summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_clnt.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Bye bye S3I.jsing2022-02-051-136/+136
| | | | | | | | S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed. ok inoguchi@ tb@
* Cleanup/simplify ssl_cert_type()jsing2022-02-031-2/+2
| | | | | | | | Remove the X509 argument as it is unused - this was passed so that ssl_cert_type() can get the public key from the X509 object if the EVP_PKEY argument is NULL, however this is never the case. ok tb@
* Garbage collect unused ret in ssl3_get_new_session_ticket()tb2022-01-241-5/+4
| | | | | | | ret is used to bubble up an error from ssl3_get_message() and is unused otherwise. Zap dead store and silly ret = 1; return ret; ok inoguchi jsing
* In ssl3_get_server_key_exchange() switch a 'goto err' totb2022-01-241-2/+2
| | | | | | | 'goto fatal_err' so that the illegal_parameter alert is actually sent in case of X509_get0_pubkey() failure. ok inoguchi jsing
* Remove peer_pkeys from SSL_SESSION.jsing2022-01-111-49/+32
| | | | | | | | | | peer_pkeys comes from some world where peers can send multiple certificates - in fact, one of each known type. Since we do not live in such a world, get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2 and TLSv1.3, both clients and servers can only send a single leaf (aka end-entity) certificate). ok inoguchi@ tb@
* Rename 'peer' to 'peer_cert' in SSL_SESSION.jsing2022-01-111-3/+3
| | | | | | | The 'peer' member of SSL_SESSION is the leaf/end-entity certificate provided by our peer. Rename it since 'peer' on its own is unhelpful. ok inoguchi@ tb@
* Plumb decode errors through key share parsing code.jsing2022-01-111-14/+25
| | | | | | | | | | | | Distinguish between decode errors and other errors, so that we can send a SSL_AD_DECODE_ERROR alert when appropriate. Fixes a tlsfuzzer failure, due to it expecting a decode error alert and not receiving one. Prompted by anton@ ok tb@
* ssl_check_srvr_ecc_cert_and_alg() only returns 0/1 - test accordingly.jsing2022-01-091-3/+3
|
* Swap arguments to ssl_check_srvr_ecc_cert_and_alg()jsing2022-01-091-3/+3
| | | | | If a libssl function takes an SSL *, it should normally be the first argument.
* Clean up ssl3_{send,get}_client_kex_gost()jsing2022-01-091-21/+26
| | | | | | | | Fix leaks, use sizeof() instead of hardcoded sizes, actually check return codes, explicit_bzero() the premaster secret on the server side and generally try to kick the GOST kex code into some sort of shape. ok inoguchi@ tb@
* Return 0/1 from ssl3_{send,get}_client_kex_gost()jsing2022-01-091-4/+4
| | | | | | | Like other KEX handling functions, there is no need to return anything other than failure/success here. ok inoguchi@ tb@
* Remove a comment from Captain Obvious.jsing2022-01-091-4/+2
|
* Clean up pkey handling in ssl3_get_server_key_exchange()jsing2022-01-091-42/+22
| | | | | | | | | | With TLSv1.2 and earlier, the authentication algorithm used to sign the ServerKeyExchange message is dependent on the cipher suite in use and has nothing to do with the key exchange algorithm. As such, check the authentication algorithm based on the cipher suite in ssl3_get_server_key_exchange() and handle things accordingly. ok inoguchi@ tb@
* Merge SESS_CERT into SSL_SESSION.jsing2022-01-081-66/+33
| | | | | | | There is no reason for SESS_CERT to exist - remove it and merge its members into SSL_SESSION for the time being. More clean up to follow. ok inoguchi@ tb@
* Convert legacy TLS client to tls_key_share.jsing2022-01-061-175/+35
| | | | | | | | | This requires adding DHE support to tls_key_share. In doing so, tls_key_share_peer_public() has to lose the group argument and gains an invalid_key argument. The one place that actually needs the group check is tlsext_keyshare_client_parse(), so add code to do this. ok inoguchi@ tb@
* Return 0 on failure from send/get kex functions in the legacy stack.jsing2022-01-041-25/+25
| | | | | | | | | | | | | In the legacy stack, a message handling function returns -1 for failure, 0 for need more data and 1 for success (although in extra special cases 2 may also be used). However, the various send/get kex functions only need to indicate success or failure - switch these to return 0 on failure (rather than -1) and use normal result testing. This leaves GOST unchanged for now, as that code is special and needs extra work. ok inoguchi@ tb@
* Use normal result testing for tls1_check_curve().jsing2022-01-041-2/+2
|
* Refactor ssl3_get_server_kex_ecdhe() to separate parsing and validation.jsing2022-01-041-20/+18
| | | | | | | | | If we receive something other than a "named curve", send a handshake failure alert as we're unable to complete the handshake with the given parameters. If the server responded with a curve that we did not advertise send an illegal parameter alert. ok inoguchi@ tb@
* Convert ssl_clnt.c to opaque EVP_MD_CTXtb2021-12-091-26/+29
| | | | ok inoguchi jsing
* Move the minimum DHE key size check into ssl_kex_peer_params_dhe()jsing2021-12-041-8/+5
| | | | ok inoguchi@ tb@
* Check DH public key in ssl_kex_peer_public_dhe().jsing2021-12-041-2/+8
| | | | | | | Call DH_check_pub_key() after decoding the peer public key - this will be needed for the server DHE key exchange, but also benefits the client. ok inoguchi@ tb@
* Factor out/rewrite DHE key exchange.jsing2021-11-291-64/+20
| | | | | | | | | This follows what was done previously for ECDHE EC point key exchange and will allow for deduplication and further code improvement. Convert the TLSv1.2 client to use the new DHE key exchange functions. ok inoguchi@ tb@
* Stop reaching into EVP_PKEY in the rest of libssl.tb2021-11-261-12/+18
| | | | ok inoguchi jsing
* libssl: don't reach for pkey->save_type.tb2021-11-191-3/+3
| | | | | | | | | | | | For some strange historical reason ECDSA_sign() and ECDSA_verify}() have a type argument that they ignore. For another strange historical reason, the type passed to them from libssl is pkey->save_type, which is used to avoid expensive engine lookups when setting the pkey type... Whatever the aforementioned reasons were, we can't access pkey->save_type with the OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque. Simply pass in 0 instead. ok jsing
* Fold SSL_SESSION_INTERNAL back into SSL_SESSION.jsing2021-10-251-18/+18
| | | | ok beck@ tb@
* Unhandroll X509_up_ref()tb2021-10-231-3/+3
| | | | ok beck jsing
* Provide a way to determine our maximum legacy version.jsing2021-10-231-36/+16
| | | | | | | | | | | | | | With the introduction of TLSv1.3, we need the ability to determine our maximum legacy version and to track our peer's maximum legacy version. This is needed for both the TLS record layer when using TLSv1.3, plus it is needed for RSA key exhange in TLS prior to TLSv1.3, where the maximum legacy version is incorporated in the pre-master secret to avoid downgrade attacks. This unbreaks RSA KEX for the TLS client when the non-version specific method is used with TLSv1.0 or TLSv1.1 (clearly no one does this). ok tb@
* Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.jsing2021-10-231-18/+18
| | | | | | | Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into DTLS1_STATE and remove D1I() usage. ok tb@
* Untangle ssl3_get_message() return values.jsing2021-10-231-94/+81
| | | | | | | | | | | | | | | This function currently has a long return type that may be <= 0 on error/retry (which is then cast to an int in order to return it up the stack), or it returns the length of the handshake message (on success). This obviously means that 0 can be returned for both success and failure, which is the reason why a separate 'ok' argument has to exist. Untangle this mess by changing the return value to an int that indicates success (1) or error/retry (<= 0). The length never needs to actually be returned as it is already stored in s->internal->init_num (which is where the return value is read from anyway). ok tb@
* Change tlsext_tick_lifetime_hint to uint32_t.jsing2021-10-231-5/+2
| | | | | | | | Now that SSL_SESSION is opaque, change tlsext_tick_lifetime_hint from long to uint32_t (matching RFC4507), rather than continuing to work around an inappropriate type choice. ok tb@
* Ensure that a server hello does not have trailing data.jsing2021-09-031-1/+4
| | | | | | Found by tlsfuzzer. ok beck@
* We need to allow for either a CERTIFICATE or CERTIFICATE_STATUS messagebeck2021-09-021-2/+3
| | | | | | here or we break the handshake with BAD_MESSAGE ok tb@
* RFC 6066 section 8 allows the server MAY choose not send the CertificateStatusbeck2021-09-021-3/+37
| | | | | | | | message, even if it has received a "status_request" extension in the client hello message and has sent a "status_request" extention in the server hello message. Genua found a site that is this broken. This makes it work. ok jsing@
* Clean up and simplify info and msg callbacks.jsing2021-08-301-16/+8
| | | | | | | | | The info and msg callbacks result in duplication - both for code that refers to the function pointers and for the call sites. Avoid this by providing typedefs for the function pointers and pulling the calling sequences into their own functions. ok inoguchi@ tb@
* Correct sigalg hash usage when signing content for client verify.jsing2021-06-301-3/+2
| | | | This was inadvertently broken during sigalgs refactoring.
* Pull sigalg selection up into ssl3_send_client_verify().jsing2021-06-291-14/+11
| | | | | | | | This means that we do sigalg selection for all cases, including those where are are not sending sigalgs. This is needed in order to track our signature type in legacy cases. ok tb@
* Track sigalg used by ourselves and our peer in the legacy stack.jsing2021-06-291-1/+3
| | | | This is needed for upcoming API additions.
* Convert legacy stack client to ssl_sigalg_for_peer().jsing2021-06-291-34/+12
| | | | ok inoguchi@ tb@
* Move the RSA-PSS check for TLSv1.3 to ssl_sigalg_pkey_ok().jsing2021-06-291-2/+2
| | | | | | | | Also, rather than passing in a check_curve flag, pass in the SSL * and handle version checks internally to ssl_sigalg_pkey_ok(), simplifying the callers. ok inoguchi@ tb@
* Have ssl3_send_client_verify() pass *pkey to called functions.jsing2021-06-271-22/+11
| | | | | | ssl3_send_client_verify() already has a pointer to the EVP_PKEY for the certificate - pass this as an argument to the functions that it calls, rather than duplicating code/variable declarations.
* Change ssl_sigalgs_from_value() to perform sigalg list selection.jsing2021-06-271-3/+4
| | | | | | | | | Rather that passing in a sigalg list at every call site, pass in the appropriate TLS version and have ssl_sigalgs_from_value() perform the sigalg list selection itself. This allows the sigalg lists to be made internal to the sigalgs code. ok tb@
* Rename ssl_sigalg() to ssl_sigalg_from_value().jsing2021-06-271-3/+3
| | | | | | | This makes the code more self-documenting and avoids the ambiguity between ssl_sigalg the struct and ssl_sigalg the function. ok tb@
* Make local header inclusion consistent.jsing2021-05-161-3/+2
| | | | | Consistently include local headers in the same location, using the same grouping/sorting across all files.
* Move DTLS structs/definitions/prototypes to dtls_locl.h.jsing2021-05-161-1/+2
| | | | | | | | Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists. ok inoguchi@ tb@
* Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*jsing2021-05-161-1/+2
| | | | | | Where a file references to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
* Clean up tls1_change_cipher_state().jsing2021-05-021-5/+3
| | | | | | | | Replace flag gymnastics at call sites with separate read and write, functions which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code. ok inoguchi@ tb@
* Clean up dtls1_reset_seq_numbers().jsing2021-05-021-5/+1
| | | | | | | | | | Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server. ok inoguchi@ tb@
* Clean up and harden TLSv1.2 master key derivation.jsing2021-04-301-17/+12
| | | | | | | | | | | The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites. If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later. ok inoguchi@ tb@
* Clean up derivation of finished/peer finished.jsing2021-04-251-3/+2
| | | | | | | | Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code. ok inoguchi@ tb@
* Clean up TLSv1.2 certificate request handshake data.jsing2021-04-211-24/+12
| | | | | | | | | | Currently cert_req is used by clients and cert_request is used by servers. Replace this by a single cert_request used by either client or server. Remove the certificate types as they are currently unused. This also fixes a bug whereby if the number of certificate types exceeds SSL3_CT_NUMBER the number of bytes read in is insufficient, which will break decoding. ok inoguchi@ tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-16 05:01:42 +0000