| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
eight bytes of the server's random to a magic cookie (RFC 8446, 4.1.3).
The TLSv1.3 spec changes the TLSv1.2 spec in that it recommends that
TLSv1.2 servers that negotiate TLSv1.1 or below do the same. This gives
a limited additional protection against downgrade attacks beyond what is
already present in the Finished exchange.
The TLSv1.3 part was already implemented in Hobart and can be trivially
modified to do the TLSv1.2 bit as well.
ok inoguchi, jsing
|
| |
|
|
|
|
|
|
|
|
| |
Changed to use local variable to hold malloc address rather than directly
set to S3I(s)->tmp.x25519, and set that private_key pointer to
S3I(s)->tmp.x25519 after all the "goto err;".
Also added freezero for S3I(s)->tmp.x25519 to ssl3_free() and ssl3_clear().
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
| |
This reduces replication between the existing TLS client/server and allows
the code to soon be reused for TLSv1.3.
With feedback from inoguchi@ and tb@
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
ssl_get_message is essentially a switch between ssl3_get_message and
dtls1_get_message, both only used by the legacy stack. Instead, use
SSL_IS_DTLS() in ssl3_get_message to call the DTLS function when
necessary.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
downgrading from TLS 1.3. If we are, set the last 8 bytes of the
server_random value to the required values as per RFC 8446 section
4.1.3 indicating that we deliberately meant to downgrade.
ok jsing@
|
| |
|
|
|
|
|
|
|
| |
Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.
ok tb@
|
| |
|
|
|
|
|
| |
There is not much point having a tlsext_tick_md macro that replaces
EVP_sha256() in two places, when the cipher is just hardcoded.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).
Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.
Joint work with beck@.
|
| |
|
|
|
|
|
|
|
|
| |
We will now include the certificates in the chain in the certificate list,
or use the existing extra_certs if present. Failing that we fall back to
the automatic chain building if not disabled.
This also simplifies the code significantly.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.
Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:
clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
around broken GOST implementations. It looks like client certificates with
GOST have been completely broken since reimport of the GOST code, so no-one
is using LibreSSL this way. The client side was fixed only last week for
TLSv1.0 and TLSv1.1. This workaround is now in the way of much needed
simplifcation and cleanup, so it is time for it to go.
suggested by and ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If DTLS sees a HelloVerifyRequest the transcript is reset - the previous
tls1_init_finished_mac() function could be called multiple times and would
discard any existing state. The replacement tls1_transcript_init() is more
strict and fails if a transcript already exists.
Provide an explicit tls1_transcript_reset() function and call it from the
appropriate places. This also lets us make DTLS less of a special snowflake
and call tls1_transcript_init() in the same place as used for TLS.
ok beck@ tb@
|
| |
|
|
|
| |
Include check for appropriate RSA key size when used with PSS.
ok tb@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
| |
Regression found by Perl module p5-IO-Socket-SSL tests.
with beck@ tb@
|
| |
|
|
|
|
| |
lightly tested, but will need sanity checks and regress test changes
before being added to any sigalgs list for real
ok jsing@ tb@
|
| |
|
|
|
|
| |
to allow for adding PSS, Nuke the now unneejded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@
|
| |
|
|
|
|
| |
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
| |
Add a priority list for tls 1.2
ok jsing@
|
| |
|
|
|
| |
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@
|
| |
|
|
|
|
|
| |
This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
Add a check at the completion of the client/server handshake to ensure that
the handshake transcript has been freed. Fix the case where a server asks
the client for a certificate, but it does not have one, resulting in the
handshake transcript being left around post-handshake.
ok bcook@ tb@
|
| |
|
|
| |
ok inoguchi@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
The original code did a crazy encode/malloc/encode/decode/modify/encode
dance, in order to encode a session in the form needed to encrypt then add
to a session ticket. By modifying the encoding functions slightly, we can
do this entire dance as a single encode.
Inspired by similar changes in BoringSSL.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.
While here standarise on naming for session_id and session_id_len.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
Parse up until the extensions (if any), then proceed with processing,
rather than gradually parsing while processing. This makes the code
cleaner, requires messages to be valid before processing and makes way
for upcoming changes.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Now that all handshake messages are created using CBB, remove the non-CBB
ssl3_handshake_msg_start()/ssl3_handshake_msg_finish() functions. Rename
the CBB variants by dropping the _cbb suffix.
ok bcook@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
The CBB conversion resulted in the ticket encryption being handled
incorrectly, resulting in only the last block being used. Fix this and
restore the previous behaviour.
Issue found by inoguchi@ and sebastia@.
ok inoguchi@ and tb@
|
| |
|
|
|
|
|
|
|
|
| |
Now that all callers of tls12_get_sigandhash() have been converted to CBB,
collapse tls12_get_sigandhash() and tls12_get_sigandhash_cbb() into a
single function. Rename it to tls12_gethashandsig() to be representative
of the actual order of the sigalgs parameters, and perform some other
clean up.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
This removes a memorable BUF_MEM_grow() and associated comment.
ok inoguchi@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok bcook@ beck@ tb@
|
| |
|
|
|
|
| |
Everything can go through the single EVP_Sign* code path.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
have been converted to CBS, pull it up a level.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
client KEX DHE processing, rather than reusing the buffer that is used
to send/receive handshake messages.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
| |
Also allocate a dedicated buffer to hold the shared secret, rather than
reusing init_buf.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
For pure ECDHE we do not need to construct a new key using the one that
was set up during the other half of the key exchange. Also, since we do not
support any form of ECDH the n == 0 case is not valid (per RFC 4492 section
5.7), so we can ditch this entirely.
ok inoguchi@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
Convert to CBS, use more appropriate variable names and improve validation.
Allocate a dedicated buffer to hold the decrypted result, rather than
decrypting into the handshake buffer (which is also used to send data).
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
| |
around the SSLv3/TLSv1.0 period... and buggy clients are buggy. This also
helps to clean up the RSA key exchange code.
ok "kill it with fire" beck@ tb@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.
The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).
ok inoguchi@
|
| |
|
|
| |
With review/feedback from inoguchi@
|
| |
|
|
| |
Based on a diff from doug@
|
| |
|
|
|
| |
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.
|
