps.h crypto/bio/bio_lcl.h and ssl/ssl_locl.h). Added e_os.h into the files that need it now. Directly reference internal/nelem.h when required.
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4188)

10ed1b72 | 18-Aug-2017 | Todd Short
Reorder extensions to put SigAlgs last
Force non-empty padding extension. When enabled, force the padding extension to be at least 1 byte long. WebSphere application server cannot handle having an empty extension (e.g. EMS/EtM) as the last extension in a client hello. This moves the SigAlgs extension last for TLSv1.2 to avoid this issue.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3921)

5626f634 | 01-Aug-2017 | Benjamin Kaduk
Move ALPN handling from finalizer to delayed call
Commit 02f0274e8c0596dcf7e2d104250232a42c650b96 moved ALPN processing into an extension finalization function, as the only documented ordering requirement from previous commits was that ALPN processing occur after SNI processing, and SNI processing is performed before the extension finalization step. However, it is useful for applications' alpn_select callbacks to run after ciphersuite selection as well -- at least one application protocol specification (HTTP/2) imposes restrictions on which ciphersuites are usable with that protocol. Since it is generally more preferable to have a successful TLS connection with a default application protocol than to fail the TLS connection and not be able to have the preferred application protocol, it is good to give the alpn_select callback information about the ciphersuite to be used, so that appropriate restrictions can be enforced in application code. Accordingly, split the ALPN handling out into a separate tls_handle_alpn() function akin to tls_handle_status_request(), called from tls_post_process_client_hello(). This is an alternative to resuscitating ssl_check_clienthello_tlsext_late(), something of an awkward name itself.
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4070)

44e69951 | 11-Aug-2017 | FdaSilvaYY
Fix some Typos and indents
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4108)

b93a295a | 11-Jul-2017 | Todd Short
Fix SSL_set_tlsext_debug_callback/-tlsextdebug
Some extensions were being displayed twice, before they were parsed, and again after they were parsed. The supported_versions extension was not being fully displayed, as it was processed differently than other extensions. Move the debug callback to where the extensions are first collected, to catch all the extensions as they come in, so they are ordered correctly.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3911)

00848ea8 | 18-Jul-2017 | Matt Caswell
Tolerate a zero length ticket nonce
TLSv1.3 draft-21 requires the ticket nonce to be at least 1 byte in length. However NSS sends a zero length nonce. This is actually ok because the next draft will allow zero length nonces anyway, so we should tolerate this.
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3957)

b81bd336 | 05-Jul-2017 | Matt Caswell
Update the early_secret generation to use the new ticket_nonce field
Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3852)

a19ae67d | 05-Jul-2017 | Matt Caswell
Update tls13_hkdf_expand() to take the length of the data
In most scenarios the length of the input data is the hashsize, or 0 if the data is NULL. However with the new ticket_nonce changes the length can be different.
Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3852)

9368f865 | 12-Jun-2017 | Matt Caswell
Add TLSv1.3 client side external PSK support
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3670)

3a7c56b2 | 12-Jun-2017 | Matt Caswell
Add TLSv1.3 server side external PSK support
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3670)