Commits · f5b519c416ad70f0bc0e9a5750be1367224eee5a · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

Mar 02, 2017

Make SSL_get_early_data_status() take a const · f5b519c4

Matt Caswell authored Feb 24, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

f5b519c4

Make SSL_get_max_early_data() and SSL_CTX_get_max_early_data() take a const · 46dcb945
Matt Caswell authored Feb 24, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
46dcb945

Add a SSL_SESSION_get_max_early_data() function · fcc47578

Matt Caswell authored Feb 24, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

fcc47578

Don't attempt to write more early_data than we know the server will accept · 7daf7156
Matt Caswell authored Feb 24, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
7daf7156

Only accept early_data if the negotiated ALPN is the same · f6370040

Matt Caswell authored Feb 24, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

f6370040

Skip early_data if appropriate after a HelloRetryRequest · a832b5ef

Matt Caswell authored Feb 24, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

a832b5ef

Don't accept early_data if we are going to issue a HelloRetryRequest · 38df5a45
Matt Caswell authored Feb 24, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
38df5a45

Add extra validation parsing the server-to-client early_data extension · 538bea6c

Matt Caswell authored Feb 24, 2017



Check that we actually resumed the session, and that we selected the first
identity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

538bea6c

Remove some TLSv1.3 TODOs that are no longer relevant · 329114f9

Matt Caswell authored Feb 24, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

329114f9

Validate the ticket age for resumed sessions · 2c604cb9

Matt Caswell authored Feb 24, 2017



If the ticket age calcualtions do not check out then we must not accept
early data (it could be a replay).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

2c604cb9

Ensure the max_early_data option to s_server can be 0 · 6746648c

Matt Caswell authored Feb 23, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

6746648c

Provide a default value for max_early_data · bfa9a9af

Matt Caswell authored Feb 23, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

bfa9a9af

Check max_early_data against the amount of early data we actually receive · 70ef40a0
Matt Caswell authored Feb 23, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
70ef40a0

Make sure we reset the read sequence when skipping records · 67f78ead

Matt Caswell authored Feb 23, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

67f78ead

Disallow handshake messages in the middle of early_data · 10109364

Matt Caswell authored Feb 23, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

10109364

Fix seg fault when sending early_data using CCM ciphersuites · c117af67
Matt Caswell authored Feb 23, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
c117af67
Get s_client to report on whether early data was accepted or not · 576eb395
Matt Caswell authored Feb 23, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
576eb395

Implement client side parsing of the early_data extension · b2cc7f31

Matt Caswell authored Feb 23, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

b2cc7f31

Add a "-early_data" option to s_server · e0655186

Matt Caswell authored Feb 22, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

e0655186

Fix changing of the cipher state when dealing with early data · fe5e20fd
Matt Caswell authored Feb 22, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
fe5e20fd

Construct the server side early_data extension · 1ea4d09a

Matt Caswell authored Feb 22, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

1ea4d09a

Provide an SSL_read_early() function for reading early data · d781d247
Matt Caswell authored Feb 21, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
d781d247

Change the cipher state when sending early data · 6cb42265

Matt Caswell authored Feb 21, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

6cb42265

Implement the early data changes required in tls13_change_cipher_state() · d49e23ec
Matt Caswell authored Feb 21, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
```
d49e23ec

Add an option to s_client to send early_data · 923ac827

Matt Caswell authored Feb 20, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

923ac827

Parse the early_data extension · 0a87d0ac

Matt Caswell authored Feb 20, 2017



We also skip any early_data that subsequently gets sent. Later commits will
process it if we can.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

0a87d0ac

Construct the early_data extension · a4f376af

Matt Caswell authored Feb 20, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

a4f376af

Provide functions to write early data · 49e7fe12

Matt Caswell authored Feb 21, 2017



We provide SSL_write_early() which *must* be called first on a connection
(prior to any other IO function including SSL_connect()/SSL_do_handshake()).
Also SSL_write_early_finish() which signals the end of early data.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

49e7fe12

Parse the ticket_early_data_info extension · 5d5b3fba

Matt Caswell authored Feb 20, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

5d5b3fba

Teach SSL_trace() about the early_data_info extension · 29fac541

Matt Caswell authored Feb 17, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

29fac541

Add a -max_early_data option to s_server · 048b1893

Matt Caswell authored Feb 17, 2017



Allows you to set the number of bytes that can be sent as early data

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

048b1893

Construct the ticket_early_data_info extension · 3fc8d856

Matt Caswell authored Feb 17, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

3fc8d856

Remove ref to err(7), update copyright. · 73fb82b7

Rich Salz authored Mar 02, 2017



Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2825)

73fb82b7

-precert doesn't work when configured no-ct, don't try to test it then · 51f5930a
Richard Levitte authored Mar 02, 2017
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2827)
```
51f5930a

Fix the skip numbers in 80-test_ca.t · a4c5f859

Richard Levitte authored Mar 02, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2827)

a4c5f859

Use the built in boolean type for CompressionExpected · b6611753

Matt Caswell authored Mar 02, 2017



Don't create a custom boolean type for parsing CompressionExpected. Use
the existing one instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2814)

b6611753

Add compression tests · 439db0c9

Matt Caswell authored Mar 01, 2017



Check whether we negotiate compression in various scenarios.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2814)

439db0c9

Fix a compression bug · f33f9dde

Matt Caswell authored Mar 01, 2017



do_ssl3_write() was crashing when compression was enabled. We calculate
the maximum length that a record will be after compression and reserve
those bytes in the WPACKET. Unfortunately we were adding the maximum
compression overhead onto the wrong variable resulting in a corrupted
record.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2814)

f33f9dde

Ensure that we never select compression in TLSv1.3 · c19602b5

Matt Caswell authored Mar 01, 2017



Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2814)

c19602b5

Add LDAP support (RFC 4511) to s_client ("-starttls ldap") · 398b0bbd

Robert Scheck authored Feb 27, 2017



Based on initial patch by Alex Bergmann <alex@linlab.net> and new function
ldap_ExtendedResponse_parse() by Andy Polyakov <appro@openssl.org>. Thanks
very much to both.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2293)

398b0bbd