summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_srvr.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Deduplicate peer certificate chain processing code.jsing2022-08-171-13/+10
| | | | | | | | | | | | | | Rather than reimplement this in each TLS client and server, deduplicate it into a single function. Furthermore, rather than dealing with the API hazard that is SSL_get_peer_cert_chain() in this code, simply produce two chains - one that has the leaf and one that does not. SSL_get_peer_cert_chain() can then return the appropriate one. This also moves the peer cert chain from the SSL_SESSION to the SSL_HANDSHAKE, which makes more sense since it is not available on resumption. ok tb@
* Simplify certificate list handling code in legacy server.jsing2022-07-031-62/+50
| | | | | | | | | | | | | A client is required to send an empty list if it does not have a suitable certificate - handle this case up front, rather than going through the normal code path and ending up with an empty certificate list. This matches what we do in the TLSv1.3 stack and will allow for ruther clean up (in addition to making the code more readable). Also tidy up the CBS code and remove some unnecessary length checks. Use 'cert' and 'certs' for certificates, rather than 'x' and 'sk'. ok tb@
* Rename uses 'curve' to 'group' and rework tls1 group API.tb2022-07-021-2/+2
| | | | | | | | | | This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent. Based on a suggestion by jsing ok jsing
* Add checks to ensure we do not initiate or negotiate handshakes withtb2022-06-301-1/+8
| | | | | | versions below the minimum required by the security level. input & ok jsing
* Check the security of DH key sharestb2022-06-291-1/+7
| | | | ok beck, looks good to jsing
* Check the security level when building sigalgstb2022-06-291-3/+3
| | | | ok beck jsing
* Free ciphers before assigning to themtb2022-06-281-6/+6
| | | | | | | | While this is not a leak currently, it definitely looks like one. Pointed out by jsing on review of a diff that touched the vicinity a while ago. ok jsing
* Add error checking to tls_session_secret_cb() callstb2022-06-071-23/+30
| | | | | | | | | | | Failure of this undocumented callback was previously silently ignored. Follow OpenSSL's behavior and throw an internal error (for lack of a better choice) if the callback failed or if it set the master_key_length to a negative number. Unindent the success path and clean up some strange idioms. ok jsing
* Bye bye S3I.jsing2022-02-051-136/+136
| | | | | | | | S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed. ok inoguchi@ tb@
* Remove peer_pkeys from SSL_SESSION.jsing2022-01-111-8/+6
| | | | | | | | | | peer_pkeys comes from some world where peers can send multiple certificates - in fact, one of each known type. Since we do not live in such a world, get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2 and TLSv1.3, both clients and servers can only send a single leaf (aka end-entity) certificate). ok inoguchi@ tb@
* Rename 'peer' to 'peer_cert' in SSL_SESSION.jsing2022-01-111-13/+13
| | | | | | | The 'peer' member of SSL_SESSION is the leaf/end-entity certificate provided by our peer. Rename it since 'peer' on its own is unhelpful. ok inoguchi@ tb@
* Plumb decode errors through key share parsing code.jsing2022-01-111-7/+22
| | | | | | | | | | | | Distinguish between decode errors and other errors, so that we can send a SSL_AD_DECODE_ERROR alert when appropriate. Fixes a tlsfuzzer failure, due to it expecting a decode error alert and not receiving one. Prompted by anton@ ok tb@
* Clean up ssl3_{send,get}_client_kex_gost()jsing2022-01-091-20/+20
| | | | | | | | Fix leaks, use sizeof() instead of hardcoded sizes, actually check return codes, explicit_bzero() the premaster secret on the server side and generally try to kick the GOST kex code into some sort of shape. ok inoguchi@ tb@
* Return 0/1 from ssl3_{send,get}_client_kex_gost()jsing2022-01-091-3/+3
| | | | | | | Like other KEX handling functions, there is no need to return anything other than failure/success here. ok inoguchi@ tb@
* Fix GOST skip certificate verify handling.jsing2022-01-091-19/+11
| | | | | | | | | | | GOST skip certificate verify handling got broken in r1.132 of s3_srvr.c circa 2016. Prior to this, ssl3_get_client_key_exchange() returned an 'extra special' value to indicate that the state machine should skip certificate verify. Fix this by setting and checking the TLS1_FLAGS_SKIP_CERT_VERIFY flag, which is the same as is done in the client. ok inoguchi@ tb@
* Merge SESS_CERT into SSL_SESSION.jsing2022-01-081-17/+5
| | | | | | | There is no reason for SESS_CERT to exist - remove it and merge its members into SSL_SESSION for the time being. More clean up to follow. ok inoguchi@ tb@
* Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.jsing2022-01-081-2/+2
| | | | | | | Nearly all structs in libssl start with an SSL_ suffix, rename CERT and CERT_PKEY for consistency. ok inoguchi@ tb@
* Rename dh_tmp to dhe_params.jsing2022-01-071-5/+5
| | | | | | | | Support for non-ephemeral DH was removed a long time ago - as such, the dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect reality. ok inoguchi@ tb@
* Convert legacy server to tls_key_share.jsing2022-01-071-202/+40
| | | | | | | | | | | This requires a few more additions to the DHE key share code - we need to be able to either set the DHE parameters or specify the number of key bits for use with auto DHE parameters. Additionally, we need to be able to serialise the DHE parameters to send to the client. This removes the infamous 'tmp' struct from ssl3_state_internal_st. ok inoguchi@ tb@
* Return 0 on failure from send/get kex functions in the legacy stack.jsing2022-01-041-18/+18
| | | | | | | | | | | | | In the legacy stack, a message handling function returns -1 for failure, 0 for need more data and 1 for success (although in extra special cases 2 may also be used). However, the various send/get kex functions only need to indicate success or failure - switch these to return 0 on failure (rather than -1) and use normal result testing. This leaves GOST unchanged for now, as that code is special and needs extra work. ok inoguchi@ tb@
* Hoist memset of CBB above EVP_MD_CTX_new() and HMAC_CTX_new() to avoidtb2021-12-261-3/+3
| | | | | | | | | a use of uninitialized in the unlikely event that either of them fails. Problem introduced in r1.128. CID 345113 ok jsing
* Convert ssl_srvr.c to opaque EVP_MD_CTX.tb2021-12-091-42/+44
| | | | ok inoguchi jsing
* Clean up and refactor server side DHE key exchange.jsing2021-12-041-78/+55
| | | | | | | | | | | | Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation based on parameters determined by the specified key bits. Convert the existing DHE auto parameter selection code into a function that just tells us how many key bits to use. Untangle and rework the server side DHE key exchange to use the ssl_kex_* functions. ok inoguchi@ tb@
* Convert server serialisation of DHE parameters/public key to new functions.jsing2021-11-291-24/+3
| | | | ok inoguchi@ tb@
* Stop reaching into EVP_PKEY in the rest of libssl.tb2021-11-261-10/+22
| | | | ok inoguchi jsing
* libssl: don't reach for pkey->save_type.tb2021-11-191-2/+2
| | | | | | | | | | | | For some strange historical reason ECDSA_sign() and ECDSA_verify}() have a type argument that they ignore. For another strange historical reason, the type passed to them from libssl is pkey->save_type, which is used to avoid expensive engine lookups when setting the pkey type... Whatever the aforementioned reasons were, we can't access pkey->save_type with the OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque. Simply pass in 0 instead. ok jsing
* Fold SSL_SESSION_INTERNAL back into SSL_SESSION.jsing2021-10-251-6/+6
| | | | ok beck@ tb@
* Provide a way to determine our maximum legacy version.jsing2021-10-231-10/+8
| | | | | | | | | | | | | | With the introduction of TLSv1.3, we need the ability to determine our maximum legacy version and to track our peer's maximum legacy version. This is needed for both the TLS record layer when using TLSv1.3, plus it is needed for RSA key exhange in TLS prior to TLSv1.3, where the maximum legacy version is incorporated in the pre-master secret to avoid downgrade attacks. This unbreaks RSA KEX for the TLS client when the non-version specific method is used with TLSv1.0 or TLSv1.1 (clearly no one does this). ok tb@
* Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.jsing2021-10-231-21/+21
| | | | | | | Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into DTLS1_STATE and remove D1I() usage. ok tb@
* Untangle ssl3_get_message() return values.jsing2021-10-231-36/+33
| | | | | | | | | | | | | | | This function currently has a long return type that may be <= 0 on error/retry (which is then cast to an int in order to return it up the stack), or it returns the length of the handshake message (on success). This obviously means that 0 can be returned for both success and failure, which is the reason why a separate 'ok' argument has to exist. Untangle this mess by changing the return value to an int that indicates success (1) or error/retry (<= 0). The length never needs to actually be returned as it is already stored in s->internal->init_num (which is where the return value is read from anyway). ok tb@
* Ensure that a client hello does not have trailing data.jsing2021-09-031-1/+4
| | | | | | Found by tlsfuzzer. ok beck@
* Clean up and simplify info and msg callbacks.jsing2021-08-301-16/+8
| | | | | | | | | The info and msg callbacks result in duplication - both for code that refers to the function pointers and for the call sites. Avoid this by providing typedefs for the function pointers and pulling the calling sequences into their own functions. ok inoguchi@ tb@
* Track sigalg used by ourselves and our peer in the legacy stack.jsing2021-06-291-1/+3
| | | | This is needed for upcoming API additions.
* Convert legacy stack server to ssl_sigalg_for_peer().jsing2021-06-291-47/+29
| | | | ok inoguchi@ tb@
* Move the RSA-PSS check for TLSv1.3 to ssl_sigalg_pkey_ok().jsing2021-06-291-2/+2
| | | | | | | | Also, rather than passing in a check_curve flag, pass in the SSL * and handle version checks internally to ssl_sigalg_pkey_ok(), simplifying the callers. ok inoguchi@ tb@
* Change ssl_sigalgs_from_value() to perform sigalg list selection.jsing2021-06-271-3/+3
| | | | | | | | | Rather that passing in a sigalg list at every call site, pass in the appropriate TLS version and have ssl_sigalgs_from_value() perform the sigalg list selection itself. This allows the sigalg lists to be made internal to the sigalgs code. ok tb@
* Rename ssl_sigalg() to ssl_sigalg_from_value().jsing2021-06-271-3/+3
| | | | | | | This makes the code more self-documenting and avoids the ambiguity between ssl_sigalg the struct and ssl_sigalg the function. ok tb@
* Change ssl_sigalgs_build() to perform sigalg list selection.jsing2021-06-271-3/+5
| | | | | | | | | Rather that doing sigalg list selection at every call site, pass in the appropriate TLS version and have ssl_sigalgs_build() perform the sigalg list selection itself. This reduces code duplication, simplifies the calling code and is the first step towards internalising the sigalg lists. ok tb@
* Make local header inclusion consistent.jsing2021-05-161-3/+2
| | | | | Consistently include local headers in the same location, using the same grouping/sorting across all files.
* Move DTLS structs/definitions/prototypes to dtls_locl.h.jsing2021-05-161-1/+2
| | | | | | | | Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists. ok inoguchi@ tb@
* Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*jsing2021-05-161-4/+6
| | | | | | Where a file references to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
* Clean up tls1_change_cipher_state().jsing2021-05-021-5/+3
| | | | | | | | Replace flag gymnastics at call sites with separate read and write, functions which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code. ok inoguchi@ tb@
* In the TLSv1.2 server, set up the key block after sending the CCS.jsing2021-05-021-7/+7
| | | | | | | This avoids calling into the key block setup code multiple times and makes the server code consistent with the client. ok inoguchi@ tb@
* Clean up dtls1_reset_seq_numbers().jsing2021-05-021-4/+1
| | | | | | | | | | Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server. ok inoguchi@ tb@
* Clean up and harden TLSv1.2 master key derivation.jsing2021-04-301-15/+11
| | | | | | | | | | | The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites. If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later. ok inoguchi@ tb@
* Clean up derivation of finished/peer finished.jsing2021-04-251-5/+3
| | | | | | | | Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code. ok inoguchi@ tb@
* Clean up TLSv1.2 certificate request handshake data.jsing2021-04-211-5/+5
| | | | | | | | | | Currently cert_req is used by clients and cert_request is used by servers. Replace this by a single cert_request used by either client or server. Remove the certificate types as they are currently unused. This also fixes a bug whereby if the number of certificate types exceeds SSL3_CT_NUMBER the number of bytes read in is insufficient, which will break decoding. ok inoguchi@ tb@
* Move reuse_message, message_type, message_size and cert_verify into thejsing2021-04-191-11/+11
| | | | | | TLSv1.2 handshake struct. ok inoguchi@ tb@
* Avoid transcript initialisation when sending a TLS HelloRequest.jsing2021-03-291-4/+6
| | | | | | | | | | When server side renegotiation is triggered, the TLSv1.2 state machine sends a HelloRequest before going to ST_SW_FLUSH and ST_OK. In this case we do not need the transcript and currently hit the sanity check in ST_OK that ensures the transcript has been freed, breaking server initiated renegotiation. We do however need the transcript in the DTLS case. ok tb@
* Garbage collect s->internal->typetb2021-03-271-3/+1
| | | | | | | | | | | | | | | | | | | This variable is used in the legacy stack to decide whether we are a server or a client. That's what s->server is for... The new TLSv1.3 stack failed to set s->internal->type, which resulted in hilarious mishandling of previous_{client,server}_finished. Indeed, both client and server would first store the client's verify_data in previous_server_finished and later overwrite it with the server's verify_data. Consequently, renegotiation has been completely broken for more than a year. In fact, server side renegotiation was broken during the 6.5 release cycle. Clearly, no-one uses this. This commit fixes client side renegotiation and restores the previous behavior of SSL_get_client_CA_list(). Server side renegotiation will be fixed in a later commit. ok jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 07:20:23 +0000