summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_lib.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Prepare to provide SSL_CTX_get0_privatekey()tb2021-09-101-1/+10
| | | | ok beck
* Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubstb2021-09-081-1/+7
| | | | ok jsing
* Prepare to provide API stubs for PHAtb2021-09-081-1/+19
| | | | ok bcook jsing
* Prepare to provide SSL_set0_rbio()tb2021-09-081-1/+8
| | | | | | | This is needed for telephony/coturn and telephony/resiprocate to compile without opaque SSL. ok inoguchi jsing
* Refactor ssl_update_cache. This now matches the logic used for TLS 1.3beck2021-09-041-22/+106
| | | | | | | in Openssl 1.1.1 for when to call the session callbacks. I believe it to also generates a lot less eye bleed, confirmed by tb@ ok jsing@ tb@
* Clean up and simplify info and msg callbacks.jsing2021-08-301-7/+23
| | | | | | | | | The info and msg callbacks result in duplication - both for code that refers to the function pointers and for the call sites. Avoid this by providing typedefs for the function pointers and pulling the calling sequences into their own functions. ok inoguchi@ tb@
* Merge SSL_METHOD_INTERNAL into SSL_METHOD.jsing2021-07-011-31/+31
| | | | | | | Now that SSL_METHOD is opaque and in internal headers, we can remove SSL_METHOD_INTERNAL by merging it back into SSL_METHOD. ok tb@
* Provide the ability to set the initial DTLS epoch value.jsing2021-06-191-4/+4
| | | | | | This allows for regress to test edge cases for epoch handling. ok tb@
* Indent all labels with a single space.jsing2021-06-111-4/+4
| | | | | | This ensures that diff reports the correct function prototype. Prompted by tb@
* Make local header inclusion consistent.jsing2021-05-161-3/+2
| | | | | Consistently include local headers in the same location, using the same grouping/sorting across all files.
* Move DTLS structs/definitions/prototypes to dtls_locl.h.jsing2021-05-161-1/+2
| | | | | | | | Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists. ok inoguchi@ tb@
* Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*jsing2021-05-161-1/+2
| | | | | | Where a file references to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
* Provide SSL_CTX_get_ssl_method(3)tb2021-05-101-1/+7
| | | | ok jsing
* Remove pointless assignment in SSL_get0_alpn_selected().jsing2021-03-291-4/+1
| | | | ok tb@
* Move finished and peer finished to the handshake struct.jsing2021-03-291-5/+5
| | | | | | | | | This moves the finish_md and peer_finish_md from the 'tmp' struct to the handshake struct, renaming to finished and peer_finished in the process. This also allows the remaining S3I(s) references to be removed from the TLSv1.3 client and server. ok inoguchi@ tb@
* Garbage collect s->internal->typetb2021-03-271-4/+1
| | | | | | | | | | | | | | | | | | | This variable is used in the legacy stack to decide whether we are a server or a client. That's what s->server is for... The new TLSv1.3 stack failed to set s->internal->type, which resulted in hilarious mishandling of previous_{client,server}_finished. Indeed, both client and server would first store the client's verify_data in previous_server_finished and later overwrite it with the server's verify_data. Consequently, renegotiation has been completely broken for more than a year. In fact, server side renegotiation was broken during the 6.5 release cycle. Clearly, no-one uses this. This commit fixes client side renegotiation and restores the previous behavior of SSL_get_client_CA_list(). Server side renegotiation will be fixed in a later commit. ok jsing
* Rename new_cipher to cipher.jsing2021-03-241-8/+8
| | | | | | | | This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data. ok inoguchi@ tb@
* Fix misleading indentation in SSL_get_error()tb2021-03-021-2/+2
|
* Move handling of cipher/hash based cipher suites into the new record layer.jsing2021-02-271-11/+3
| | | | ok tb@
* Only use TLS versions internally (rather than both TLS and DTLS versions).jsing2021-02-251-11/+11
| | | | | | | | | | | | | | DTLS protocol version numbers are the 1's compliment of human readable TLS version numbers, which means that newer versions decrease in value and there is no direct mapping between TLS protocol version numbers and DTLS protocol version numbers. Rather than having to deal with this internally, only use TLS versions internally and map between DTLS and TLS protocol versions when necessary. Rename functions and variables to use 'tls_version' when they contain a TLS version (and never a DTLS version). ok tb@
* Rename f_err into fatal_err.tb2021-02-201-4/+4
| | | | discussed with jsing
* Return a min/max version of zero if set to zero.jsing2021-02-201-9/+17
| | | | | | | | | | OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero if the minimum or maximum has been set to zero (which means the minimum or maximum version supported by the method). Previously we returned the minimum or maximum version supported by the method, instead of zero. Match OpenSSL's behaviour by using shadow variables. Discussed with tb@
* Handle DTLS1_2_VERSION in various places.jsing2021-02-201-3/+5
| | | | ok tb@
* Remove bogus DTLS checks to disable ECC and OCSP.jsing2021-02-081-3/+1
| | | | | | | ECC and OCSP can be used with DTLS, so remove bogus checks that currently prevent it. These are long lasting remnants from the original OpenSSL code. ok tb@
* Move AEAD handling into the new TLSv1.2 record layer.jsing2021-01-281-13/+1
| | | | ok tb@
* zap a tabtb2021-01-261-2/+2
|
* Prepare to provide SSL_set_hostflags()tb2021-01-261-1/+7
| | | | | | | | Yet another one of these X509_VERIFY_PARAM reacharounds into libcrypto. Recently found in imapfilter, also used elsewhere. Will be made publicly visible with the next minor bump. ok jsing
* Move sequence numbers into the new TLSv1.2 record layer.jsing2021-01-261-5/+1
| | | | | | | This allows for all of the DTLS sequence number save/restore code to be removed. ok inoguchi@ "whee!" tb@
* Align SSL_get_shared_ciphers() with OpenSSLtb2021-01-091-10/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | SSL_get_shared_ciphers() has been quite broken forever (see BUGS). What's maybe even worse than those bugs is that it only ever returned the string representing the client's ciphers which happen to fit into buf. That's kind of odd, given its name. This commit brings it in line with OpenSSL's version which changed behavior almost three years ago. reviewed and stupid bug caught by schwarze ok beck inoguchi jsing commit a216df599a6076147c27acea6c976fb11f505b1a Author: Matt Caswell <matt@openssl.org> Date: Fri Apr 27 11:20:52 2018 +0100 Fix SSL_get_shared_ciphers() The function SSL_get_shared_ciphers() is supposed to return ciphers shared by the client and the server. However it only ever returned the client ciphers. Fixes #5317 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6113)
* Bring back *_client_method() structstb2020-12-011-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | The method unification broke an API promise of SSL_is_server(). According to the documentation, calling SSL_is_server() on SSL objects constructed from generic and server methods would result in 1 even before any call to SSL_set_accept_state(). This means the information needs to be available when SSL_new() is called, so must come from the method itself. Prior to the method unification, s->server would be set to 0 or 1 in SSL_new() depending on whether the accept method was undefined or not. Instead, introduce a flag to the internal structs to distinguish client methods from server and generic methods and copy that flag to s->server in SSL_new(). This problem was reported to otto due to breakage of DoH in net/dnsdist. The reason for this is that www/h2o relies on SSL_is_server() to decide whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would end up responding to a ClientHello with another ClientHello, which results in a handshake failure. The bandaid applied to www/h2o can be removed once this fix has made it into snaps. No other breakage is known. This commit brings back only about half of the duplication removed in the method unification, so is preferable to a full revert. ok jsing
* Implement exporter for TLSv1.3.jsing2020-11-161-3/+12
| | | | | | | | | This implements the key material exporter for TLSv1.3, as defined in RFC8446 section 7.5. Issue reported by nmathewson on github. ok inoguchi@ tb@
* Replace SSL_IS_DTLS with SSL_is_dtls().jsing2020-10-141-3/+3
| | | | | | Garbage collect the now unused SSL_IS_DTLS macro. ok tb@
* Provide SSL_is_dtls().jsing2020-10-141-1/+7
| | | | | | | For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the next library bump. ok tb@
* Condense and simplify TLS methods.jsing2020-10-111-2/+2
| | | | | | | | | | | | | | | Historically, OpenSSL has had client and server specific methods - the only difference between these is that the .ssl_connect or .ssl_accept function pointer is set to ssl_undefined_function, with the intention of reducing code size for a statically linked binary that was only a client or server. These days the difference is minimal or non-existant in many cases and we can reduce the amount of code and complexity by having single method. Internally remove all of the client and server specific methods, simplifying code in the process. The external client/server specific API remain, however these now return the same thing as TLS_method() does. ok tb@
* Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.jsing2020-09-241-4/+3
| | | | ok beck@ inoguchi@ tb@
* Prepare to provide SSL_get0_peernametb2020-09-191-1/+7
| | | | | | | | | This is a convenience reacharound to libcrypto that trivially wraps X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for better logging. As it's part of the API that landed with OpenSSL's DANE, more recent postfix snapshots use it as well. ok beck inoguchi jsing
* Prepare to provide stubbed out versions for reading/writing 0-RTT datatb2020-09-191-1/+29
| | | | | | | | | | | We do not support this feature but need to provide OpenSSL's API since software assumes it's available whenever TLS1_3_VERSION is available. These are minimal stubs that should have a decent chance to interact reasonably with software expecting the tricky upstream semantics, but this will have to be sorted out with runtime testing, so will likely have to be refined and revisited. ok beck jsing
* Prepare to provide SSL{,_CTX}_{get,set}_max_early_datatb2020-09-191-1/+24
| | | | | | | Similar to the SSL_SESSION versions, these are noops that are expected to be available by some configure tests. ok beck jsing
* If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failureschwarze2020-09-181-5/+10
| | | | | | | | | | | | | | | | rather than silently leaving a NULL pointer in ssl->cert. Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015. While here, (1) make the code easier to read and more robust by returning right away when ssl still uses the context it was created from and the ctx argument is NULL, rather than doing a lot of work that changes nothing unless data is already corrupt, and (2) use the shorter and more inituitive SSL_CTX_up_ref(3) rather than manually calling CRYPTO_add(3), which means no functional change and is also in the OpenSSL 1.1 branch. OK tb@
* Let SSL_CTX_get_ciphers(NULL) return NULL rather than crashschwarze2020-09-161-1/+3
| | | | | | | for compatibility with OpenSSL and for consistency with neighbouring functions; suggested by jsing@ after i documented the crash; OK jsing@.
* Cleanup/simplify SSL_set_ssl_method().jsing2020-09-151-18/+18
| | | | | | | In particular, figure what the handshake_func should be early on, so we can just assign later. ok beck@
* Move state initialisation from SSL_clear() to ssl3_clear().jsing2020-09-141-3/+1
| | | | | | | | | | | | | | | | | | | | | | If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2 server that gives us a session ticket, then try to resume that session, we end up trying to talk TLS without doing a handshake. This is caused by the state (S3I(s)->hs.state) getting cleared, which results in SSL_do_handshake() and others thinking they do not need to do anything (as SSL_in_init() and SSL_in_before() are not true). The reason this occurs is due to SSL_set_ssl_method() calling ssl_free() and ssl_new() when switching methods. The end result is that the S3I(s) has been freed and reallocated, losing the state in the process. Since the state is part of the S3I(s) structure, move its initialisation into ssl3_clear() - this ensures it gets correctly reinitialised across a SSL_set_ssl_method() call. Issue noticed by sthen@ with nginx and unifi. ok beck@ tb@
* Implement SSL_{CTX_,}set_ciphersuites().jsing2020-09-131-6/+51
| | | | | | | | | | OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide this API, while retaining the current behaviour of being able to configure TLSv1.3 via the existing interface. Note that this is not currently exposed in the headers/exported symbols. ok beck@ inoguchi@ tb@
* Remove cipher_list_by_id.jsing2020-09-111-49/+6
| | | | | | | | | | | | | | | | | When parsing a cipher string, a cipher list is created, before being duplicated and sorted - the second copy being stored as cipher_list_by_id. This is done only so that a client can ensure that the cipher selected by a server is in the cipher list. This is pretty pointless given that most clients are short-lived and that we already had to iterate over the cipher list in order to build the client hello. Additionally, any update to the cipher list requires that cipher_list_by_id also be updated and kept in sync. Remove all of this and replace it with a simple linear scan - the overhead of duplicating and sorting the cipher list likely exceeds that of a simple linear scan over the cipher list (64 maximum, more typically ~9 or so). ok beck@ tb@
* Simplify SSL_get_ciphers().jsing2020-09-111-13/+7
| | | | ok beck@, tb@
* Rename ssl_cipher_is_permitted()jsing2020-09-111-2/+3
| | | | | | | | | | The name ssl_cipher_is_permitted() is not entirely specific - what it really means is "can this cipher be used with a given version range". Use ssl_cipher_allowed_in_version_range() to more clearly indicate this. Bikeshedded with tb@ ok tb@
* Various ciphers related clean up.jsing2020-09-111-41/+36
| | | | | | | Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'. Remove some redundant code, unnecessary parentheses and fix some style(9). ok inoguchi@ tb@
* Start replacing the existing TLSv1.2 record layer.jsing2020-08-301-1/+14
| | | | | | | | | | This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire. ok inoguchi@ tb@
* In SSL_new() just 'goto err' on allocation failure.jsing2020-08-111-11/+6
| | | | | | The error path does the same as the currently duplicated code. ok inoguchi@ tb@
* Revert the TLSv1.3 version switching fix/hack.jsing2020-07-141-10/+1
| | | | | | | | This is no longer necessary since the TLS_method() now supports TLSv1.3. Reverts r1.211 of ssl_lib.c. ok beck@ inoguchi@ tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-27 12:47:46 +0000