| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
original commits:
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2020/05/16 08:44:55
Modified files:
lib/libssl : tls13_client.c
Log message:
Ensure that a TLSv1.3 server has provided a certificate.
The RFC requires that a server always provide a certificate for
authentication. Ensure that this is the case, rather than proceeding and
attempting validation. In the case where validation was disabled and the
server returned an empty certificate list, this would have previously
resulted in a NULL pointer deference.
Issue reported by otto@
ok inoguchi@ tb@
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2020/05/17 08:26:15
Modified files:
lib/libssl : tls13_client.c
Log message:
Send a decode error alert if a server provides an empty certificate list.
According to RFC 8446 section 4.4.2.4, a client receiving an empty
certificate list must abort the handshake with a decode error alert.
ok beck@ inoguchi@ tb@ ('it rarely is the alert you'd expect it to be...')
|
| |
|
|
|
|
| |
No functional change.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
The server-side will need to use the same function.
No functional change.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The state machine currently handles the HelloRetryRequest case by using
WITH_HRR - in other words, we're explicitly indicating when we transition
to the alternate path. The problem here is that we do not know if we're
going to receive a ServerHello or a HelloRetryRequest until we process
the message. This means that the ServerHello processing code has to handle
both types of messages.
The state machine and associated processing code becomes cleaner if we flip
this around so that we assume we are going to receive a HelloRetryRequest
and upon discovering that it is not, trigger WITHOUT_HRR and hand off to
the ServerHello processing function. In particular, this makes the logic
much more straight forward on the server side, when adding support for HRR.
With feedback from tb@
ok tb@
|
| |
|
|
|
|
|
| |
Move all of the TLSv1.3 constants to the top of tls13_lib.c. Also mark
these all as const so that they end up in .rodata rather than .data.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
SSL_get_server_tmp_key() provides the peer ephemeral public key used
for key exchange. In the case of TLSv1.3 this is essentially the peer
public key from the key share used for TLSv1.3 key exchange, hence make it
availaable via SSL_get_server_tmp_key().
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Generate a client key share using our preferred group, rather than always
using X25519. This means that the key share group can be controlled via
SSL{_CTX,}_set1_groups() and SSL{_CTX,}_set1_groups_list().
ok beck@
|
| |
|
|
|
|
|
| |
Both session tickets and key updates are post-handshake handshake messages,
which were originally included in the handshake code.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
This is soon going to be used in the TLSv1.3 client code.
ok tb@
|
| |
|
|
|
|
| |
their own CBS as a preparation for upcoming HRR diffs.
ok jsing
|
| |
|
|
|
|
|
| |
Pull out the key share handling code and provide a clean/self contained
interface. This will make it easier to support groups other than X25519.
ok beck@ inoguchi@ tb@
|
| |
|
|
| |
ok jsing@
|
| | |
|
| |
|
|
|
|
| |
support. Makes openssl s_client -msg work for handshake messages.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
| |
This adds code to perform key derivation and set the traffic keys once the
ServerHello message has been sent, enabling encrypted records.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.
ok jsing@ tb@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
|
| |
set by a 1.3 server when it downgrades to tls 1.2 or 1.1 as per
RFC 8446 section 4.1.3
ok jsing@
|
| |
|
|
|
|
| |
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
| |
|
|
|
|
|
| |
This avoids the need for each send handler to call
tls13_handshake_msg_start() and tls13_handshake_msg_finish().
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
This avoids every receive handler from having to get the handshake message
content itself. Additionally, pull the trailing data check up so that each
receive handler does not have to implement it. This makes the code more
readable and reduces duplication.
ok beck@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.
ok beck jsing
|
| |
|
|
|
|
| |
We currently don't support sending a modified clienthello
ok jsing@ tb@
|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.
ok beck@ tb@
|
| |
|
|
|
|
|
| |
tls13 context, and emiting the alert at the upper layers when
the lower level code fails
ok jsing@, tb@
|
| |
|
|
|
|
|
| |
This is based on the libtls error handling code, but adds machine readable
codes and subcodes. We then map these codes back to libssl error codes.
ok beck@ inoguchi@
|
| |
|
|
|
|
| |
tested against openssl 1.1's server.
ok jsing@ tb@
|
| |
|
|
|
|
| |
Needed for doing TLS 1.3 Post Handshake Handshake messages.
ok jsing@
|
| |
|
|
| |
so that the regress tests will work for them
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
| |
issues and makes call sites cleaner.
ok beck@
|
| |
|
|
|
|
| |
Discussed at length with beck@
ok beck@ tb@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
| |
from the record layer
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
the spec. To avoid the obvious loop in the RFC's state machine, we added
a CLIENT_HELLO_RETRY state which is a second ClientHello with special
rules. There is, however, no state to react to this second client hello.
This adds a matching SERVER_HELLO_RETRY state to the handshakes table.
This means in particular that the WITH_HRR state cannot be set in
tls13_server_hello_recv(), so remove this now dead check.
ok jsing
|
| |
|
|
|
|
|
| |
If the Server Hello received indicates that the server did not negotiate
TLS 1.3, fallback to the original TLS client implementation.
ok bcook@, tb@
|
| |
|
|
|
|
|
|
| |
In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the TLS handshake has not been completed, automatically complete the
handshake as part of the read/write call, implementing the current
SSL_read()/SSL_write() behaviour.
Once the TLS handshake is completed we push a WANT_POLLIN or WANT_POLLOUT
back up to the caller, since some applications appear to incorrectly call
SSL_read() or SSL_write(), rather than repeating the previous call. This
can lead to attempts to read data that does not exist, since the
WANT_POLLIN was actually triggered as part of the handshake.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
repeated typedef. Found the hard way by aoyama who also tested the fix.
ok jsing
|
| |
|
|
|
|
| |
SSL_HANDSHAKE_TLS13 back to ssl_locl.h.
discussed with jsing and inoguchi
|
| |
|
|
|
|
|
|
|
|
| |
The write traffic key needs to be changed to the client application traffic
key after the client finished message has been sent. The send handler
generates the client finished message, however we cannot switch keys at
this stage since the client finished message has not yet been protected
by the record layer.
ok tb@
|
| |
|
|
|
|
| |
This solves build error on luna88k with gcc3.
ok aoyama@ jca@ jsing@ tb@
|
| |
|
|
|
|
|
|
| |
There is nothing for the handler to really signal, since it cannot change
the fact that we received an alert. While here use TLS13_IO_FAILURE instead
of hardcoding -1.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
This allows the read traffic key to be set independently of the write
traffic key. This will become necessary for KeyUpdate handling, however
also allows for switching to application traffic keys at more appropriate
stages of the handshake.
ok tb@
|
