| Commit message (Collapse) | Author | Files | Lines |
|---|
|
- Add -tls1_3 and -no_tls1_3 to openssl(1) s_server
- Stop using version pinned methods, instead setting the min and max protocol versions
ok jsing@ tb@
|
|
|
|
|
|
ok beck@ tb@
|
|
|
|
|
|
ok beck@ tb@
|
|
When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.
ok beck@ tb@
|
|
This will be used to handle record version checks.
ok tb@
|
|
Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.
ok tb@
|
|
This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.
ok beck@ inoguchi@ tb@
|
|
This correctly handles session being non-NULL and sets up a few more
things, including ssl_version. Also stop setting the ssl_version to the
server_version, as this is only used on the client side.
ok tb@
|
|
While we are in here also make it notice if time values in a certificate
are bogus, and say so in the output.
ok bcook@ jsing@
|
|
If the client has requested middle box compatibility mode by sending
a non-empty legacy_session_id, the server must send a dummy CCS right
after its first handshake message. This means right after ServerHello
or HelloRetryRequest.
Two important improvements over the backed-out diffr: make sure that
First: client and server can send their dummy CCS at the correct moment
(right before the next flight or right after the current flight).
Second: as jsing noted, we also need to deal with the corner case that
tls13_send_dummy_ccs() can return TLS13_IO_WANT_POLLOUT.
with/ok jsing
|
|
ok beck@
|
|
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.
ok beck@
|
|
debug is on. otherwise, just retry. Fixes problems this creates in
testing.
ok jsing@ tb@
|
|
This makes it easier to debug TLSv1.3 handshake failures.
"Yes please!" tb@, ok beck@
|
|
The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.
ok beck@
|
|
With TLSv1.3 we end up parsing extensions from more than just these two
messages. This can result in variables (like the selected alpn) being
freed when things still need them.
ok tb@
|
|
This variable is currently overloaded - a value of -1 means that it is
"unset" and any other value is a length.
ok tb@
|
|
with TLSv1.2 servers, since it makes clients send their dummy CCS too
early... There's an obvious but dirty bandaid which I can't bring myself
to applying - this business is already disgusting enough.
Issue found the hard way by sthen
|
|
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with gnuTLS.
ok jsing@
|
|
If the client has requested middle box compatibility mode by sending
a non-empty legacy_session_id, the server must send a dummy CCS right
after its first handshake message. This means right after ServerHello
or HelloRetryRequest.
ok jsing
|
|
When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).
ok tb@
|
|
|
|
ok tb@
|
|
|
|
version to 3.2.0
|
|
ok jsing@, tb@, inoguchi@
|
|
stricter. Previously, we would accept any vector if it advertised the
"null" compression method. RFC 8446 4.1.2 specifies that the only legal
vector has length one and contains a zero byte for the null method.
ok jsing
|
|
and if the two lengths differed, the later CBS_write_bytes() would
correctly fail anyway.
Discussed with jsing
|
|
alert. Found with tlsfuzzer.
ok jsing
|
|
ok inoguchi@ tb@
|
|
|
|
This fixes the case where a send function signals that an alert should be
sent, then returns failure. Previously the failure would be propagated
up, without the alert being sent.
Issued noted by tb@
ok tb@
|
|
Split the record protection engagement code into a separate
tls13_server_engage_record_protection() function and call this from
tls13_server_hello_sent(). Also move some functions around to keep the
logical ordering/grouping.
ok inoguchi@ tb@ (as part of a larger diff)
|
|
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
|
ok bcook inoguchi deraadt
|
|
Otherwise we fail to do PSS signatures since the key size is too small.
|
|
regress on i386 after inoguchi moved some symbols to const.
ok inoguchi jsing deraadt
|
|
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
|
ok tb@
|
|
It is possible to do this by abusing the EVP_CTRL_INIT API.
Pointed out by jsing.
ok inoguchi jsing (as part of a larger diff)
|
|
We might remove static again for further regress around record layer
in the future.
ok jsing@ tb@
|
|
ok jsing@ tb@
|
|
No functional change.
ok inoguchi@ tb@
|
|
The server-side will need to use the same function.
No functional change.
ok inoguchi@ tb@
|
|
Move functions so that they are in the order that the TLSv1.3 messages are
processed. While here, also move tls13_client_end_of_early_data_send() from
tls13_client.c to tls13_server.c.
No functional change.
ok beck@ tb@
|
|
1. Use the correct slice for comparing the cipher output
2. Fix logic error similar to the one in AES-GCM in the previous commit
|
