|  | Commit message (Collapse) | Author | Age | Files | Lines | 
|---|
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Inline the get_cipher implementation (including the special handling
for DTLS) in ssl_cipher_collect_ciphers() (the only consumer), remove
the get_cipher member of SSL_METHOD and mop up dtls1_get_cipher().
ssl3_get_cipher() has always had a strange property of being a reverse
index, which is relied on by the cipher list ordering code, since it
currently assumes that high cipher suite values are preferable. Rather
than complicating ssl3_get_cipher() (and regress), change the iteration
order in ssl_cipher_collect_ciphers() to match what it requires. Lastly,
rename ssl3_get_cipher() to be more descriptive.
ok tb@ | 
| | 
| 
| 
| 
| 
| | With the guentherizer 9000
ok tb@ | 
| | 
| 
| 
| 
| | And remove the tendrils. This was useful for transition but we are now
well past this. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook | 
| | 
| 
| 
| 
| 
| 
| 
| | The code for dtls1_dispatch_alert() and ssl3_dispatch_alert() is largely
identical - with a bit of reshuffling we can use ssl3_dispatch_alert() for
both protocols and remove the ssl_dispatch_alert function pointer.
ok inoguchi@ tb@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | The num_ciphers, get_cipher_by_char and put_cipher_by_char function
pointers use the same function for all methods - call ssl3_num_ciphers()
directly, absorb ssl3_get_cipher_by_char() into SSL_CIPHER_find() and
remove the unused ssl3_put_cipher_by_char() code.
ok inoguchi@ tb@ | 
| | 
| 
| 
| 
| 
| 
| | Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.
ok tb@ | 
| | 
| 
| 
| 
| 
| 
| 
| | Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.
ok inoguchi@ tb@ | 
| | 
| 
| 
| | ok bcook inoguchi jsing | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | DTLS protocol version numbers are the 1's compliment of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.
Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).
ok tb@ | 
| | 
| 
| 
| 
| 
| | These are currently guarded by LIBRESSL_HAS_DTLS1_2 and LIBRESSL_INTERNAL.
ok tb@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.
Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().
This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.
This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.
ok jsing | 
| | 
| 
| 
| 
| 
| 
| 
| | Rather than inferring DTLS from the method version, add a field that marks
a method as specifically being DTLS. Have SSL_IS_DTLS condition on this
rather than on version.
ok tb@ | 
| | 
| 
| 
| 
| 
| 
| | with #defines for the per-version initializers instead of extern
globals.  Add SSL_USE_SHA256_PRF() to complete the abstraction.
ok tb@ jsing@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existant in many cases and
we can reduce the amount of code and complexity by having single method.
Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.
ok tb@ | 
| | 
| 
| 
| 
| 
| 
| 
| | DTLSv1 is TLSv1.1 over datagrams - there is no need for a separate
SSL3_ENC_METHOD struct, just use TLSv1_1_enc_data and remove
DTLSv1_enc_data entirely.
ok tb@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.
ok inoguchi@ millert@ | 
| | 
| 
| 
| 
| 
| 
| | Now that get_ssl_method is no longer used, we can garbage collect the
function pointer and some associated machinery.
ok beck@ | 
| | 
| 
| 
| 
| 
| | ssl_version is completely unused and get_timeout is the same everywhere.
ok beck@ inoguchi@ tb@ | 
| | 
| 
| 
| 
| 
| | This can be done now that we have both TLSv1.3 client and server.
ok beck@ inoguchi@ tb@ | 
| | 
| 
| 
| 
| 
| 
| 
| | While we do not currently do session resumption, just return the
TLS_client_method() or TLS_server_method() when asked for a method that
does TLSv1.3.
ok tb@ (who also arrived at the same diff) | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | ssl_get_message is essentially a switch between ssl3_get_message and
dtls1_get_message, both only used by the legacy stack. Instead, use
SSL_IS_DTLS() in ssl3_get_message to call  the DTLS function when
necessary.
ok beck@ inoguchi@ tb@ | 
| | 
| 
| 
| 
| 
| | Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@ | 
| | 
| 
| 
| 
| 
| 
| | This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.
ok beck@ | 
| | 
| 
| 
| 
| 
| 
| 
| | This currently only has enough code to handle fallback to the legacy TLS
stack for TLSv1.2 or earlier, however allows for further development and
testing.
ok beck@ | 
| | 
| 
| 
| | Missed in an earlier commit. | 
| | 
| 
| 
| | ok beck@ tb@ | 
| | 
| 
| 
| 
| 
| 
| | For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.
ok beck@ | 
| | 
| 
| 
| | ok tb@ | 
| | |  | 
| | 
| 
| 
| | ok tb@ | 
|  | Discussed with tb@ |