path: root/src/lib/libssl/ssl_locl.h
Commit message | Author | Age | Files | Lines
* Provide a version of ssl_msg_callback() that takes a CBS.
  jsing | 2022-09-10 | 1 | -1/+2
  Use this from the TLSv1.3 code. ok tb@
* Wire up SSL_QUIC_METHOD callbacks to the record layer callbacks for QUIC.
  jsing | 2022-08-21 | 1 | -2/+3
  ok tb@
* Provide SSL_QUIC_METHOD.
  jsing | 2022-08-21 | 1 | -2/+3
  This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely ported/adapted from BoringSSL. It is worth noting that this struct is not opaque and the original interface exposed by BoringSSL differs from the one they now use. The original interface was copied by quictls and it appears that this API will not be updated to match BoringSSL. To make things even more challenging, at least one consumer does not use named initialisers, making code completely dependent on the order in which the function pointers are defined as struct members. In order to try to support both variants, the set_read_secret/set_write_secret functions are included, however they have to go at the end. ok tb@
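The ordering hazard described in the commit above (a non-opaque callback table that some consumers fill with positional initialisers) is illustrated by the following added example. It is not LibreSSL or BoringSSL code; the struct name, member names and stub callbacks are hypothetical stand-ins for the SSL_QUIC_METHOD hooks. It shows why later-added members must be appended at the end, how a partially initialised table (from a consumer compiled against the shorter layout) can be told apart from a broken one, and a compile-time guard on the ordering.

```c
/*
 * Added example, not LibreSSL code: an extensible callback table that
 * must stay compatible with consumers using positional initialisers.
 * All names are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>

typedef int (*hs_data_cb)(int level, const uint8_t *data, size_t len);
typedef int (*flush_cb)(void);
typedef int (*alert_cb)(int level, uint8_t alert);
typedef int (*secret_cb)(int level, const uint8_t *secret, size_t len);

/*
 * The first three members are the original interface. The secret hooks
 * were added later and must stay at the end: a positional initialiser
 * binds by position, so inserting a member earlier would silently shift
 * every later callback into the wrong slot.
 */
struct quic_method_example {
	hs_data_cb add_handshake_data;
	flush_cb flush_flight;
	alert_cb send_alert;
	secret_cb set_read_secret;	/* appended later, may be NULL */
	secret_cb set_write_secret;	/* appended later, may be NULL */
};

/* Compile-time guard: the appended members really do sit after the
 * original three, so an old three-entry initialiser still lines up. */
_Static_assert(offsetof(struct quic_method_example, set_read_secret) >
    offsetof(struct quic_method_example, send_alert),
    "secret hooks must follow the original members");

/*
 * Validate a table supplied by a consumer.
 * Returns 0 if any mandatory hook is missing, 1 if only the original
 * three are present, 2 if the appended secret hooks are present too.
 * A consumer built against the old layout leaves the trailing members
 * zero (C zero-fills members omitted from an initialiser), so NULL here
 * means "old consumer", not garbage.
 */
int
quic_method_check(const struct quic_method_example *m)
{
	if (m == NULL || m->add_handshake_data == NULL ||
	    m->flush_flight == NULL || m->send_alert == NULL)
		return 0;
	if (m->set_read_secret != NULL && m->set_write_secret != NULL)
		return 2;
	return 1;
}

/* Stub callbacks standing in for a consumer's implementation. */
static int
stub_hs_data(int level, const uint8_t *data, size_t len)
{
	(void)level; (void)data; (void)len;
	return 1;
}

static int
stub_flush(void)
{
	return 1;
}

static int
stub_alert(int level, uint8_t alert)
{
	(void)level; (void)alert;
	return 1;
}

static int
stub_secret(int level, const uint8_t *secret, size_t len)
{
	(void)level; (void)secret; (void)len;
	return 1;
}

/* Consumer written against the original interface: positional, three entries. */
const struct quic_method_example old_style_consumer = {
	stub_hs_data, stub_flush, stub_alert,
};

/* Consumer using designated initialisers, immune to member reordering. */
const struct quic_method_example new_style_consumer = {
	.add_handshake_data = stub_hs_data,
	.flush_flight = stub_flush,
	.send_alert = stub_alert,
	.set_read_secret = stub_secret,
	.set_write_secret = stub_secret,
};

/* A table that forgot mandatory hooks: must be rejected. */
const struct quic_method_example partial_consumer = {
	stub_hs_data,
};
```

The library-side check is what makes the "append only" rule safe in practice: the old positional table validates with the secret hooks absent, the designated-initialiser table validates with them present, and a table missing a mandatory hook is rejected before any pointer is called.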
* Tweak prototype to match function definition (n -> index)
  tb | 2022-08-18 | 1 | -2/+2
* Refactor tls1_get_supported_group()
  tb | 2022-08-17 | 1 | -2/+4
  This splits tls1_get_supported_group() into a few helper functions to be able to count shared groups and to return the n-th shared group, since someone thought it is a great idea to expose that in a single API and some others thought it is useful to add this info to log noise. This is all made a bit more complicated thanks to the security level having its tentacles everywhere and because a user-provided security callback can influence the list of groups shared by the peers. ok jsing
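The shape of the problem in the commit above (count the groups shared by both peers, return the n-th one, and let a security callback veto groups) is shown by this added example. It is not LibreSSL's tls1_get_supported_group() or its helpers; the function names, the security-bits table and the sample lists are constructed for the example. The IANA codepoints are the real ones, but the "minimum bits" filter is a simplified stand-in for a security-level callback.

```c
/*
 * Added example, not LibreSSL code: enumerate the groups shared by two
 * peers, in server preference order, subject to a security callback.
 * Names and the bits table are constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>

/* IANA TLS supported-group codepoints. */
#define GROUP_SECP256R1	23
#define GROUP_SECP384R1	24
#define GROUP_SECP521R1	25
#define GROUP_X25519	29
#define GROUP_X448	30

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed table: security strength in bits per group. */
static int
group_security_bits(uint16_t group)
{
	switch (group) {
	case GROUP_SECP256R1:
	case GROUP_X25519:
		return 128;
	case GROUP_SECP384R1:
		return 192;
	case GROUP_X448:
		return 224;
	case GROUP_SECP521R1:
		return 256;
	default:
		return 0;	/* unknown group: never acceptable */
	}
}

/* Hypothetical security callback: accept a group or reject it. */
typedef int (*group_ok_cb)(uint16_t group, void *arg);

/* Accept groups offering at least *(int *)arg bits. */
int
min_bits_ok(uint16_t group, void *arg)
{
	return group_security_bits(group) >= *(const int *)arg;
}

static int
group_in_list(uint16_t group, const uint16_t *list, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++)
		if (list[i] == group)
			return 1;
	return 0;
}

/*
 * Walk the server's preference list once, counting groups the client
 * also offered and the callback accepts. If out is non-NULL and the
 * want-th such group exists, store it. Returns the number of shared
 * groups, so one walk serves both "count" and "n-th" queries.
 */
static size_t
shared_group_walk(const uint16_t *server, size_t server_len,
    const uint16_t *client, size_t client_len, group_ok_cb ok, void *arg,
    size_t want, uint16_t *out)
{
	size_t i, count = 0;

	for (i = 0; i < server_len; i++) {
		if (!group_in_list(server[i], client, client_len))
			continue;
		if (ok != NULL && !ok(server[i], arg))
			continue;
		if (out != NULL && count == want)
			*out = server[i];
		count++;
	}
	return count;
}

/* Constructed sample lists: server preference order, client's offer. */
const uint16_t sample_server_prefs[] = {
	GROUP_X25519, GROUP_SECP256R1, GROUP_SECP384R1, GROUP_SECP521R1,
};
const uint16_t sample_client_groups[] = {
	GROUP_SECP521R1, GROUP_SECP384R1, GROUP_SECP256R1,
};

/* Number of shared groups acceptable at the given minimum strength. */
size_t
sample_count_shared(int min_bits)
{
	return shared_group_walk(sample_server_prefs, NELEM(sample_server_prefs),
	    sample_client_groups, NELEM(sample_client_groups),
	    min_bits_ok, &min_bits, 0, NULL);
}

/* The n-th shared group (server order), or -1 if there is none. */
int
sample_shared_group(int min_bits, size_t n)
{
	uint16_t group = 0;

	if (shared_group_walk(sample_server_prefs, NELEM(sample_server_prefs),
	    sample_client_groups, NELEM(sample_client_groups),
	    min_bits_ok, &min_bits, n, &group) <= n)
		return -1;
	return group;
}
```

With the sample lists, x25519 is never shared (the client did not offer it), so the shared set is secp256r1, secp384r1, secp521r1 in server order; raising the minimum to 192 bits drops secp256r1 and the indices shift, which is exactly why the count and the n-th lookup must apply the same filter.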
* Make tls1_get_{format,group_}list() take a const SSL
  tb | 2022-08-17 | 1 | -5/+5
  ok jsing
* Provide ssl_security_shared_group()
  tb | 2022-08-17 | 1 | -1/+2
  Refactor ssl_security_supported_group() into a wrapper of a new internal ssl_security_group() which takes a secop as an argument. This allows adding ssl_security_shared_group() which will be needed in upcoming commits. ok jsing
* Deduplicate peer certificate chain processing code.
  jsing | 2022-08-17 | 1 | -3/+7
  Rather than reimplement this in each TLS client and server, deduplicate it into a single function. Furthermore, rather than dealing with the API hazard that is SSL_get_peer_cert_chain() in this code, simply produce two chains - one that has the leaf and one that does not. SSL_get_peer_cert_chain() can then return the appropriate one. This also moves the peer cert chain from the SSL_SESSION to the SSL_HANDSHAKE, which makes more sense since it is not available on resumption. ok tb@
* Provide record layer callbacks for QUIC.
  jsing | 2022-07-24 | 1 | -1/+5
  QUIC uses TLS to complete the handshake, however unlike normal TLS it does not use the TLS record layer, rather it provides its own transport. This means that we need to intercept all communication between the TLS handshake and the record layer. This allows TLS handshake message writes to be directed to QUIC, likewise for TLS handshake message reads. Alerts also need to be sent via QUIC, plus it needs to be provided with the traffic keys that are derived by TLS. ok tb@
* Convert TLS transcript from BUF_MEM to tls_buffer.
  jsing | 2022-07-22 | 1 | -2/+2
  ok beck@ tb@
* Change various ALPN related internal struct members
  tb | 2022-07-20 | 1 | -6/+6
  Change alpn_client_proto_list and alpn_selected from unsigned char * to uint8_t and change alpn_client_proto_list_len to be a size_t instead of an unsigned int. ok jsing
* Provide SSL_is_quic()
  jsing | 2022-07-17 | 1 | -2/+3
  This function will allow code to know if the SSL connection is configured for use with QUIC or not. Also move existing SSL_.*quic.* functions under LIBRESSL_HAS_QUIC to prevent exposing them prematurely. ok beck@ tb@
* Annotate the security callback and the security ex_data as deliberately not exposed in the public API.
  tb | 2022-07-10 | 1 | -3/+3
* Unifdef LIBRESSL_HAS_SECURITY_LEVEL and remove some workarounds that are no longer needed now that libcrypto exposes the necessary security-bits API.
  tb | 2022-07-07 | 1 | -3/+1
  ok jsing
* Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c
  tb | 2022-07-02 | 1 | -4/+6
  The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff is now confined into ssl_seclevel.c and the rest of the library can make use of the more straightforward wrappers, which makes it a lot easier on the eyes. ok beck jsing
* Rename uses of 'curve' to 'group' and rework tls1 group API.
  tb | 2022-07-02 | 1 | -7/+7
  This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent. Based on a suggestion by jsing ok jsing
* Check security level for supported groups.
  tb | 2022-06-30 | 1 | -1/+3
  ok jsing
* Add checks to ensure we do not initiate or negotiate handshakes with versions below the minimum required by the security level.
  tb | 2022-06-30 | 1 | -1/+2
  input & ok jsing
* Make ssl_cert_add{0,1}_chain_cert() take ssl/ctx
  tb | 2022-06-29 | 1 | -3/+3
  ok beck jsing
* ssl_cert_set{0,1}_chain() take ssl/ctx
  tb | 2022-06-29 | 1 | -3/+3
  ok beck jsing
* Refactor use_certificate_chain_* to take ssl/ctx instead of a cert
  tb | 2022-06-29 | 1 | -1/+2
  ok beck jsing
* Add functions that check security level in certs and cert chains.
  tb | 2022-06-29 | 1 | -1/+5
  ok beck jsing
* Parse the @SECLEVEL=n annotation in cipher strings
  tb | 2022-06-29 | 1 | -2/+2
  To this end, hand the SSL_CERT through about 5 levels of indirection to set an integer on it. ok beck jsing
* Add support for sending QUIC transport parameters
  beck | 2022-06-29 | 1 | -1/+9
  This is the start of adding the boringssl API for QUIC support, and the TLS extensions necessary to send and receive QUIC transport data. Inspired by boringssl's https://boringssl-review.googlesource.com/24464 ok jsing@ tb@
* whitespace nit
  tb | 2022-06-29 | 1 | -2/+2
* Also check the security level of the 'tmp dh'
  tb | 2022-06-29 | 1 | -1/+2
  ok beck jsing
* Check the security of DH key shares
  tb | 2022-06-29 | 1 | -1/+2
  ok beck, looks good to jsing
* Rename one s to ssl for consistency
  tb | 2022-06-29 | 1 | -2/+2
* Add prototypes for ssl{_ctx,}_security()
  tb | 2022-06-28 | 1 | -1/+5
  ok beck jsing sthen
* Implement the default security level callback
  tb | 2022-06-28 | 1 | -1/+6
  And here is where the fun starts. The tentacles will grow everywhere. ok beck jsing sthen
* Add security callback, level and ex_data fields to SSL_CERT
  tb | 2022-06-28 | 1 | -1/+6
  ok beck jsing sthen
* Switch sid_ctx_length in SSL, SSL_CTX and SSL_SESSION to a size_t
  tb | 2022-06-07 | 1 | -4/+4
  ok jsing
* Switch SSL_SESSION's session_id_length to a size_t
  tb | 2022-06-07 | 1 | -2/+2
  ok jsing
* Switch the SSL_SESSION's master_key_length to a size_t
  tb | 2022-06-07 | 1 | -2/+2
  ok jsing
* Tweak comment describing the SSL_SESSION ASN.1
  tb | 2022-06-06 | 1 | -4/+5
  ok jsing
* Fix spaces before tabs
  tb | 2022-06-06 | 1 | -12/+12
* Add a use_psk_dhe_ke flag to the TLSv1.3 handshake struct
  tb | 2022-06-03 | 1 | -1/+4
  This will be used to indicate client side support for DHE key establishment. ok jsing
* Remove const from tls1_transcript_hash_value()
  jsing | 2022-03-17 | 1 | -2/+2
  This function populates the passed *out argument, hence it should not be marked const. ok tb@
* Factor out change cipher spec handling code in the legacy stack.
  jsing | 2022-03-12 | 1 | -1/+2
  Factor out the code that handles the processing of a change cipher spec message that has been read in the legacy stack, deduplicating code in the DTLS stack. ok inoguchi@ tb@
* Factor out alert handling code in the legacy stack. (tag: libressl-v3.5.0)
  jsing | 2022-02-21 | 1 | -1/+2
  Pull out the code that processes incoming alerts - a chunk of the complexity is due to the fact that in TLSv1.2 and earlier, alerts can be fragmented across multiple records or multiple alerts can be delivered in a single record. In DTLS there is no way that we can reassemble fragmented alerts (although the RFC is silent on this), however we could have multiple alerts in the same record. This change means that we will handle this situation more appropriately and if we encounter a fragmented alert we will now treat this as a decode error (instead of silently ignoring it). ok beck@ tb@
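The two cases the commit above has to handle (several alerts packed into one record, and an alert split across records, which TLS can reassemble but DTLS cannot) are shown by this added example. It is not LibreSSL's alert processing code; the context struct, function names, result codes and sample record payloads are constructed for the example. The record payloads are just the alert bytes, as they would be after the record layer has stripped its header.

```c
/*
 * Added example, not LibreSSL code: process the payload of an alert
 * record. Several two-byte alerts may appear in one record and are
 * handled in order; a single trailing byte is the start of a split
 * alert, which TLS reassembles with the next record and which DTLS
 * rejects as a decode error. All names are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ALERT_LEVEL_WARNING	1
#define ALERT_LEVEL_FATAL	2
#define ALERT_CLOSE_NOTIFY	0
#define ALERT_HANDSHAKE_FAILURE	40
#define ALERT_USER_CANCELED	90

enum alert_result {
	ALERT_CONTINUE = 0,	/* only warnings so far, keep reading */
	ALERT_CLOSED,		/* peer sent close_notify */
	ALERT_FATAL,		/* peer sent a fatal alert, tear down */
	ALERT_DECODE_ERROR,	/* malformed; caller sends decode_error */
};

struct alert_ctx {
	int dtls;
	int have_pending;	/* first byte of a split TLS alert is held */
	uint8_t pending_level;
	uint8_t last_level, last_desc;
	size_t alerts_seen;
};

void
alert_ctx_init(struct alert_ctx *ctx, int dtls)
{
	memset(ctx, 0, sizeof(*ctx));
	ctx->dtls = dtls;
}

/* Act on one complete (level, description) alert. */
static enum alert_result
alert_handle(struct alert_ctx *ctx, uint8_t level, uint8_t desc)
{
	ctx->last_level = level;
	ctx->last_desc = desc;
	ctx->alerts_seen++;

	if (level == ALERT_LEVEL_WARNING)
		return desc == ALERT_CLOSE_NOTIFY ? ALERT_CLOSED : ALERT_CONTINUE;
	if (level == ALERT_LEVEL_FATAL)
		return ALERT_FATAL;
	/* Unknown alert level: treated as malformed in this example. */
	return ALERT_DECODE_ERROR;
}

enum alert_result
alert_record_process(struct alert_ctx *ctx, const uint8_t *rec, size_t len)
{
	enum alert_result r;
	size_t i = 0;

	/* An empty alert record carries nothing; treat it as malformed. */
	if (len == 0)
		return ALERT_DECODE_ERROR;

	/* Complete an alert whose level byte arrived in the previous record. */
	if (ctx->have_pending) {
		ctx->have_pending = 0;
		r = alert_handle(ctx, ctx->pending_level, rec[0]);
		if (r != ALERT_CONTINUE)
			return r;
		i = 1;
	}

	/* Any number of whole alerts may follow in this record. */
	for (; i + 2 <= len; i += 2) {
		r = alert_handle(ctx, rec[i], rec[i + 1]);
		if (r != ALERT_CONTINUE)
			return r;
	}

	/* A trailing single byte is the start of a split alert. */
	if (i < len) {
		if (ctx->dtls)
			return ALERT_DECODE_ERROR;
		ctx->pending_level = rec[i];
		ctx->have_pending = 1;
	}
	return ALERT_CONTINUE;
}

/* Constructed sample payloads. */
const uint8_t rec_close_notify[] = { ALERT_LEVEL_WARNING, ALERT_CLOSE_NOTIFY };
const uint8_t rec_two_alerts[] = { ALERT_LEVEL_WARNING, ALERT_USER_CANCELED,
    ALERT_LEVEL_WARNING, ALERT_CLOSE_NOTIFY };
const uint8_t rec_split_first[] = { ALERT_LEVEL_FATAL };
const uint8_t rec_split_second[] = { ALERT_HANDSHAKE_FAILURE };

/* Feed up to two records to a fresh context and return the final result. */
enum alert_result
alert_scenario(int dtls, const uint8_t *r1, size_t n1,
    const uint8_t *r2, size_t n2)
{
	struct alert_ctx ctx;
	enum alert_result r;

	alert_ctx_init(&ctx, dtls);
	r = alert_record_process(&ctx, r1, n1);
	if (r != ALERT_CONTINUE || r2 == NULL)
		return r;
	return alert_record_process(&ctx, r2, n2);
}
```

Processing stops at the first alert that ends the connection, so a fatal alert followed by more bytes in the same record is never read past; and because the DTLS path returns a decode error as soon as it sees a dangling byte, a fragmented alert can no longer be silently dropped.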
* Bye bye S3I.
  jsing | 2022-02-05 | 1 | -15/+7
  S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed. ok inoguchi@ tb@
* Cleanup/simplify ssl_cert_type()
  jsing | 2022-02-03 | 1 | -2/+2
  Remove the X509 argument as it is unused - this was passed so that ssl_cert_type() can get the public key from the X509 object if the EVP_PKEY argument is NULL, however this is never the case. ok tb@
* Remove peer_pkeys from SSL_SESSION.
  jsing | 2022-01-11 | 1 | -10/+3
  peer_pkeys comes from some world where peers can send multiple certificates - in fact, one of each known type. Since we do not live in such a world, get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2 and TLSv1.3, both clients and servers can only send a single leaf (aka end-entity) certificate). ok inoguchi@ tb@
* Rename 'peer' to 'peer_cert' in SSL_SESSION.
  jsing | 2022-01-11 | 1 | -2/+2
  The 'peer' member of SSL_SESSION is the leaf/end-entity certificate provided by our peer. Rename it since 'peer' on its own is unhelpful. ok inoguchi@ tb@
* Plumb decode errors through key share parsing code.
  jsing | 2022-01-11 | 1 | -3/+5
  Distinguish between decode errors and other errors, so that we can send a SSL_AD_DECODE_ERROR alert when appropriate. Fixes a tlsfuzzer failure, due to it expecting a decode error alert and not receiving one. Prompted by anton@ ok tb@
* Swap arguments to ssl_check_srvr_ecc_cert_and_alg()
  jsing | 2022-01-09 | 1 | -2/+2
  If a libssl function takes an SSL *, it should normally be the first argument.
* Merge SESS_CERT into SSL_SESSION.
  jsing | 2022-01-08 | 1 | -19/+10
  There is no reason for SESS_CERT to exist - remove it and merge its members into SSL_SESSION for the time being. More clean up to follow. ok inoguchi@ tb@
* Remove commented out CERT_* defines.
  jsing | 2022-01-08 | 1 | -7/+1
* Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.
  jsing | 2022-01-08 | 1 | -45/+45
  Nearly all structs in libssl start with an SSL_ suffix, rename CERT and CERT_PKEY for consistency. ok inoguchi@ tb@
* Rename dh_tmp to dhe_params.
  jsing | 2022-01-07 | 1 | -4/+4
  Support for non-ephemeral DH was removed a long time ago - as such, the dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect reality. ok inoguchi@ tb@