| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
| |
This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...
The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.
This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.
ok jsing
|
| |
|
|
|
|
|
|
| |
This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
DTLS protocol version numbers are the 1's compliment of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.
Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).
ok tb@
|
| |
|
|
| |
discussed with jsing
|
| |
|
|
|
|
|
|
|
|
| |
OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.
Discussed with tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.
ok tb@
|
| |
|
|
| |
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.
ok jsing
|
| |
|
|
|
|
|
| |
This allows for all of the DTLS sequence number save/restore code to be
removed.
ok inoguchi@ "whee!" tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.
This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.
reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing
commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100
Fix SSL_get_shared_ciphers()
The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.
Fixes #5317
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.
Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().
This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.
This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.
Issue reported by nmathewson on github.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
| |
|
|
|
|
|
| |
For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existant in many cases and
we can reduce the amount of code and complexity by having single method.
Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.
ok tb@
|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.
ok beck jsing
|
| |
|
|
|
|
|
| |
Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.
While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more inituitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.
OK tb@
|
| |
|
|
|
|
|
| |
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.
|
| |
|
|
|
|
|
| |
In particular, figure what the handshake_func should be early on, so we
can just assign later.
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.
This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).
The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.
Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.
Issue noticed by sthen@ with nginx and unifi.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.
Note that this is not currently exposed in the headers/exported symbols.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.
Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).
ok beck@ tb@
|
| |
|
|
| |
ok beck@, tb@
|
| |
|
|
|
|
|
|
|
|
| |
The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.
Bikeshedded with tb@
ok tb@
|
| |
|
|
|
|
|
| |
Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
The error path does the same as the currently duplicated code.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
This is no longer necessary since the TLS_method() now supports TLSv1.3.
Reverts r1.211 of ssl_lib.c.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
| |
ssl_version is completely unused and get_timeout is the same everywhere.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.
However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.
Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.
Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.
ok beck@ inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
| |
Prompted by tb@
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:
/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */
And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.
Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.
ok beck@
|
| |
|
|
|
|
|
|
|
| |
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
| |
incoming method if it is a client.
This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.
ok beck@
|
| |
|
|
|
|
|
|
|
|
| |
Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.
ok beck@ tb@
|
| |
|
|
|
|
|
| |
This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.
ok beck@
|
| |
|
|
|
|
|
|
|
| |
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().
ok beck jsing
|
| |
|
|
|
|
|
| |
For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.
ok beck@
|
| |
|
|
| |
poison the context. ok and help jsing@ tb@
|
