Commits · f2bcff43bcd5b1e2632273ef8fea0900a15d7769 · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

Mar 03, 2017

Update the cipher(1) documentation to explicitly state that the RSA cipher · f2bcff43

Pauli authored Mar 02, 2017


string means the same a kRSA.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2821)

f2bcff43

sh_malloc & sh_free prototype change to match POSIX · 332dc4fa

Rich Salz authored Mar 02, 2017



CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2823)

332dc4fa

Silence some more clang warnings · 42f50fdf

Matt Caswell authored Mar 03, 2017



Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2832)

42f50fdf

Mar 02, 2017

Silence some clang warnings · 30d1bab1

Matt Caswell authored Mar 02, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2831)

30d1bab1

More early data documentation updates following feedback · 83750d9b

Matt Caswell authored Mar 02, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

83750d9b

Update the API documentation for the latest early data changes · cd9f7f62
Matt Caswell authored Mar 02, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
cd9f7f62

Update early data API for writing to unauthenticated clients · 09f28874

Matt Caswell authored Mar 02, 2017



Change the early data API so that the server must use
SSL_write_early_data() to write to an unauthenticated client.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

09f28874

Rename SSL_write_early() to SSL_write_early_data() · 0665b4ed

Matt Caswell authored Mar 02, 2017



This is for consistency with the rest of the API where all the functions
are called *early_data*.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

0665b4ed

Rename SSL_read_early() to SSL_read_early_data() · f533fbd4

Matt Caswell authored Mar 02, 2017



This is for consistency with the rest of the API where all the functions
are called *early_data*.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

f533fbd4

Updates to the early data documentation · ef466acc

Matt Caswell authored Feb 28, 2017



Following on from the latest API changes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

ef466acc

Updates to s_server and s_client for the latest early_data API changes · ade1e888
Matt Caswell authored Feb 27, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
ade1e888

Make SSL_write_early_finish() an internal only function · 3eaa4170

Matt Caswell authored Feb 27, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

3eaa4170

Add early_data tests · 5f982038

Matt Caswell authored Feb 27, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

5f982038

Various fixes required to allow SSL_write/SSL_read during early data · f7e393be
Matt Caswell authored Feb 27, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
f7e393be
Enable the server to call SSL_write() without stopping the ability to call SSL_read_early() · d7f8783f
Matt Caswell authored Feb 25, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
d7f8783f
Enable the client to call SSL_read() without stopping the ability to call SSL_write_early() · 564547e4
Matt Caswell authored Feb 25, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
564547e4

Introduce a new early_data state in the state machine · 4004ce5f

Matt Caswell authored Feb 25, 2017



Also simplifies the state machine a bit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

4004ce5f

Improve the early data sanity check in SSL_do_handshake() · bc908c67

Matt Caswell authored Feb 24, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

bc908c67

Add documentation for the new s_client and s_server early_data options · 6437b802
Matt Caswell authored Feb 24, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
6437b802

Tighten sanity checks when calling early data functions · 0a5ece5b

Matt Caswell authored Feb 24, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

0a5ece5b

Add documentation for the early data functions · fd6c1025

Matt Caswell authored Feb 24, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

fd6c1025

Make SSL_get_early_data_status() take a const · f5b519c4

Matt Caswell authored Feb 24, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

f5b519c4

Make SSL_get_max_early_data() and SSL_CTX_get_max_early_data() take a const · 46dcb945
Matt Caswell authored Feb 24, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
46dcb945

Add a SSL_SESSION_get_max_early_data() function · fcc47578

Matt Caswell authored Feb 24, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

fcc47578

Don't attempt to write more early_data than we know the server will accept · 7daf7156
Matt Caswell authored Feb 24, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
7daf7156

Only accept early_data if the negotiated ALPN is the same · f6370040

Matt Caswell authored Feb 24, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

f6370040

Skip early_data if appropriate after a HelloRetryRequest · a832b5ef

Matt Caswell authored Feb 24, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

a832b5ef

Don't accept early_data if we are going to issue a HelloRetryRequest · 38df5a45
Matt Caswell authored Feb 24, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
38df5a45

Add extra validation parsing the server-to-client early_data extension · 538bea6c

Matt Caswell authored Feb 24, 2017



Check that we actually resumed the session, and that we selected the first
identity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

538bea6c

Remove some TLSv1.3 TODOs that are no longer relevant · 329114f9

Matt Caswell authored Feb 24, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

329114f9

Validate the ticket age for resumed sessions · 2c604cb9

Matt Caswell authored Feb 24, 2017



If the ticket age calcualtions do not check out then we must not accept
early data (it could be a replay).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

2c604cb9

Ensure the max_early_data option to s_server can be 0 · 6746648c

Matt Caswell authored Feb 23, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

6746648c

Provide a default value for max_early_data · bfa9a9af

Matt Caswell authored Feb 23, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

bfa9a9af

Check max_early_data against the amount of early data we actually receive · 70ef40a0
Matt Caswell authored Feb 23, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
70ef40a0

Make sure we reset the read sequence when skipping records · 67f78ead

Matt Caswell authored Feb 23, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

67f78ead

Disallow handshake messages in the middle of early_data · 10109364

Matt Caswell authored Feb 23, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

10109364

Fix seg fault when sending early_data using CCM ciphersuites · c117af67
Matt Caswell authored Feb 23, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
c117af67
Get s_client to report on whether early data was accepted or not · 576eb395
Matt Caswell authored Feb 23, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
576eb395

Implement client side parsing of the early_data extension · b2cc7f31

Matt Caswell authored Feb 23, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

b2cc7f31

Add a "-early_data" option to s_server · e0655186

Matt Caswell authored Feb 22, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

e0655186