| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
For some strange historical reason ECDSA_sign() and ECDSA_verify}() have
a type argument that they ignore. For another strange historical reason,
the type passed to them from libssl is pkey->save_type, which is used to
avoid expensive engine lookups when setting the pkey type... Whatever the
aforementioned reasons were, we can't access pkey->save_type with the
OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque.
Simply pass in 0 instead.
ok jsing
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
With the introduction of TLSv1.3, we need the ability to determine our
maximum legacy version and to track our peer's maximum legacy version.
This is needed for both the TLS record layer when using TLSv1.3, plus
it is needed for RSA key exhange in TLS prior to TLSv1.3, where the
maximum legacy version is incorporated in the pre-master secret to
avoid downgrade attacks.
This unbreaks RSA KEX for the TLS client when the non-version specific
method is used with TLSv1.0 or TLSv1.1 (clearly no one does this).
ok tb@
|
| |
|
|
|
|
|
| |
Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function currently has a long return type that may be <= 0 on
error/retry (which is then cast to an int in order to return it up the
stack), or it returns the length of the handshake message (on success).
This obviously means that 0 can be returned for both success and failure,
which is the reason why a separate 'ok' argument has to exist.
Untangle this mess by changing the return value to an int that indicates
success (1) or error/retry (<= 0). The length never needs to actually be
returned as it is already stored in s->internal->init_num (which is where
the return value is read from anyway).
ok tb@
|
| |
|
|
|
|
|
|
| |
Now that SSL_SESSION is opaque, change tlsext_tick_lifetime_hint from long
to uint32_t (matching RFC4507), rather than continuing to work around an
inappropriate type choice.
ok tb@
|
| |
|
|
|
|
| |
Found by tlsfuzzer.
ok beck@
|
| |
|
|
|
|
| |
here or we break the handshake with BAD_MESSAGE
ok tb@
|
| |
|
|
|
|
|
|
| |
message, even if it has received a "status_request" extension in the client
hello message and has sent a "status_request" extention in the server hello
message. Genua found a site that is this broken. This makes it work.
ok jsing@
|
| |
|
|
|
|
|
|
|
| |
The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.
ok inoguchi@ tb@
|
| |
|
|
| |
This was inadvertently broken during sigalgs refactoring.
|
| |
|
|
|
|
|
|
| |
This means that we do sigalg selection for all cases, including those
where are are not sending sigalgs. This is needed in order to track our
signature type in legacy cases.
ok tb@
|
| |
|
|
| |
This is needed for upcoming API additions.
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Also, rather than passing in a check_curve flag, pass in the SSL * and
handle version checks internally to ssl_sigalg_pkey_ok(), simplifying
the callers.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
ssl3_send_client_verify() already has a pointer to the EVP_PKEY for the
certificate - pass this as an argument to the functions that it calls,
rather than duplicating code/variable declarations.
|
| |
|
|
|
|
|
|
|
| |
Rather that passing in a sigalg list at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_from_value() perform the
sigalg list selection itself. This allows the sigalg lists to be made
internal to the sigalgs code.
ok tb@
|
| |
|
|
|
|
|
| |
This makes the code more self-documenting and avoids the ambiguity between
ssl_sigalg the struct and ssl_sigalg the function.
ok tb@
|
| |
|
|
|
| |
Consistently include local headers in the same location, using the same
grouping/sorting across all files.
|
| |
|
|
|
|
|
|
| |
Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.
|
| |
|
|
|
|
|
|
| |
Replace flag gymnastics at call sites with separate read and write,
functions which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.
If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Currently cert_req is used by clients and cert_request is used by servers.
Replace this by a single cert_request used by either client or server.
Remove the certificate types as they are currently unused. This also fixes
a bug whereby if the number of certificate types exceeds SSL3_CT_NUMBER
the number of bytes read in is insufficient, which will break decoding.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
TLSv1.2 handshake struct.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...
The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.
This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.
ok jsing
|
| |
|
|
|
|
|
|
| |
This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Now that we store our maximum TLS version at the start of the handshake,
we can check against that directly.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add handshake fields for our minimum TLS version, our maximum TLS version
and the TLS version negotiated during the handshake. Initialise our min/max
versions at the start of the handshake and leave these unchanged. The
negotiated TLS version is set in the client once we receive the ServerHello
and in the server at the point we select the highest shared version.
Provide an ssl_effective_version() function that returns the negotiated TLS
version if known, otherwise our maximum TLS version - this is effectively
what is stored in s->version currently.
Convert most of the internal code to use one of these three version fields,
which greatly simplifies code (especially in the TLS extension handling
code).
ok tb@
|
| |
|
|
|
|
|
| |
This consolidates the version handling code and will make upcoming changes
easier.
ok tb@
|
| | |
|
| |
|
|
| |
discussed with jsing
|
| |
|
|
|
|
|
| |
better and doesn't look odd if there's trailing data for exapmle.
Indent a few labels in the neighborhood while there.
ok jsing
|
| |
|
|
|
|
|
|
| |
Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always contain
DTLSv1.0 - ensure this is the case on the server side, allow both DTLSv1.0
and DTLSv1.2 on the client.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
The mess that is ssl_get_algorithm2() only exists to upgrade the handshake
MAC of a pre-TLSv1.2 cipher suite to SHA256 when used with TLSv1.2. We can
readily do this in ssl_get_handshake_evp_md(), which is far more readable.
ok tb@
|
| |
|
|
|
|
|
| |
Also check for explicit version numbers, rather than just the major version
value.
ok tb@
|
| |
|
|
|
|
| |
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existant in many cases and
we can reduce the amount of code and complexity by having single method.
Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.
ok tb@
|
| |
|
|
|
|
|
| |
The d1_{clnt,srvr}.c contain a single function each - merge these into the
ssl_{clnt,srvr}.c, renaming them with an ssl3_ prefix for consistency.
ok beck@ tb@
|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.
ok inoguchi@ millert@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.
Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
Move is_server and msg_type right after the SSL object so that CBS
and CBB and alert come last. This brings these functions more in
line with other internal functions and separates state from data.
requested by jsing
|
