| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
No functional change.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
The server-side will need to use the same function.
No functional change.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Move functions so that they are in the order that the TLSv1.3 messages are
processed. While here, also move tls13_client_end_of_early_data_send() from
tls13_client.c to tls13_server.c.
No functional change.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The state machine currently handles the HelloRetryRequest case by using
WITH_HRR - in other words, we're explicitly indicating when we transition
to the alternate path. The problem here is that we do not know if we're
going to receive a ServerHello or a HelloRetryRequest until we process
the message. This means that the ServerHello processing code has to handle
both types of messages.
The state machine and associated processing code becomes cleaner if we flip
this around so that we assume we are going to receive a HelloRetryRequest
and upon discovering that it is not, trigger WITHOUT_HRR and hand off to
the ServerHello processing function. In particular, this makes the logic
much more straight forward on the server side, when adding support for HRR.
With feedback from tb@
ok tb@
|
| |
|
|
|
|
|
| |
Move all of the TLSv1.3 constants to the top of tls13_lib.c. Also mark
these all as const so that they end up in .rodata rather than .data.
ok tb@
|
| |
|
|
|
|
|
|
| |
Generate a client key share using our preferred group, rather than always
using X25519. This means that the key share group can be controlled via
SSL{_CTX,}_set1_groups() and SSL{_CTX,}_set1_groups_list().
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Generate an unpredictable 32-byte legacy session ID during client
initialisation, rather than when the ClientHello message is being created.
Otherwise in the case of a HelloRetryRequest the legacy session ID values
will differ between the first and second ClientHello messages, which is
not permitted by the RFC.
Fixes an issue talking TLSv1.3 to smtp.mail.yahoo.com.
ok beck@
|
| |
|
|
|
|
|
|
|
| |
If the maximum version is less than TLSv1.3, send a zero-length session
identifier (matching the behaviour of the legacy TLS stack), rather than
a 32 byte random identifier. The 32 byte random identifier is only needed
for "compatibility" mode in TLSv1.3.
ok beck@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
messages must terminate the connection with a decrypt_error alert, so
replace the use of the deprecated decryption_failed alert accordingly.
ok beck inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
| |
In the case of a hello retry request, we need to replace the client hello
with a synthetic handshake message, switch key share to that selected by
the server, build and send a new client hello, then process the resulting
server hello.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Use flags to signal the need to switch to the legacy client and to identify
a hello retry request. This allows the caller to take appropriate action,
rather than trying to do this in the parsing/processing code.
Split the key deriviation and record protection engagement code into a
separate function, both for readability and reuse.
Change handshake states outside of the processing code.
ok tb@
|
| |
|
|
|
|
|
| |
This got added to the wrong functions (server side, not client) - swap the
now unimplemented send/recv functions between client and server.
ok tb@
|
| |
|
|
|
|
|
|
| |
Unlike TLSv1.2 there is only a single hash in use, hence as soon as we
know what the hash is and have initialised the transcript hash, we can
free the transcript buffers.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Pull out the key share handling code and provide a clean/self contained
interface. This will make it easier to support groups other than X25519.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
on the error stack, refrain from pushing an 'unknown' error on the stack.
This should allow libcrypto errors (including bio) to be visible, where we
have nothing better to offer.
ok tb@
|
| |
|
|
|
|
|
|
| |
handshake function pointer.
Fixes an isssue found by jca@ with OpenVPN.
ok beck@ tb@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
| |
Issue noticed by kn@ when talking to a TLSv1.3 capable mail server, but
with smtpd capping max version to TLSv1.2.
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
| |
|
|
|
|
| |
according to RFC8446.
ok jsing@
|
| |
|
|
|
|
|
| |
set by a 1.3 server when it downgrades to tls 1.2 or 1.1 as per
RFC 8446 section 4.1.3
ok jsing@
|
| |
|
|
|
|
| |
the same from the server.
ok jsing@ tb@
|
| |
|
|
|
|
|
| |
This avoids the need for each send handler to call
tls13_handshake_msg_start() and tls13_handshake_msg_finish().
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
This avoids every receive handler from having to get the handshake message
content itself. Additionally, pull the trailing data check up so that each
receive handler does not have to implement it. This makes the code more
readable and reduces duplication.
ok beck@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
| |
|
|
|
|
|
| |
The legacy version field is capped at TLSv1.2, however it may be lower than
this if we are only choosing to use TLSv1.0 or TLSv1.1.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.
ok beck jsing
|
| |
|
|
|
|
| |
We currently don't support sending a modified clienthello
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
| |
When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.
ok beck@ tb@
|
| |
|
|
|
|
|
| |
tls13 context, and emiting the alert at the upper layers when
the lower level code fails
ok jsing@, tb@
|
| |
|
|
|
|
|
| |
This is based on the libtls error handling code, but adds machine readable
codes and subcodes. We then map these codes back to libssl error codes.
ok beck@ inoguchi@
|
| | |
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
| |
from a tls 1.3 connection, for now.
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
the spec. To avoid the obvious loop in the RFC's state machine, we added
a CLIENT_HELLO_RETRY state which is a second ClientHello with special
rules. There is, however, no state to react to this second client hello.
This adds a matching SERVER_HELLO_RETRY state to the handshakes table.
This means in particular that the WITH_HRR state cannot be set in
tls13_server_hello_recv(), so remove this now dead check.
ok jsing
|
| |
|
|
|
|
|
| |
If the Server Hello received indicates that the server did not negotiate
TLS 1.3, fallback to the original TLS client implementation.
ok bcook@, tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).
Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.
Joint work with beck@.
|
| |
|
|
|
|
|
|
| |
Set the SSL state to SSL_ST_CONNECT during the TLSv1.3 handshake and to
SSL_ST_OK once the handshake completes, since some applications currently
rely on this information to function correctly.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
The write traffic key needs to be changed to the client application traffic
key after the client finished message has been sent. The send handler
generates the client finished message, however we cannot switch keys at
this stage since the client finished message has not yet been protected
by the record layer.
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Switch the read traffic key to the server application traffic key once
the server finished message has been processed. Switch the write traffic
key to the client application traffic key after sending the client
finished message.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.
ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
This adds support for processing of the server finished message and
generation of the client finished message.
ok tb@
|
| |
|
|
|
|
|
| |
This allows the TLS 1.3 client to process the certificates that the server
has sent and verify that the server has possession of the private key.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
