| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
Provide a ssl3_release_buffer() function that correctly frees a buffer
and call it from the appropriate locations. While here also change
ssl3_release_{read,write}_buffer() to void since they cannot fail and
no callers check the return value currently.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.
ok inoguchi@ millert@
|
| |
|
|
|
|
|
| |
Now that get_ssl_method is no longer used, we can garbage collect the
function pointer and some associated machinery.
ok beck@
|
| |
|
|
|
|
|
|
|
|
| |
OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.
Note that this is not currently exposed in the headers/exported symbols.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.
Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.
Bikeshedded with tb@
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().
Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tls1_process_ticket() - the only caller of tls_decrypt_ticket() - ends
in a switch over the return value of tls_decrypt_ticket() to decide
whether or not to set s->internal->tlsext_ticket_expected = 1.
Since tls_decrypt_ticket() already knows what it will return and
partly bases its decision on what to return on whether or not the
ticket needs to be renewed, it can also take care of setting this flag.
This way we don't need to have a confusing switch that conflates some
return values and sets this flag. Moreover, we can get rid of the ugly
TLS1_TICKET_DECRYPTED_RENEW whose only purpose is to signal that the
flag should be set.
ok jsing
|
| |
|
|
|
|
|
|
| |
In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.
ok beck inoguchi
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.
Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
| |
This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
ssl_version is completely unused and get_timeout is the same everywhere.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
| |
This can be done now that we have both TLSv1.3 client and server.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
section 4.1.2 to ensure subsequent ClientHello messages after a
HelloRetryRequest messages must be unchanged from the initial
ClientHello.
ok tb@ jsing@
|
| |
|
|
|
|
|
| |
Replace the only occurrence of ssl_max_server_version() with a call
to ssl_downgrade_max_version() and remove ssl_max_server_version().
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
Previously only the enabled protocol versions were considered, however we
also have to consider the method in use which may be version pinned.
Found the hard way by danj@ with haproxy and force-tlsv12.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
This allows an EC certificate to be selected and used, if the client
sigalgs would allow it.
With feedback from tb@
ok inoguchi@ tb@
|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:
/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */
And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.
Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.
ok tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.
ok beck@
|
| |
|
|
|
|
|
|
|
| |
SSL_get_server_tmp_key() provides the peer ephemeral public key used
for key exchange. In the case of TLSv1.3 this is essentially the peer
public key from the key share used for TLSv1.3 key exchange, hence make it
availaable via SSL_get_server_tmp_key().
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.
ok tb@
|
| |
|
|
|
|
|
|
| |
Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
The enc function pointers do not serve any purpose these days - remove
a layer of indirection and call dtls1_enc()/tls1_enc() directly.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
In a hello retry request the server will only send the selected group and
not actually provide a key exchange. In this case we need to store the
server selected group for further processing.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Use flags to signal the need to switch to the legacy client and to identify
a hello retry request. This allows the caller to take appropriate action,
rather than trying to do this in the parsing/processing code.
Split the key deriviation and record protection engagement code into a
separate function, both for readability and reuse.
Change handshake states outside of the processing code.
ok tb@
|
| |
|
|
|
|
| |
mangling.
ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
Pull out the key share handling code and provide a clean/self contained
interface. This will make it easier to support groups other than X25519.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
This reduces replication between the existing TLS client/server and allows
the code to soon be reused for TLSv1.3.
With feedback from inoguchi@ and tb@
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
ssl_get_message is essentially a switch between ssl3_get_message and
dtls1_get_message, both only used by the legacy stack. Instead, use
SSL_IS_DTLS() in ssl3_get_message to call the DTLS function when
necessary.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.
ok beck@ tb@
|
| |
|
|
|
|
| |
the same from the server.
ok jsing@ tb@
|
| |
|
|
|
|
|
| |
This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.
ok beck@
|
| |
|
|
|
|
|
|
| |
This currently only has enough code to handle fallback to the legacy TLS
stack for TLSv1.2 or earlier, however allows for further development and
testing.
ok beck@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This also makes it available to clients that use libtls, including ftp(1)
and nc(1).
Note that this does not expose additional defines via public headers, which
means that any code conditioning on defines like TLS1_3_VERSION or
SSL_OP_NO_TLSv1_3 will not enable or use TLSv1.3. This approach is
necessary since too many pieces of software assume that if TLS1_3_VERSION
is available, other OpenSSL 1.1 API will also be available, which is not
necessarily the case.
ok beck@ tb@
|
| |
|
|
|
|
| |
reverts previous attempt which would have broken ports
ok jsing@
|
| |
|
|
|
|
|
| |
For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.
ok beck@
|
| |
|
|
|
|
|
|
|
| |
Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.
ok tb@
|
| |
|
|
|
|
|
| |
There is not much point having a tlsext_tick_md macro that replaces
EVP_sha256() in two places, when the cipher is just hardcoded.
ok tb@
|
