| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In January 2017 we added SSL_OP_NO_CLIENT_RENEGOTIATION, which results in a
SSL_AD_NO_RENEGOTIATION fatal alert if a ClientHello message is seen on an
active connection (client initiated renegotation). Then in May 2017 OpenSSL
added SSL_OP_NO_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION
warning alert if a server receives a ClientHello on an active connection
(client initiated renegotation), or a client receives a HelloRequest
(server requested renegotation). This option also causes calls to
SSL_renegotiate() and SSL_renegotiate_abbreviated() to fail. Then in 2021,
OpenSSL also added SSL_OP_ALLOW_CLIENT_RENEGOTIATION, which trumps
SSL_OP_NO_RENEGOTIATION but only for incoming ClientHello messages
(apparently unsetting SSL_OP_NO_RENEGOTIATION is too hard).
Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION,
primarily to make life easier for ports. If SSL_OP_NO_CLIENT_RENEGOTIATION
is set it will take precedence and render SSL_OP_ALLOW_CLIENT_RENEGOTIATION
ineffective. The rest of the behaviour should match OpenSSL, with the
exception of ClientHellos triggering fatal alerts instead of warnings.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL has had the concept of cipher IDs, which were a way of working
around overlapping cipher suite values between SSLv2 and SSLv3. Given
that we no longer have to deal with this issue, replace the use of IDs
with cipher suite values. In particular, this means that we can stop
mapping back and forth between the two, simplifying things considerably.
While here, remove the 'valid' member of the SSL_CIPHER. The ssl3_ciphers[]
table is no longer mutable, meaning that ciphers cannot be disabled at
runtime (and we have `#if 0' if we want to do it at compile time).
Clean up the comments and add/update RFC references for cipher suites.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For a long time SSL_SESSION has had both a cipher ID and a pointer to
an SSL_CIPHER (and not both are guaranteed to be populated). There is also
a pointer to an SSL_CIPHER in the SSL_HANDSHAKE that denotes the cipher
being used for this connection. Some code has been using the cipher from
SSL_SESSION and some code has been using the cipher from SSL_HANDSHAKE.
Remove cipher from SSL_SESSION and use the version in SSL_HANDSHAKE
everywhere. If resuming from a session then we need to use the SSL_SESSION
cipher ID to set the SSL_HANDSHAKE cipher. And we still need to ensure that
we update the cipher ID in the SSL_SESSION whenever the SSL_HANDSHAKE
cipher changes (this only occurs in a few places).
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
F5 is well-known for needing workaround (go read RFC 8446). In this
particular case, it required implementation sending CHs larger than
255 bytes to 0x0300 otherwise their server would hang. This is the
same hang that required the CH padding extension which broke other
implementations. The CH padding extension was removed ~6 years ago,
so hopefully this kludge will no longer needed either.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook
|
| |
|
|
|
|
|
|
|
|
| |
This converts the legacy TLS stack to tls_content - records are now
opened into a tls_content structure, rather than being written back into
the same buffer that the sealed record was read into.
This will allow for further clean up of the legacy record layer.
ok tb@
|
| |
|
|
|
|
| |
This avoids a bunch of pointer munging and a handrolled memmove.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
While ssl3_setup_read_buffer() success alone is enough to imply that
the read bufer is non-NULL, several static analyzers fail to recognize
that and throw fits about possible NULL accesses.
CID 331010
Fix from and ok jsing
|
| |
|
|
|
|
|
|
| |
These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.
Prompted by tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
Now that {dtls1,ssl3}_read_bytes() have been refactored, do a clean up
pass - this cleans up various parts of the code and reduces differences
between these two functions.
ok = 1; *(&(ok)) tb@
ok inoguchi@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Rewrite the code that handles unexpected handshake messages in the legacy
TLS stack. Parse the TLS message header up front, then process it based on
the message type. Overall the code should be more strict and we should
reject various invalid messages that would have previously been accepted.
I also reviewed steve's experimental code and fixed the bug that it
contained.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TLS record layer has to be able to handle unexpected handshake messages
that result when it has been asked to read application data. The way that
this is currently done in the legacy stack is a layering violation - the
record layer knows about DTLS/TLS handshake messages, parsing them and then
deciding what action to take. This is further complicated by the need to
handle handshake message fragments.
For now, factor this code out with minimal changes - since it is a layering
violation we have to retain separate code for DTLS and TLS.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Factor out the code that handles the processing of a change cipher spec
message that has been read in the legacy stack, deduplicating code in the
DTLS stack.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pull out the code that processes incoming alerts - a chunk of the
complexity is due to the fact that in TLSv1.2 and earlier, alerts can be
fragmented across multiple records or multiple alerts can be delivered
in a single record.
In DTLS there is no way that we can reassemble fragmented alerts (although
the RFC is silent on this), however we could have multiple alerts in the
same record. This change means that we will handle this situation more
appropriately and if we encounter a fragmented alert we will now treat this
as a decode error (instead of silently ignoring it).
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
This is effectively the same record processing limit that was previously
added to the legacy TLS stack - without this a single session can be made
to spin on a stream of alerts or other similar records.
ok beck@ tb@
|
| |
|
|
|
|
| |
Also mop up some mostly unhelpful comments while here.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
Noted by tb@ during review of a larger change.
|
| | |
|
| |
|
|
|
|
|
|
| |
The code for dtls1_dispatch_alert() and ssl3_dispatch_alert() is largely
identical - with a bit of reshuffling we can use ssl3_dispatch_alert() for
both protocols and remove the ssl_dispatch_alert function pointer.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
Per RFC 5246 section 6.2.1, zero-length fragments are only permitted for
application data - reject all others.
Reported via GitHub issue #675.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After running the preprocessor, this function becomes:
switch (code) {
case 0:
return (0);
case 10:
return (10);
case 20:
return (20);
...
}
Its intended purpose was to prevent SSLv3 alerts being sent from TLS code,
however now that we've removed "no_certificate" from LibreSSL's reach, it
no longer does anything useful.
ok tb@
|
| |
|
|
|
| |
Consistently include local headers in the same location, using the same
grouping/sorting across all files.
|
| |
|
|
|
|
|
|
| |
Replace flag gymnastics at call sites with separate read and write,
functions which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add handshake fields for our minimum TLS version, our maximum TLS version
and the TLS version negotiated during the handshake. Initialise our min/max
versions at the start of the handshake and leave these unchanged. The
negotiated TLS version is set in the client once we receive the ServerHello
and in the server at the point we select the highest shared version.
Provide an ssl_effective_version() function that returns the negotiated TLS
version if known, otherwise our maximum TLS version - this is effectively
what is stored in s->version currently.
Convert most of the internal code to use one of these three version fields,
which greatly simplifies code (especially in the TLS extension handling
code).
ok tb@
|
| |
|
|
| |
discussed with jsing
|
| |
|
|
|
|
|
| |
DTLS is largely broken/useless without read ahead being enabled, so enforce
it for DTLS. This behaviour matches both our documentation and OpenSSL.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
Call these functions from code that needs to know if we've changed cipher
state and enabled record protection, rather than inconsistently checking
various pointers from other places in the code base. This also fixes a
minor bug where the wrong pointers are checked if we're operating with
AEAD.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previously we used CBB to build the record headers, but not the entire
record. Use CBB_init_fixed() upfront, then build the record header and
add space for the record content. However, in order to do this we need
to determine the length of the record upfront.
This simplifies the code, removes a number of manual bounds checks and
makes way for further improvements.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
The write path can return a failure in the AEAD path and there is no reason
not to check a return value.
Spotted by tb@ during another review.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
- Make the DTLS code much more consistent with the ssl3 code.
- Avoid assigning wr->input and wr->length just so they can be used as
arguments to memcpy().
- Remove the arc4random_buf() call for the explicit IV, since tls1_enc()
already does this for us.
ok tb@
|
| |
|
|
|
|
| |
ssl3_create_record().
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
This will allow for further changes to be made with less complexity and
easier review.
In particular, decide if we need an empty fragment early on and only do
the alignment calculation once (rather than in two separate parts of the
function.
ok tb@ inoguchi@
|
| |
|
|
|
|
|
|
|
| |
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
| |
Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
The enc function pointers do not serve any purpose these days - remove
a layer of indirection and call dtls1_enc()/tls1_enc() directly.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Use a bad_record_mac alert instead.
Found with tlsfuzzer's ChaCha20 test.
ok beck inoguchi jsing
|
