| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.
ok tb@
|
| |
|
|
|
|
| |
This ensures that diff reports the correct function prototype.
Prompted by tb@
|
| |
|
|
|
| |
Consistently include local headers in the same location, using the same
grouping/sorting across all files.
|
| |
|
|
| |
ok jsing kn
|
| |
|
|
|
|
|
| |
with #defines for the per-version initializers instead of extern
globals. Add SSL_USE_SHA256_PRF() to complete the abstraction.
ok tb@ jsing@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Use more descriptive variable names, explain why NID_undef is fine
and simplify the logic.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is only set in one place and read in one place to set the badly
named tlsext_ticket_expected flag. It seems preferable to set this
flag directly, thus simplifying the logic. This slightly changes the
behavior in that this flag is now set earlier, but this seems preferable
anyway. Any error between the old and the new position where the flag
is set is either fatal (so the connection will be closed) or a decrypt
error (so the flag will be set).
discussed with jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().
Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
| |
The only path that sets TLS1_TICKET_NOT_DECRPYTED is through this label
and the ERR_clear_error() is called conditionally on this. We clear the
errors to make decrypt errors non-fatal. The free functions should not
set the errors and if they do, we don't want to hide that.
discussed with jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tls1_process_ticket() - the only caller of tls_decrypt_ticket() - ends
in a switch over the return value of tls_decrypt_ticket() to decide
whether or not to set s->internal->tlsext_ticket_expected = 1.
Since tls_decrypt_ticket() already knows what it will return and
partly bases its decision on what to return on whether or not the
ticket needs to be renewed, it can also take care of setting this flag.
This way we don't need to have a confusing switch that conflates some
return values and sets this flag. Moreover, we can get rid of the ugly
TLS1_TICKET_DECRYPTED_RENEW whose only purpose is to signal that the
flag should be set.
ok jsing
|
| |
|
|
|
|
|
|
| |
In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.
ok beck inoguchi
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.
Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A certain VPN provider appears to have configured their servers to only
accept P-521 for TLSv1.3 key exchange. The particular VPN software in use
also does not currently allow for the TLSv1.3 key share groups to be
configured, which means that there is no way to easily use LibreSSL in
this situation.
Include P-521 in the list of curves that are supported by default in the
client, in order to increase interoperability.
Discussed at length with beck@, inoguchi@ and tb@.
ok tb@
|
| |
|
|
|
|
| |
ssl_version is completely unused and get_timeout is the same everywhere.
ok beck@ inoguchi@ tb@
|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.
ok beck@
|
| |
|
|
|
|
|
| |
The enc function pointers do not serve any purpose these days - remove
a layer of indirection and call dtls1_enc()/tls1_enc() directly.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
The decrypted session ticket contains key material.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
allocating on stack.
While here also check the return values from EVP_DecryptInit_ex() and
HMAC_Init_ex().
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Rename mlen to hlen since it is a hmac (and this matches hctx and hmac).
Rename ctx to cctx since it is a cipher context and ctx is usually used to
mean SSL_CTX in this code.
ok tb@
|
| |
|
|
|
|
| |
This removes various pointer arithmetic and manual length checks.
ok tb@
|
| |
|
|
|
|
| |
This handles the ret = 2 case and makes the code more readable.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.
ok tb@
|
| |
|
|
|
|
|
| |
There is not much point having a tlsext_tick_md macro that replaces
EVP_sha256() in two places, when the cipher is just hardcoded.
ok tb@
|
| |
|
|
|
|
|
|
| |
We only have to find one extension, so do that first then proceed with
processing and decryption. This makes the code more readable and drops
two levels of indent.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
Separate the malloc() check and EVP_DecryptUpdate() - the malloc() failure
is fatal while a EVP_DecryptUpdate() is a decryption failure.
Also ensure that we clear the error stack in all cases where we are
indicating a failure to decrypt or decode the ticket - otherwise
SSL_error() while later return failure when it should not.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Rather than returning from multiple places and trying to clean up as we go,
move to a single exit point and clean/free in one place. Also invert the
logic that handles NULL sessions - fail early, rather than having an
indented if test for success.
ok tb@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
|
|
|
|
| |
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@
|
| |
|
|
| |
to the one I intended to commit
|
| |
|
|
|
|
|
|
|
| |
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@
|
| |
|
|
|
|
| |
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@
|
| |
|
|
|
| |
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
The tls1_check_ec_tmp_key() function is now rather misnamed, so just inline
the code. Also, rather than running tls1_get_shared_curve() once per EC
cipher suite, we can run it once at the start of the ssl3_choose_cipher()
function.
ok bluhm@ tb@
|
| |
|
|
| |
ok bluhm@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.
While here standarise on naming for session_id and session_id_len.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Now that all callers of tls12_get_sigandhash() have been converted to CBB,
collapse tls12_get_sigandhash() and tls12_get_sigandhash_cbb() into a
single function. Rename it to tls12_gethashandsig() to be representative
of the actual order of the sigalgs parameters, and perform some other
clean up.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.
This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This removes ssl_parse_clienthello_tlsext() and allows the CBS to be
passed all the way through from ssl3_get_client_hello(). The renegotation
check gets pulled up into ssl3_get_client_hello() which is where other
such checks exist.
The TLS extension parsing now also ensures that we do not get duplicates
of any known extensions (the old pre-rewrite code only did this for some
extensions).
ok inoguchi@
|
| |
|
|
|
|
|
| |
As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.
Based on a diff from doug@
|
| |
|
|
| |
Based on a diff from doug@
|
| |
|
|
|
|
| |
leaving ssl_add_{client,server}hello_tlsext() as pointer to CBB wrappers.
ok doug@
|
| |
|
|
| |
input + ok beck@, jsing@
|
| |
|
|
|
| |
ok bcook@ beck@
input + ok jsing@
|
| | |
|
| |
|
|
|
|
|
|
| |
This was added as a workaround for broken F5 TLS termination, which then
created issues talking to broken IronPorts. The size of the padding is
hardcoded so it cannot be used in any generic sense.
ok bcook@ beck@ doug@
|
