summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_clnt.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Convert legacy server kex to one-shot sign/verifytb2023-06-111-17/+27
| | | | | | | | | | This converts ssl3_{get,send}_server_key_exchange() to EVP_DigestVerify() and EVP_DigestSign(). In order to do this, build the full signed_params up front and rework the way the key exchange parameters are constructed. This way we can do the verify and sign steps in one go and at the same use a more idiomatic approach with CBB/CBS. with/ok jsing
* Easy EVP_Digest{Sign,Verify} conversions for legacy stacktb2023-06-111-15/+5
| | | | | | | Convert ssl3_send_client_verify_{sigalgs,gost}() to EVP_DigestSign() and ssl3_get_cert_verify() to EVP_DigestVerify(). ok jsing
* spelling fixes; from paul tagliamontejmc2022-12-261-3/+3
| | | | ok tb
* Make internal header file names consistenttb2022-11-261-3/+3
| | | | | | | | | | | | | | | | Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
* Annotate misuse of EVP_Digest()tb2022-10-201-1/+2
| | | | | | | | | | The session_id member of SSL_SESSION has 32 bytes for historical reasons. This precisely accommodates a SHA-256 and is currently computed using this hash. If the hash function is ever changed, this will likely overflow. This should be fixed in code. Leave it at an XXX comment for now. Pointed out by jsing
* Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.jsing2022-10-021-101/+101
| | | | | | | | These are no longer necessary due to SSL_CTX and SSL now being fully opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back into SSL. Prompted by tb@
* Move handshake message handling functions from ssl_both.c to client/server.jsing2022-10-011-22/+172
| | | | | | | | | | | | | | | Currently, ssl_both.c contains several functions that are used by both the legacy client and legacy server. This interwines the client and server, making it harder to make progressive changes. While it does deduplicate some code, it also ends up with code that is conditioned on s->server and forces the caller to pass in SSL3_ST_* values. Move these functions from ssl_both.c into ssl_clnt.c and ssl_srvr.c, renaming as appropriate and removing the s->server conditionals. Also move the client and server function prototypes from ssl_locl.h into the .c files, making them static in the process. ok tb@
* Deduplicate peer certificate chain processing code.jsing2022-08-171-32/+4
| | | | | | | | | | | | | | Rather than reimplement this in each TLS client and server, deduplicate it into a single function. Furthermore, rather than dealing with the API hazard that is SSL_get_peer_cert_chain() in this code, simply produce two chains - one that has the leaf and one that does not. SSL_get_peer_cert_chain() can then return the appropriate one. This also moves the peer cert chain from the SSL_SESSION to the SSL_HANDSHAKE, which makes more sense since it is not available on resumption. ok tb@
* Remove redeclaration of rettb2022-08-151-2/+1
| | | | | | | When ret was introduced in an outer scope in r1.113, this declaration wasn't garbage collected. ok jsing
* Simplify certificate list handling code in legacy client.jsing2022-07-031-45/+33
| | | | | | | Tidy up CBS code and remove some unnecessary length checks. Use 'cert' and 'certs' for certificates, rather than 'x' and 'sk'. ok tb@
* Rename uses 'curve' to 'group' and rework tls1 group API.tb2022-07-021-7/+7
| | | | | | | | | | This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent. Based on a suggestion by jsing ok jsing
* Add checks to ensure we do not initiate or negotiate handshakes withtb2022-06-301-1/+8
| | | | | | versions below the minimum required by the security level. input & ok jsing
* There's tentacles, tentacles everywheretb2022-06-291-1/+7
| | | | ok beck jsing
* Check the security of DH key sharestb2022-06-291-1/+7
| | | | ok beck, looks good to jsing
* Simplify various CBS_write_bytes() callstb2022-06-071-4/+3
| | | | | | | Now that session_id_length is a size_t, we can pass it directly to CBS_write_bytes() instead of using a temporary variable. ok jsing
* Add missing error check call in ssl3_get_new_session_ticket()tb2022-06-071-4/+9
| | | | | | | EVP_Digest() can fail, so handle failure appropriately and prepare switch of session_id_length to a size_t. ok jsing
* Another small readability tweak: compare explicitly against 0 and NULL,tb2022-06-071-4/+3
| | | | | | respectively ok jsing
* Add error checking to tls_session_secret_cb() callstb2022-06-071-9/+19
| | | | | | | | | | | Failure of this undocumented callback was previously silently ignored. Follow OpenSSL's behavior and throw an internal error (for lack of a better choice) if the callback failed or if it set the master_key_length to a negative number. Unindent the success path and clean up some strange idioms. ok jsing
* Remove incorrect and ungrammattical commenttb2022-06-061-3/+2
| | | | | The fallback to SHA-1 if SHA-256 is disabled fell victim to tedu many moons ago when this file was still called s3_clnt.c and had no RCS ID.
* Bye bye S3I.jsing2022-02-051-136/+136
| | | | | | | | S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed. ok inoguchi@ tb@
* Cleanup/simplify ssl_cert_type()jsing2022-02-031-2/+2
| | | | | | | | Remove the X509 argument as it is unused - this was passed so that ssl_cert_type() can get the public key from the X509 object if the EVP_PKEY argument is NULL, however this is never the case. ok tb@
* Garbage collect unused ret in ssl3_get_new_session_ticket()tb2022-01-241-5/+4
| | | | | | | ret is used to bubble up an error from ssl3_get_message() and is unused otherwise. Zap dead store and silly ret = 1; return ret; ok inoguchi jsing
* In ssl3_get_server_key_exchange() switch a 'goto err' totb2022-01-241-2/+2
| | | | | | | 'goto fatal_err' so that the illegal_parameter alert is actually sent in case of X509_get0_pubkey() failure. ok inoguchi jsing
* Remove peer_pkeys from SSL_SESSION.jsing2022-01-111-49/+32
| | | | | | | | | | peer_pkeys comes from some world where peers can send multiple certificates - in fact, one of each known type. Since we do not live in such a world, get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2 and TLSv1.3, both clients and servers can only send a single leaf (aka end-entity) certificate). ok inoguchi@ tb@
* Rename 'peer' to 'peer_cert' in SSL_SESSION.jsing2022-01-111-3/+3
| | | | | | | The 'peer' member of SSL_SESSION is the leaf/end-entity certificate provided by our peer. Rename it since 'peer' on its own is unhelpful. ok inoguchi@ tb@
* Plumb decode errors through key share parsing code.jsing2022-01-111-14/+25
| | | | | | | | | | | | Distinguish between decode errors and other errors, so that we can send a SSL_AD_DECODE_ERROR alert when appropriate. Fixes a tlsfuzzer failure, due to it expecting a decode error alert and not receiving one. Prompted by anton@ ok tb@
* ssl_check_srvr_ecc_cert_and_alg() only returns 0/1 - test accordingly.jsing2022-01-091-3/+3
|
* Swap arguments to ssl_check_srvr_ecc_cert_and_alg()jsing2022-01-091-3/+3
| | | | | If a libssl function takes an SSL *, it should normally be the first argument.
* Clean up ssl3_{send,get}_client_kex_gost()jsing2022-01-091-21/+26
| | | | | | | | Fix leaks, use sizeof() instead of hardcoded sizes, actually check return codes, explicit_bzero() the premaster secret on the server side and generally try to kick the GOST kex code into some sort of shape. ok inoguchi@ tb@
* Return 0/1 from ssl3_{send,get}_client_kex_gost()jsing2022-01-091-4/+4
| | | | | | | Like other KEX handling functions, there is no need to return anything other than failure/success here. ok inoguchi@ tb@
* Remove a comment from Captain Obvious.jsing2022-01-091-4/+2
|
* Clean up pkey handling in ssl3_get_server_key_exchange()jsing2022-01-091-42/+22
| | | | | | | | | | With TLSv1.2 and earlier, the authentication algorithm used to sign the ServerKeyExchange message is dependent on the cipher suite in use and has nothing to do with the key exchange algorithm. As such, check the authentication algorithm based on the cipher suite in ssl3_get_server_key_exchange() and handle things accordingly. ok inoguchi@ tb@
* Merge SESS_CERT into SSL_SESSION.jsing2022-01-081-66/+33
| | | | | | | There is no reason for SESS_CERT to exist - remove it and merge its members into SSL_SESSION for the time being. More clean up to follow. ok inoguchi@ tb@
* Convert legacy TLS client to tls_key_share.jsing2022-01-061-175/+35
| | | | | | | | | This requires adding DHE support to tls_key_share. In doing so, tls_key_share_peer_public() has to lose the group argument and gains an invalid_key argument. The one place that actually needs the group check is tlsext_keyshare_client_parse(), so add code to do this. ok inoguchi@ tb@
* Return 0 on failure from send/get kex functions in the legacy stack.jsing2022-01-041-25/+25
| | | | | | | | | | | | | In the legacy stack, a message handling function returns -1 for failure, 0 for need more data and 1 for success (although in extra special cases 2 may also be used). However, the various send/get kex functions only need to indicate success or failure - switch these to return 0 on failure (rather than -1) and use normal result testing. This leaves GOST unchanged for now, as that code is special and needs extra work. ok inoguchi@ tb@
* Use normal result testing for tls1_check_curve().jsing2022-01-041-2/+2
|
* Refactor ssl3_get_server_kex_ecdhe() to separate parsing and validation.jsing2022-01-041-20/+18
| | | | | | | | | If we receive something other than a "named curve", send a handshake failure alert as we're unable to complete the handshake with the given parameters. If the server responded with a curve that we did not advertise send an illegal parameter alert. ok inoguchi@ tb@
* Convert ssl_clnt.c to opaque EVP_MD_CTXtb2021-12-091-26/+29
| | | | ok inoguchi jsing
* Move the minimum DHE key size check into ssl_kex_peer_params_dhe()jsing2021-12-041-8/+5
| | | | ok inoguchi@ tb@
* Check DH public key in ssl_kex_peer_public_dhe().jsing2021-12-041-2/+8
| | | | | | | Call DH_check_pub_key() after decoding the peer public key - this will be needed for the server DHE key exchange, but also benefits the client. ok inoguchi@ tb@
* Factor out/rewrite DHE key exchange.jsing2021-11-291-64/+20
| | | | | | | | | This follows what was done previously for ECDHE EC point key exchange and will allow for deduplication and further code improvement. Convert the TLSv1.2 client to use the new DHE key exchange functions. ok inoguchi@ tb@
* Stop reaching into EVP_PKEY in the rest of libssl.tb2021-11-261-12/+18
| | | | ok inoguchi jsing
* libssl: don't reach for pkey->save_type.tb2021-11-191-3/+3
| | | | | | | | | | | | For some strange historical reason ECDSA_sign() and ECDSA_verify}() have a type argument that they ignore. For another strange historical reason, the type passed to them from libssl is pkey->save_type, which is used to avoid expensive engine lookups when setting the pkey type... Whatever the aforementioned reasons were, we can't access pkey->save_type with the OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque. Simply pass in 0 instead. ok jsing
* Fold SSL_SESSION_INTERNAL back into SSL_SESSION.jsing2021-10-251-18/+18
| | | | ok beck@ tb@
* Unhandroll X509_up_ref()tb2021-10-231-3/+3
| | | | ok beck jsing
* Provide a way to determine our maximum legacy version.jsing2021-10-231-36/+16
| | | | | | | | | | | | | | With the introduction of TLSv1.3, we need the ability to determine our maximum legacy version and to track our peer's maximum legacy version. This is needed for both the TLS record layer when using TLSv1.3, plus it is needed for RSA key exhange in TLS prior to TLSv1.3, where the maximum legacy version is incorporated in the pre-master secret to avoid downgrade attacks. This unbreaks RSA KEX for the TLS client when the non-version specific method is used with TLSv1.0 or TLSv1.1 (clearly no one does this). ok tb@
* Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.jsing2021-10-231-18/+18
| | | | | | | Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into DTLS1_STATE and remove D1I() usage. ok tb@
* Untangle ssl3_get_message() return values.jsing2021-10-231-94/+81
| | | | | | | | | | | | | | | This function currently has a long return type that may be <= 0 on error/retry (which is then cast to an int in order to return it up the stack), or it returns the length of the handshake message (on success). This obviously means that 0 can be returned for both success and failure, which is the reason why a separate 'ok' argument has to exist. Untangle this mess by changing the return value to an int that indicates success (1) or error/retry (<= 0). The length never needs to actually be returned as it is already stored in s->internal->init_num (which is where the return value is read from anyway). ok tb@
* Change tlsext_tick_lifetime_hint to uint32_t.jsing2021-10-231-5/+2
| | | | | | | | Now that SSL_SESSION is opaque, change tlsext_tick_lifetime_hint from long to uint32_t (matching RFC4507), rather than continuing to work around an inappropriate type choice. ok tb@
* Ensure that a server hello does not have trailing data.jsing2021-09-031-1/+4
| | | | | | Found by tlsfuzzer. ok beck@