openssl.git
2 years agoCorrections according the review comments.
Dmitry Kostjuchenko [Mon, 28 Nov 2016 17:54:43 +0000 (19:54 +0200)]
Corrections according the review comments.

Updated indentations according project rules, renamed file-local define to the shorter version - USE_RWLOCK, fixed declaration after the if statement in CRYPTO_THREAD_lock_new().
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1981)

2 years agoCompile fix on platforms with missing pthread_rwlock_t.
Dmitry Kostjuchenko [Tue, 22 Nov 2016 16:37:43 +0000 (18:37 +0200)]
Compile fix on platforms with missing pthread_rwlock_t.

Fix compilation on platforms with missing pthread_rwlock_t implementation by replacing it with pthread_mutex_t. An example of such platform can be Android OS 2.0 - 2.1, API level 5 (Eclair), Android NDK platform - android-5 where pthread_rwlock_t is not implemented and is missing in pthread.h.

In case of missing pthread_rwlock_t implementation CRYPTO_RWLOCK will work as exclusive lock in write-only mode of pthread_rwlock_t lock.

The implementation based on pthread_mutex_t must be using PTHREAD_MUTEX_RECURSIVE mode to be compatible with recursive behavior of pthread_rwlock_rdlock.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1981)

2 years agocrypto/x86_64cpuid.pl: detect if kernel preserves %zmm registers.
Andy Polyakov [Fri, 27 Jan 2017 18:03:37 +0000 (19:03 +0100)]
crypto/x86_64cpuid.pl: detect if kernel preserves %zmm registers.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2 years agoInitialise alg_k and alg_a
Richard Levitte [Thu, 2 Feb 2017 22:45:38 +0000 (23:45 +0100)]
Initialise alg_k and alg_a

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2543)

2 years agoAdd missing MinProtocol/MaxProtocol
Dr. Stephen Henson [Thu, 2 Feb 2017 12:34:22 +0000 (12:34 +0000)]
Add missing MinProtocol/MaxProtocol

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)

2 years agoAdd TLS 1.3 certificate selection tests.
Dr. Stephen Henson [Wed, 1 Feb 2017 13:29:45 +0000 (13:29 +0000)]
Add TLS 1.3 certificate selection tests.

For TLS 1.3 we select certificates with signature algorithms extension
only. For ECDSA+SHA384 there is the additional restriction that the
curve must be P-384: since the test uses P-256 this should fail.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)

2 years agoDon't filter TLS 1.3 ciphersuites by signing or key exchange algorithm
Dr. Stephen Henson [Tue, 31 Jan 2017 18:59:31 +0000 (18:59 +0000)]
Don't filter TLS 1.3 ciphersuites by signing or key exchange algorithm

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)

2 years agoUpdate cipher definition
Dr. Stephen Henson [Tue, 31 Jan 2017 14:10:36 +0000 (14:10 +0000)]
Update cipher definition

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)

2 years agoRemove special case for TLS 1.3.
Dr. Stephen Henson [Tue, 31 Jan 2017 18:33:14 +0000 (18:33 +0000)]
Remove special case for TLS 1.3.

We now set the server certificate in tls_choose_sigalg() so there is
no need for a special case for TLS 1.3 any more.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)

2 years agoFor TLS 1.3 retrieve previously set certificate index
Dr. Stephen Henson [Tue, 31 Jan 2017 18:32:41 +0000 (18:32 +0000)]
For TLS 1.3 retrieve previously set certificate index

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)

2 years agomake errors
Dr. Stephen Henson [Tue, 31 Jan 2017 18:01:55 +0000 (18:01 +0000)]
make errors

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)

2 years agoSet signature algorithm when choosing cipher
Dr. Stephen Henson [Tue, 31 Jan 2017 18:00:55 +0000 (18:00 +0000)]
Set signature algorithm when choosing cipher

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)

2 years agoAdd function tls_choose_sigalg().
Dr. Stephen Henson [Tue, 31 Jan 2017 17:45:00 +0000 (17:45 +0000)]
Add function tls_choose_sigalg().

New function tls_choose_sigalg(). This is a signature algorithm version
of ssl3_choose_cipher(): it picks and sets the appropriate signature
algorithm and certificate based on shared signature algorithms.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)

2 years agoCosmetic change
Dr. Stephen Henson [Tue, 31 Jan 2017 16:39:53 +0000 (16:39 +0000)]
Cosmetic change

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)

2 years agoTest logging TLSv1.3 secrets.
Cory Benfield [Tue, 31 Jan 2017 14:56:31 +0000 (14:56 +0000)]
Test logging TLSv1.3 secrets.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2287)

2 years agoAdd support for logging out TLSv1.3 secrets
Cory Benfield [Tue, 31 Jan 2017 14:56:15 +0000 (14:56 +0000)]
Add support for logging out TLSv1.3 secrets

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2287)

2 years agoAdd support for parameterized SipHash
Todd Short [Wed, 11 Jan 2017 21:38:44 +0000 (16:38 -0500)]
Add support for parameterized SipHash

The core SipHash supports either 8 or 16-byte output and a configurable
number of rounds.
The default behavior, as added to EVP, is to use 16-byte output and
2,4 rounds, which matches the behavior of most implementations.
There is an EVP_PKEY_CTRL that can control the output size.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2216)

2 years agoremove test/.rnd on make clean
Bernd Edlinger [Wed, 1 Feb 2017 18:10:03 +0000 (19:10 +0100)]
remove test/.rnd on make clean

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2344)

2 years agoMajority rules, use session_ctx vs initial_ctx
Todd Short [Tue, 31 Jan 2017 20:32:50 +0000 (15:32 -0500)]
Majority rules, use session_ctx vs initial_ctx

session_ctx and initial_ctx are aliases of each other, and with the
opaque data structures, there's no need to keep both around. Since
there were more references of session_ctx, replace all instances of
initial_ctx with session_ctx.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2334)

2 years agobn: fix occurance of negative zero in BN_rshift1()
Richard Levitte [Wed, 1 Feb 2017 01:29:46 +0000 (02:29 +0100)]
bn: fix occurance of negative zero in BN_rshift1()

Reviewed-by: Rich Salz <rsalz@openssl.org>
2 years agobn: fix occurances of negative zero
Geoff Thorpe [Thu, 6 Oct 2016 15:04:56 +0000 (10:04 -0500)]
bn: fix occurances of negative zero

The BIGNUM behaviour is supposed to be "consistent" when going into and
out of APIs, where "consistent" means 'top' is set minimally and that
'neg' (negative) is not set if the BIGNUM is zero (which is iff 'top' is
zero, due to the previous point).

The BN_DEBUG testing (make test) caught the cases that this patch
corrects.

Note, bn_correct_top() could have been used instead, but that is intended
for where 'top' is expected to (sometimes) require adjustment after direct
word-array manipulation, and so is heavier-weight. Here, we are just
catching the negative-zero case, so we test and correct for that
explicitly, in-place.

Change-Id: Iddefbd3c28a13d935648932beebcc765d5b85ae7
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1672)

2 years agobn: catch negative zero as an error
Geoff Thorpe [Thu, 6 Oct 2016 14:02:38 +0000 (09:02 -0500)]
bn: catch negative zero as an error

Change-Id: I5ab72ad0aae9069b47d5b7b7b9e25bd1b7afa251
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1672)

2 years agobn: fix BN_DEBUG + BN_DEBUG_RAND support
Geoff Thorpe [Thu, 6 Oct 2016 13:25:22 +0000 (08:25 -0500)]
bn: fix BN_DEBUG + BN_DEBUG_RAND support

Couple of updates to make this code work properly again;
* use OPENSSL_assert() instead of assert() (and #include <assert.h>)
* the circular-dependency-avoidance uses RAND_bytes() (not pseudo)

Change-Id: Iefb5a9dd73f71fd81c1268495c54a64378955354
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1672)

2 years agobntests.txt: add a couple of checks of possibly negative zero
Richard Levitte [Tue, 31 Jan 2017 23:48:38 +0000 (00:48 +0100)]
bntests.txt: add a couple of checks of possibly negative zero

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2335)

2 years agobntest: do not stop on first fautl encountered
Richard Levitte [Tue, 31 Jan 2017 23:47:30 +0000 (00:47 +0100)]
bntest: do not stop on first fautl encountered

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2335)

2 years agobntest: make sure file_rshift tests BN_rshift1 as well when appropriate
Richard Levitte [Tue, 31 Jan 2017 23:46:58 +0000 (00:46 +0100)]
bntest: make sure file_rshift tests BN_rshift1 as well when appropriate

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2335)

2 years agobntest: make sure that equalBN takes note of negative zero
Richard Levitte [Tue, 31 Jan 2017 23:46:09 +0000 (00:46 +0100)]
bntest: make sure that equalBN takes note of negative zero

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2335)

2 years agoAdd -Wno-parentheses-equality to dev-warnings.
Rich Salz [Mon, 30 Jan 2017 21:13:41 +0000 (16:13 -0500)]
Add -Wno-parentheses-equality to dev-warnings.

Also fix a block comment formatting glitch.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2327)

2 years agoTidy up Suite B logic
Dr. Stephen Henson [Mon, 30 Jan 2017 22:02:11 +0000 (22:02 +0000)]
Tidy up Suite B logic

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)

2 years agoRemove peer_md and use peer_sigalg instead.
Dr. Stephen Henson [Mon, 30 Jan 2017 18:10:17 +0000 (18:10 +0000)]
Remove peer_md and use peer_sigalg instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)

2 years agoSimplify sigalgs code.
Dr. Stephen Henson [Mon, 30 Jan 2017 17:27:35 +0000 (17:27 +0000)]
Simplify sigalgs code.

Remove unnecessary lookup operations: use the indices and data in the
lookup table directly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)

2 years agoAdd digest and key indices to table.
Dr. Stephen Henson [Mon, 30 Jan 2017 16:05:23 +0000 (16:05 +0000)]
Add digest and key indices to table.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)

2 years agoDon't check certificate type against ciphersuite for TLS 1.3
Dr. Stephen Henson [Mon, 30 Jan 2017 15:34:25 +0000 (15:34 +0000)]
Don't check certificate type against ciphersuite for TLS 1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)

2 years agoAdd TLS 1.3 signing curve check
Dr. Stephen Henson [Mon, 30 Jan 2017 14:45:20 +0000 (14:45 +0000)]
Add TLS 1.3 signing curve check

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)

2 years agoOnly allow PSS signatures with RSA keys and TLS 1.3
Dr. Stephen Henson [Mon, 30 Jan 2017 13:53:54 +0000 (13:53 +0000)]
Only allow PSS signatures with RSA keys and TLS 1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)

2 years agoStore table entry to peer signature algorithm.
Dr. Stephen Henson [Mon, 30 Jan 2017 13:48:39 +0000 (13:48 +0000)]
Store table entry to peer signature algorithm.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2324)

2 years agoFree up the memory for the NewSessionTicket extensions
Matt Caswell [Mon, 30 Jan 2017 19:37:17 +0000 (19:37 +0000)]
Free up the memory for the NewSessionTicket extensions

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2326)

2 years agoMake sure we free and cleanse the pms value in all code paths
Matt Caswell [Mon, 30 Jan 2017 19:36:51 +0000 (19:36 +0000)]
Make sure we free and cleanse the pms value in all code paths

Otherwise we get a memory leak.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2326)

2 years agoUpdate macros.
Dr. Stephen Henson [Sun, 29 Jan 2017 15:12:58 +0000 (15:12 +0000)]
Update macros.

Use TLS_MAX_SIGALGCNT for the maximum number of entries in the
signature algorithms array.

Use TLS_MAX_SIGSTRING_LEN for the maxiumum length of each signature
component instead of a magic number.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agofix style issues
Dr. Stephen Henson [Sun, 29 Jan 2017 13:38:55 +0000 (13:38 +0000)]
fix style issues

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoFix TLS 1.2 and no sigalgs.
Dr. Stephen Henson [Sun, 29 Jan 2017 00:43:45 +0000 (00:43 +0000)]
Fix TLS 1.2 and no sigalgs.

For TLS 1.2 if we have no signature algorithms extension then lookup
using the complete table instead of (empty) shared signature algorithms
list so we pick up defaults.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoUse PSS for simple test so TLS 1.3 handhake is successful.
Dr. Stephen Henson [Sat, 28 Jan 2017 19:45:33 +0000 (19:45 +0000)]
Use PSS for simple test so TLS 1.3 handhake is successful.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoAdd tests for client and server signature type
Dr. Stephen Henson [Fri, 27 Jan 2017 15:56:47 +0000 (15:56 +0000)]
Add tests for client and server signature type

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoAdd test support for TLS signature types.
Dr. Stephen Henson [Fri, 27 Jan 2017 15:06:16 +0000 (15:06 +0000)]
Add test support for TLS signature types.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoUpdate documentation
Dr. Stephen Henson [Fri, 27 Jan 2017 02:19:54 +0000 (02:19 +0000)]
Update documentation

Add details of the use of PSS for signature algorithms.

Document SSL_get_peer_signature_nid() and SSL_get_peer_signature_type_nid().

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agomake update
Dr. Stephen Henson [Fri, 27 Jan 2017 04:33:04 +0000 (04:33 +0000)]
make update

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoReplace TLS_SIGALGS with SIGALG_LOOKUP
Dr. Stephen Henson [Thu, 26 Jan 2017 15:24:35 +0000 (15:24 +0000)]
Replace TLS_SIGALGS with SIGALG_LOOKUP

Since every supported signature algorithm is now an entry in the
SIGALG_LOOKUP table we can replace shared signature algortihms with
pointers to constant table entries.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoSupport TLS 1.3 signature scheme names.
Dr. Stephen Henson [Thu, 26 Jan 2017 14:40:59 +0000 (14:40 +0000)]
Support TLS 1.3 signature scheme names.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoExtend TLS 1.3 signature table.
Dr. Stephen Henson [Thu, 26 Jan 2017 14:23:05 +0000 (14:23 +0000)]
Extend TLS 1.3 signature table.

Add additional entries in the TLS 1.2 signature table to include
the name, sig and hash NID (if any) and required curve (if any).

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoUse shared signature algorithm list to find type.
Dr. Stephen Henson [Thu, 26 Jan 2017 00:15:54 +0000 (00:15 +0000)]
Use shared signature algorithm list to find type.

Lookup the signature type in the shared list: we can use this to
use PSS if the peer supports it for TLS 1.2.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoAdd SSL_get_peer_signature_type_nid() function.
Dr. Stephen Henson [Wed, 25 Jan 2017 23:28:57 +0000 (23:28 +0000)]
Add SSL_get_peer_signature_type_nid() function.

Add function to retrieve signature type: in the case of RSA
keys the signature type can be EVP_PKEY_RSA or EVP_PKEY_RSA_PSS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoStore peer signature type.
Dr. Stephen Henson [Wed, 25 Jan 2017 16:46:02 +0000 (16:46 +0000)]
Store peer signature type.

Store peer signature type in s->s3->tmp.peer_sigtype and check it
to see if the peer used PSS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoMore complete PSS support.
Dr. Stephen Henson [Wed, 25 Jan 2017 16:22:13 +0000 (16:22 +0000)]
More complete PSS support.

Extend support for PSS key signatures by using the EVP_PKEY_RSA_PSS type
to distinguish them from PKCS1 signature types.

Allow setting of PSS signature algorithms using the string "PSS" or
"RSA-PSS".

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoUse uint16_t for signature scheme.
Dr. Stephen Henson [Wed, 25 Jan 2017 14:33:55 +0000 (14:33 +0000)]
Use uint16_t for signature scheme.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agouse RSA_PSS_SALTLEN_DIGEST constant
Dr. Stephen Henson [Wed, 25 Jan 2017 14:02:00 +0000 (14:02 +0000)]
use RSA_PSS_SALTLEN_DIGEST constant

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2 years agoExpand comment in tls_process_hello_req()
Matt Caswell [Fri, 27 Jan 2017 15:23:25 +0000 (15:23 +0000)]
Expand comment in tls_process_hello_req()

Following review feedback.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoAdd a TODO around validating the ticket age
Matt Caswell [Fri, 27 Jan 2017 15:18:51 +0000 (15:18 +0000)]
Add a TODO around validating the ticket age

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoVarious style fixes following review feedback
Matt Caswell [Fri, 27 Jan 2017 15:17:51 +0000 (15:17 +0000)]
Various style fixes following review feedback

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoRemove unneccessary comments
Matt Caswell [Fri, 27 Jan 2017 12:11:23 +0000 (12:11 +0000)]
Remove unneccessary comments

Now we're using an enum the values themselves are self explanatory

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoUse for loop in WPACKET_fill_lengths instead of do...while
Matt Caswell [Fri, 27 Jan 2017 12:05:52 +0000 (12:05 +0000)]
Use for loop in WPACKET_fill_lengths instead of do...while

Based on review feedback

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoMove the SSL3_CK_CIPHERSUITE_FLAG out of public header
Matt Caswell [Fri, 27 Jan 2017 11:58:04 +0000 (11:58 +0000)]
Move the SSL3_CK_CIPHERSUITE_FLAG out of public header

The newly added SSL3_CK_CIPHERSUITE_FLAG shouldn't be in a public header
file

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoAdd a test for the PSK kex modes extension
Matt Caswell [Wed, 25 Jan 2017 10:44:46 +0000 (10:44 +0000)]
Add a test for the PSK kex modes extension

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoIf we have no suitable PSK kex modes then don't attempt to resume
Matt Caswell [Wed, 25 Jan 2017 11:56:23 +0000 (11:56 +0000)]
If we have no suitable PSK kex modes then don't attempt to resume

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoFix <= TLS1.2 break
Matt Caswell [Mon, 23 Jan 2017 16:59:35 +0000 (16:59 +0000)]
Fix <= TLS1.2 break

Changing the value of SSL_MAX_MASTER_KEY_LENGTH had some unexpected
side effects in the <=TLS1.2 code which apparently relies on this being
48 for interoperability. Therefore create a new define for the TLSv1.3
resumption master secret which can be up to 64 bytes.

Found through the boring test suite.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoAdd a test for WPACKET_fill_lengths()
Matt Caswell [Mon, 23 Jan 2017 15:09:25 +0000 (15:09 +0000)]
Add a test for WPACKET_fill_lengths()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoEnable wpacket test on shared builds
Matt Caswell [Mon, 23 Jan 2017 14:53:44 +0000 (14:53 +0000)]
Enable wpacket test on shared builds

Now that we support internal tests properly, we can test wpacket even in
shared builds.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoMake calls to SSL_renegotiate() error out for TLSv1.3
Matt Caswell [Fri, 20 Jan 2017 17:00:03 +0000 (17:00 +0000)]
Make calls to SSL_renegotiate() error out for TLSv1.3

When we have support for KeyUpdate we might consider doing that instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoMake the "ticket" function return codes clearer
Matt Caswell [Fri, 20 Jan 2017 16:01:27 +0000 (16:01 +0000)]
Make the "ticket" function return codes clearer

Remove "magic" return values and use an enum instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoMiscellaneous style tweaks based on feedback received
Matt Caswell [Fri, 20 Jan 2017 16:02:07 +0000 (16:02 +0000)]
Miscellaneous style tweaks based on feedback received

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoEnsure the al variable is properly ininitialised in all code paths
Matt Caswell [Fri, 20 Jan 2017 13:53:38 +0000 (13:53 +0000)]
Ensure the al variable is properly ininitialised in all code paths

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoEnsure the age_add variable is properly initialised
Matt Caswell [Fri, 20 Jan 2017 13:50:47 +0000 (13:50 +0000)]
Ensure the age_add variable is properly initialised

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoRe-enable resumption for TLS1.3 CT tests
Matt Caswell [Fri, 20 Jan 2017 13:48:41 +0000 (13:48 +0000)]
Re-enable resumption for TLS1.3 CT tests

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoAdd testing of TLSv1.3 resumption in test_tls13messages
Matt Caswell [Fri, 20 Jan 2017 12:11:49 +0000 (12:11 +0000)]
Add testing of TLSv1.3 resumption in test_tls13messages

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoAdd a capability for TLSProxy to wait for a session before killing s_client
Matt Caswell [Fri, 20 Jan 2017 12:08:51 +0000 (12:08 +0000)]
Add a capability for TLSProxy to wait for a session before killing s_client

TLSProxy normally fires off s_client, which creates a connection to the
server. TLSProxy also pipes some data to send to the process and s_client
automatically exits when the pipe hits eof. Unfortunately this means that
it sends the data and closes before it has processed the NewSessionTicket
returned from the server in TLSv1.3. This commits adds an option for
s_client to stay loaded until the sesion has been processed. A side effect
of this is that s_client never sends a close_notify in this mode, so we
count success as seeing that data has been transferred.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoRe-enable test_ssl_new resumption tests for TLSv1.3
Matt Caswell [Thu, 19 Jan 2017 16:49:57 +0000 (16:49 +0000)]
Re-enable test_ssl_new resumption tests for TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoRemove a TLS1.3 TODO that is now completed
Matt Caswell [Thu, 19 Jan 2017 16:44:25 +0000 (16:44 +0000)]
Remove a TLS1.3 TODO that is now completed

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoRe-enable TLSv1.3 session resumption related tests in sslapitest
Matt Caswell [Thu, 19 Jan 2017 16:02:27 +0000 (16:02 +0000)]
Re-enable TLSv1.3 session resumption related tests in sslapitest

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoUpdate create_ssl_connection() to make sure its gets a session
Matt Caswell [Thu, 19 Jan 2017 16:00:19 +0000 (16:00 +0000)]
Update create_ssl_connection() to make sure its gets a session

In TLSv1.3 the connection will be created before the session is
established. In OpenSSL we send the NewSessionTicket message immediately
after the client finished has been received. Therefore we change
create_ssl_connection() to attempt a read of application data after the
handshake has completed. We expect this to fail but it will force the
reading of the NewSessionTicket and the session to be set up.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoRe-enable ALPN resumption tests where we are using TLSv1.3
Matt Caswell [Thu, 19 Jan 2017 15:02:16 +0000 (15:02 +0000)]
Re-enable ALPN resumption tests where we are using TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoAlways ensure that session->cipher is set
Matt Caswell [Thu, 19 Jan 2017 15:01:55 +0000 (15:01 +0000)]
Always ensure that session->cipher is set

If we have deserialized the SSL_SESSION then in some circumstances the
session->cipher value is NULL. We were patching up in some places but not
in others. We should just do it as part of loading the SSL_SESSION.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoTweak a comment
Matt Caswell [Thu, 19 Jan 2017 12:12:35 +0000 (12:12 +0000)]
Tweak a comment

psk_kex_mode stores the available modes - not the one which we selected.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoUse the correct session resumption mechanism
Matt Caswell [Thu, 19 Jan 2017 11:23:06 +0000 (11:23 +0000)]
Use the correct session resumption mechanism

Don't attempt to add a TLS1.3 session to a TLS1.2 ClientHello session
ticket extensions. Similarly don't add a TLS1.2 session to a TLS1.3
psk extension.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoMove session version consistency check
Matt Caswell [Thu, 19 Jan 2017 10:46:53 +0000 (10:46 +0000)]
Move session version consistency check

Make sure the session version consistency check is inside
ssl_get_prev_session(). Also fixes a bug where an inconsistent version can
cause a seg fault in TLSv1.3.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoSet the kex modes on the client too.
Matt Caswell [Thu, 19 Jan 2017 10:07:50 +0000 (10:07 +0000)]
Set the kex modes on the client too.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoImplement server side of PSK extension construction
Matt Caswell [Wed, 18 Jan 2017 17:22:18 +0000 (17:22 +0000)]
Implement server side of PSK extension construction

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoImplement Server side of PSK extension parsing
Matt Caswell [Wed, 18 Jan 2017 16:28:23 +0000 (16:28 +0000)]
Implement Server side of PSK extension parsing

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoMake sure we also cleanse the finished key
Matt Caswell [Wed, 18 Jan 2017 11:52:50 +0000 (11:52 +0000)]
Make sure we also cleanse the finished key

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoProvide a key_share extension finaliser
Matt Caswell [Wed, 18 Jan 2017 11:31:37 +0000 (11:31 +0000)]
Provide a key_share extension finaliser

This mops up various edge cases with key_shares and makes sure we still
generate the handshake secret if we haven't been provided with one but we
have a PSK.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoAdd support for client side parsing of the PSK extension
Matt Caswell [Wed, 18 Jan 2017 09:38:53 +0000 (09:38 +0000)]
Add support for client side parsing of the PSK extension

Requires a refactor of the ServerHello parsing, so that we parse first and
then subsequently process. This is because the resumption information is
held in the extensions block which is parsed last - but we need to know that
information earlier.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoAdd support for the age_add field
Matt Caswell [Tue, 17 Jan 2017 10:43:37 +0000 (10:43 +0000)]
Add support for the age_add field

Update SSL_SESSION to store the age_add and use it where needed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoConstruct the client side psk extension for TLSv1.3
Matt Caswell [Fri, 13 Jan 2017 17:00:49 +0000 (17:00 +0000)]
Construct the client side psk extension for TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoProvide a new WPACKET function for filling in all the lengths
Matt Caswell [Fri, 13 Jan 2017 16:59:18 +0000 (16:59 +0000)]
Provide a new WPACKET function for filling in all the lengths

For the psk extension we need to fill in all the lengths of the message so
far, even though we haven't closed the WPACKET yet. This provides a function
to do that.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoUpdate the s_client -sess_out feature to work for TLSv1.3
Matt Caswell [Fri, 13 Jan 2017 14:25:15 +0000 (14:25 +0000)]
Update the s_client -sess_out feature to work for TLSv1.3

Previously "-sess_out" wrote out the session as soon as the handshake
finished. In TLSv1.3 this won't work because the NewSessionTicket message
arrives post-handshake. Instead we use the session callback mechanism to
do this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoNever send a session id in TLS1.3
Matt Caswell [Fri, 13 Jan 2017 13:49:44 +0000 (13:49 +0000)]
Never send a session id in TLS1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoAdd a TODO around handling of SSL_get_session() and SSL_get1_session()
Matt Caswell [Fri, 13 Jan 2017 13:34:49 +0000 (13:34 +0000)]
Add a TODO around handling of SSL_get_session() and SSL_get1_session()

These functions are problematic in TLSv1.3 because the server sends the
NewSessionTicket message after the handshake has finished.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoProcess incoming NewSessionTicket messages on the client side
Matt Caswell [Fri, 13 Jan 2017 13:32:11 +0000 (13:32 +0000)]
Process incoming NewSessionTicket messages on the client side

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoCreate the NewSessionTicket message in TLSv1.3
Matt Caswell [Fri, 13 Jan 2017 09:19:10 +0000 (09:19 +0000)]
Create the NewSessionTicket message in TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoAdd support for the psk_key_exchange_modes extension
Matt Caswell [Thu, 12 Jan 2017 15:28:48 +0000 (15:28 +0000)]
Add support for the psk_key_exchange_modes extension

This is required for the later addition of resumption support.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoMove TLSv1.3 Session Ticket processing into the state machine
Matt Caswell [Wed, 11 Jan 2017 17:18:19 +0000 (17:18 +0000)]
Move TLSv1.3 Session Ticket processing into the state machine

We still ignore it for now, but at least its in the right place.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

2 years agoDisable requests for renegotiation in TLSv1.3
Matt Caswell [Wed, 11 Jan 2017 16:29:38 +0000 (16:29 +0000)]
Disable requests for renegotiation in TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)