A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_3 2022-11-11T11:25:18+00:00 2022-11-11T11:25:18+00:00 beck 2022-11-11T11:25:18+00:00 urn:sha1:0ba6b15619d4e4feafccdbd0226ee99b70553a11 Fully explained in libcrypto/README. TL;DR make sure libcrypto and libssl's function calls internally and to each other are via symbol names that won't get overridden by linking other libraries. Mostly work by guenther@, which will currently be gated behind a build setting NAMESPACE=yes. once we convert all the symbols to this method we will do a major bump and pick up the changes. ok tb@ jsing@ 2022-08-17T07:39:19+00:00 jsing 2022-08-17T07:39:19+00:00 urn:sha1:5f133a78eec6f3a2549c066b9a561d6350d6e07a Rather than reimplement this in each TLS client and server, deduplicate it into a single function. Furthermore, rather than dealing with the API hazard that is SSL_get_peer_cert_chain() in this code, simply produce two chains - one that has the leaf and one that does not. SSL_get_peer_cert_chain() can then return the appropriate one. This also moves the peer cert chain from the SSL_SESSION to the SSL_HANDSHAKE, which makes more sense since it is not available on resumption. ok tb@ 2022-07-24T14:28:16+00:00 jsing 2022-07-24T14:28:16+00:00 urn:sha1:2c5937ccb88658c18243c49fc57c58b62e344235 QUIC uses TLS to complete the handshake, however unlike normal TLS it does not use the TLS record layer, rather it provides its own transport. This means that we need to intercept all communication between the TLS handshake and the record layer. This allows TLS handshake message writes to be directed to QUIC, likewise for TLS handshake message reads. Alerts also need to be sent via QUIC, plus it needs to be provided with the traffic keys that are derived by TLS. ok tb@ 2022-06-28T20:40:24+00:00 tb 2022-06-28T20:40:24+00:00 urn:sha1:155ade5b4877933ef80a8ed009a2750254d9dec8 And here is where the fun starts. The tentacles will grow everywhere. ok beck jsing sthen 2022-01-14T09:09:30+00:00 tb 2022-01-14T09:09:30+00:00 urn:sha1:53be7c999edf2b5da8c31198d2e78dd5906217c2 2022-01-05T17:10:03+00:00 jsing 2022-01-05T17:10:03+00:00 urn:sha1:767ff39662be70f355eac7cf069fd9c23c34580d In preparation to use the key share code in both the TLSv1.3 and legacy stacks, rename tls13_key_share to tls_key_share, moving it into the shared handshake struct. Further changes will then allow the legacy stack to make use of the same code for ephemeral key exchange. ok inoguchi@ tb@ 2021-10-23T13:12:14+00:00 jsing 2021-10-23T13:12:14+00:00 urn:sha1:3262c76ed1f7d7ad4c2133bc12fc909491a69e83 This code will soon be used in the DTLSv1.2 and TLSv1.2 stack. Also introduce tls_internal.h and move/rename the read/write/flush callbacks. ok beck@ tb@ 2021-09-04T16:26:12+00:00 jsing 2021-09-04T16:26:12+00:00 urn:sha1:fb975bbc325bbf4283ef4fa3886bde95fe20607e Currently, the plaintext content from opened TLS records is handled via the rbuf code in the TLSv1.3 record layer. Factor this out and provide a separate struct tls_content, which knows how to track and manipulate the content. This makes the TLSv1.3 code cleaner, however it will also soon also be used to untangle parts of the legacy record layer. ok beck@ tb@ 2021-05-05T10:05:27+00:00 jsing 2021-05-05T10:05:27+00:00 urn:sha1:1a056896b1f8722603712ec9956a081ee5b6c651 For TLSv1.2 a single key block is generated, then partitioned into individual secrets for use as IVs and keys. The previous implementation splits this across two functions tls1_setup_key_block() and tls1_change_cipher_state(), which means that the IV and key sizes have to be known in multiple places. This implementation generates and partitions the key block in a single step, meaning that the secrets are then simply handed out when requested. ok inoguchi@ tb@ 2021-04-25T13:15:23+00:00 jsing 2021-04-25T13:15:23+00:00 urn:sha1:8b55d917f6299f185307b9010616350e6d6a3d93 Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code. ok inoguchi@ tb@