summaryrefslogtreecommitdiff
path: root/src/lib/libssl/tls13_internal.h (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Move legacy stack interfacing functions into tls13_legacy.c.jsing2020-04-281-1/+8
| | | | | | No functional change. ok inoguchi@ tb@
* Rename tls13_client_synthetic_handshake_message() and move to tls13_lib.c.jsing2020-04-281-1/+2
| | | | | | | | The server-side will need to use the same function. No functional change. ok inoguchi@ tb@
* Improve TLSv1.3 state machine for HelloRetryRequest handling.jsing2020-04-221-3/+3
| | | | | | | | | | | | | | | | | | | The state machine currently handles the HelloRetryRequest case by using WITH_HRR - in other words, we're explicitly indicating when we transition to the alternate path. The problem here is that we do not know if we're going to receive a ServerHello or a HelloRetryRequest until we process the message. This means that the ServerHello processing code has to handle both types of messages. The state machine and associated processing code becomes cleaner if we flip this around so that we assume we are going to receive a HelloRetryRequest and upon discovering that it is not, trigger WITHOUT_HRR and hand off to the ServerHello processing function. In particular, this makes the logic much more straight forward on the server side, when adding support for HRR. With feedback from tb@ ok tb@
* Consolidate TLSv1.3 constants.jsing2020-04-211-6/+7
| | | | | | | Move all of the TLSv1.3 constants to the top of tls13_lib.c. Also mark these all as const so that they end up in .rodata rather than .data. ok tb@
* Expose the peer ephemeral public key used for TLSv1.3 key exchange.jsing2020-04-181-1/+2
| | | | | | | | | SSL_get_server_tmp_key() provides the peer ephemeral public key used for key exchange. In the case of TLSv1.3 this is essentially the peer public key from the key share used for TLSv1.3 key exchange, hence make it availaable via SSL_get_server_tmp_key(). ok inoguchi@ tb@
* Generate client key share using our preferred group.jsing2020-04-171-2/+3
| | | | | | | | Generate a client key share using our preferred group, rather than always using X25519. This means that the key share group can be controlled via SSL{_CTX,}_set1_groups() and SSL{_CTX,}_set1_groups_list(). ok beck@
* Remove some unnecessary handshake enums/functions.jsing2020-03-101-3/+1
| | | | | | | Both session tickets and key updates are post-handshake handshake messages, which were originally included in the handshake code. ok inoguchi@ tb@
* Pull the handshake message transcript code into its own function.jsing2020-02-051-1/+2
| | | | | | This is soon going to be used in the TLSv1.3 client code. ok tb@
* Rework tls13_legacy_handshake_message_{recv,sent}_cb() to usetb2020-02-051-2/+2
| | | | | | their own CBS as a preparation for upcoming HRR diffs. ok jsing
* Provide struct/functions for handling TLSv1.3 key shares.jsing2020-01-301-1/+23
| | | | | | | Pull out the key share handling code and provide a clean/self contained interface. This will make it easier to support groups other than X25519. ok beck@ inoguchi@ tb@
* Move pad and verify context into tls13_lib.cbeck2020-01-261-1/+6
| | | | ok jsing@
* Add an underbar for consistency.tb2020-01-251-2/+2
|
* Support legacy message callbacks. First step for SSL_set_msg_callback(3)tb2020-01-251-1/+5
| | | | | | support. Makes openssl s_client -msg work for handshake messages. ok beck jsing
* It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3jsing2020-01-251-1/+2
| | | | | | | | | | | | client hello. Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3. Noticed by ajacoutot@ while connecting to www.openprinting.org. ok tb@
* Complete the initial TLSv1.3 implementation.jsing2020-01-241-1/+2
| | | | ok beck@ tb@
* Switch to encrypted records in the TLSv1.3 server.jsing2020-01-241-1/+2
| | | | | | | This adds code to perform key derivation and set the traffic keys once the ServerHello message has been sent, enabling encrypted records. ok beck@ tb@
* Fix breakage in SSL_connect, SSL_accept, etc. by not propagatingbeck2020-01-241-2/+3
| | | | | | | | | new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations. ok jsing@ tb@
* Implement client hello processing in the TLSv1.3 server.jsing2020-01-231-4/+5
| | | | ok beck@
* Add checking int the client to check the magic values which arebeck2020-01-231-1/+4
| | | | | | | set by a 1.3 server when it downgrades to tls 1.2 or 1.1 as per RFC 8446 section 4.1.3 ok jsing@
* Implement pending for TLSv1.3.jsing2020-01-231-1/+3
| | | | | | Makes `openssl s_client -peekaboo` work with TLSv1.3. ok beck@ tb@
* Add a TLS13_IO_ALERT return value so that we can explicitly signal whenjsing2020-01-231-4/+5
| | | | | | | | | | we sent or received a fatal alert. Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure). ok beck@ tb@
* Pass a CBB to TLSv1.3 send handlers.jsing2020-01-231-15/+15
| | | | | | | This avoids the need for each send handler to call tls13_handshake_msg_start() and tls13_handshake_msg_finish(). ok beck@ tb@
* Pass a handshake message content CBS to TLSv1.3 receive handlers.jsing2020-01-221-15/+16
| | | | | | | | | This avoids every receive handler from having to get the handshake message content itself. Additionally, pull the trailing data check up so that each receive handler does not have to implement it. This makes the code more readable and reduces duplication. ok beck@ tb@
* Implement support for SSL_peek() in the TLSv1.3 record layer.jsing2020-01-221-1/+2
| | | | ok beck@ tb@
* After the ClientHello has been sent or received and before the peer'stb2020-01-221-1/+2
| | | | | | | | Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it. ok jsing
* The legacy_record_version must be set to TLS1_2_VERSION excepttb2020-01-221-1/+4
| | | | | | | | | in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire. ok beck jsing
* Add minimal support for hello retry request for RFC conformance.beck2020-01-221-1/+2
| | | | | | We currently don't support sending a modified clienthello ok jsing@ tb@
* Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.jsing2020-01-221-1/+6
| | | | ok beck@ inoguchi@ tb@
* Correct legacy fallback for TLSv1.3 client.jsing2020-01-211-1/+2
| | | | | | | | | When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data. ok beck@ tb@
* Add alert processing in tls client code, by adding alert to thebeck2020-01-211-1/+2
| | | | | | | tls13 context, and emiting the alert at the upper layers when the lower level code fails ok jsing@, tb@
* Provide an error framework for use with the TLSv1.3 code.jsing2020-01-201-1/+28
| | | | | | | This is based on the libtls error handling code, but adds machine readable codes and subcodes. We then map these codes back to libssl error codes. ok beck@ inoguchi@
* Add support for TLS 1.3 post handshake messages and key updating.beck2019-11-261-5/+14
| | | | | | tested against openssl 1.1's server. ok jsing@ tb@
* Add accessors to change the buffer in a handshake message.beck2019-11-201-1/+3
| | | | | | Needed for doing TLS 1.3 Post Handshake Handshake messages. ok jsing@
* Add prototypes for the functions that update application secretsbeck2019-11-181-1/+3
| | | | so that the regress tests will work for them
* Provide a clean interface for sending TLSv1.3 alerts.jsing2019-11-181-3/+3
| | | | ok beck@
* Change tls13_record_layer_phh() to take a CBS as this avoids ownershipjsing2019-11-171-3/+2
| | | | | | issues and makes call sites cleaner. ok beck@
* Provide framework for sending alerts and post-handshake handshake messages.jsing2019-11-171-1/+5
| | | | | | Discussed at length with beck@ ok beck@ tb@
* Add the initial framework for the TLSv1.3 server.jsing2019-11-171-1/+2
| | | | ok beck@
* Separate the callbacks for recieved and completed post handshake messagesbeck2019-11-171-3/+5
| | | | | | from the record layer ok jsing@
* By design, our state machine is a DAG contrary to the state machine intb2019-04-051-1/+3
| | | | | | | | | | | | the spec. To avoid the obvious loop in the RFC's state machine, we added a CLIENT_HELLO_RETRY state which is a second ClientHello with special rules. There is, however, no state to react to this second client hello. This adds a matching SERVER_HELLO_RETRY state to the handshakes table. This means in particular that the WITH_HRR state cannot be set in tls13_server_hello_recv(), so remove this now dead check. ok jsing
* Implement legacy fallback for the TLS 1.3 client.jsing2019-04-041-1/+2
| | | | | | | If the Server Hello received indicates that the server did not negotiate TLS 1.3, fallback to the original TLS client implementation. ok bcook@, tb@
* Remove the alert level from the TLSv1.3 alert callback.jsing2019-03-171-3/+2
| | | | | | | | In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback. ok tb@
* Automatically complete the handshake from tls13_legacy_{read,write}_bytes()jsing2019-02-281-1/+2
| | | | | | | | | | | | | | If the TLS handshake has not been completed, automatically complete the handshake as part of the read/write call, implementing the current SSL_read()/SSL_write() behaviour. Once the TLS handshake is completed we push a WANT_POLLIN or WANT_POLLOUT back up to the caller, since some applications appear to incorrectly call SSL_read() or SSL_write(), rather than repeating the previous call. This can lead to attempts to read data that does not exist, since the WANT_POLLIN was actually triggered as part of the handshake. ok inoguchi@ tb@
* Fix gcc3 compilation error by using a forward declaration instead of atb2019-02-251-3/+3
| | | | | | repeated typedef. Found the hard way by aoyama who also tested the fix. ok jsing
* revert "Move struct ssl_handshake_tls13_st definition", i.e., movetb2019-02-251-23/+2
| | | | | | SSL_HANDSHAKE_TLS13 back to ssl_locl.h. discussed with jsing and inoguchi
* Add a handshake action sent handler and use it for client finished.jsing2019-02-251-1/+2
| | | | | | | | | | The write traffic key needs to be changed to the client application traffic key after the client finished message has been sent. The send handler generates the client finished message, however we cannot switch keys at this stage since the client finished message has not yet been protected by the record layer. ok tb@
* Move struct ssl_handshake_tls13_st definitioninoguchi2019-02-251-2/+23
| | | | | | This solves build error on luna88k with gcc3. ok aoyama@ jca@ jsing@ tb@
* Change the alert callback return type from int to void.jsing2019-02-211-2/+2
| | | | | | | | There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1. ok tb@
* Split tls13_record_layer_set_traffic_keys() into two separate functions.jsing2019-02-141-3/+5
| | | | | | | | | This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake. ok tb@
* Provide a TLS 1.3 capable client method.jsing2019-02-141-1/+2
| | | | ok tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-19 18:00:29 +0000