| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.
tested by jcs
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.
Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full ranomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.
This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045
Input & ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook
|
| |
|
|
|
|
|
| |
Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.
ok tb@
|
| |
|
|
|
|
|
|
| |
These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.
Prompted by tb@
|
| |
|
|
|
|
| |
Use this from the TLSv1.3 code.
ok tb@
|
| |
|
|
|
|
|
| |
While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.
It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.
To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.
This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.
ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().
Similar checks were introduced in OpenSSL 86a90dc7
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.
ok jsing
|
| |
|
|
|
|
|
|
| |
This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.
ok beck jsing
|
| |
|
|
|
|
|
| |
To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
| |
This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.
Inspired by boringssl's https://boringssl-review.googlesource.com/24464
ok jsing@ tb@
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing sthen
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.
Issue reported by Johannes Nixdorf.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.
ok inoguchi@ tb@
|
| |
|
|
| |
Trivial conversion to cope with opaque BIO.
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.
ok inoguchi@ tb@
|
| |
|
|
|
| |
If a libssl function takes an SSL *, it should normally be the first
argument.
|
| |
|
|
|
|
|
| |
There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.
Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.
ok jsing
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
| |
using X509_get_key_usage().
ok beck jsing
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
| |
symbol will be exposed with tb@'s forthcoming bump
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.
Again, symbols will appear with tb@'s reptar sized bump..
ok tb@
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
| |
As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.
Will also need Symbols.list additions by tb@ when he starts the rapture
ok tb@ jsing@
|
| |
|
|
|
|
|
| |
These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.
ok beck@ tb@
|
| |
|
|
|
|
|
| |
Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.
ok tb@
|
| |
|
|
|
|
|
|
| |
Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.
ok tb@
|
| |
|
|
| |
ok beck
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok bcook jsing
|
| |
|
|
|
|
|
| |
This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.
ok inoguchi jsing
|
| |
|
|
|
|
|
| |
in Openssl 1.1.1 for when to call the session callbacks. I believe it
to also generates a lot less eye bleed, confirmed by tb@
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
| |
The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.
ok tb@
|
| |
|
|
|
|
| |
This allows for regress to test edge cases for epoch handling.
ok tb@
|
