| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
This makes SNI work correctly with TLSv1.3.
Found the hard way by danj@, gonzalo@ and others.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
| |
messages with oscp staples.
ok jsing@ tb@
|
| |
|
|
|
|
| |
This was missed in previous tls13_server.c commit.
ok inoguchi@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.
ok tb@
|
| |
|
|
|
|
|
|
| |
This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the client has requested middle box compatibility mode by sending
a non-empty legacy_session_id, the server must send a dummy CCS right
after its first handshake message. This means right after ServerHello
or HelloRetryRequest.
Two important improvements over the backed-out diffr: make sure that
First: client and server can send their dummy CCS at the correct moment
(right before the next flight or right after the current flight).
Second: as jsing noted, we also need to deal with the corner case that
tls13_send_dummy_ccs() can return TLS13_IO_WANT_POLLOUT.
with/ok jsing
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
|
|
| |
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.
ok beck@
|
| |
|
|
|
|
|
|
| |
with TLSv1.2 servers, since it makes clients send their dummy CCS too
early... There's an obvious but dirty bandaid which I can't bring myself
to applying - this business is already disgusting enough.
Issue found the hard way by sthen
|
| |
|
|
|
|
|
|
|
| |
If the client has requested middle box compatibility mode by sending
a non-empty legacy_session_id, the server must send a dummy CCS right
after its first handshake message. This means right after ServerHello
or HelloRetryRequest.
ok jsing
|
| |
|
|
|
|
|
|
| |
When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok jsing@, tb@, inoguchi@
|
| |
|
|
|
|
| |
No functional change.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
The server-side will need to use the same function.
No functional change.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The state machine currently handles the HelloRetryRequest case by using
WITH_HRR - in other words, we're explicitly indicating when we transition
to the alternate path. The problem here is that we do not know if we're
going to receive a ServerHello or a HelloRetryRequest until we process
the message. This means that the ServerHello processing code has to handle
both types of messages.
The state machine and associated processing code becomes cleaner if we flip
this around so that we assume we are going to receive a HelloRetryRequest
and upon discovering that it is not, trigger WITHOUT_HRR and hand off to
the ServerHello processing function. In particular, this makes the logic
much more straight forward on the server side, when adding support for HRR.
With feedback from tb@
ok tb@
|
| |
|
|
|
|
|
| |
Move all of the TLSv1.3 constants to the top of tls13_lib.c. Also mark
these all as const so that they end up in .rodata rather than .data.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
SSL_get_server_tmp_key() provides the peer ephemeral public key used
for key exchange. In the case of TLSv1.3 this is essentially the peer
public key from the key share used for TLSv1.3 key exchange, hence make it
availaable via SSL_get_server_tmp_key().
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Generate a client key share using our preferred group, rather than always
using X25519. This means that the key share group can be controlled via
SSL{_CTX,}_set1_groups() and SSL{_CTX,}_set1_groups_list().
ok beck@
|
| |
|
|
|
|
|
| |
Both session tickets and key updates are post-handshake handshake messages,
which were originally included in the handshake code.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
This is soon going to be used in the TLSv1.3 client code.
ok tb@
|
| |
|
|
|
|
| |
their own CBS as a preparation for upcoming HRR diffs.
ok jsing
|
| |
|
|
|
|
|
| |
Pull out the key share handling code and provide a clean/self contained
interface. This will make it easier to support groups other than X25519.
ok beck@ inoguchi@ tb@
|
| |
|
|
| |
ok jsing@
|
| | |
|
| |
|
|
|
|
| |
support. Makes openssl s_client -msg work for handshake messages.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
| |
This adds code to perform key derivation and set the traffic keys once the
ServerHello message has been sent, enabling encrypted records.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.
ok jsing@ tb@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
|
| |
set by a 1.3 server when it downgrades to tls 1.2 or 1.1 as per
RFC 8446 section 4.1.3
ok jsing@
|
| |
|
|
|
|
| |
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
| |
|
|
|
|
|
| |
This avoids the need for each send handler to call
tls13_handshake_msg_start() and tls13_handshake_msg_finish().
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
This avoids every receive handler from having to get the handshake message
content itself. Additionally, pull the trailing data check up so that each
receive handler does not have to implement it. This makes the code more
readable and reduces duplication.
ok beck@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
Finished message has been received, a change cipher spec may be received
and must be ignored. Add a flag to the record layer struct and set it at
the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
in the ClientHello where it may be set to TLS1_VERSION. Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.
ok beck jsing
|
| |
|
|
|
|
| |
We currently don't support sending a modified clienthello
ok jsing@ tb@
|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.
ok beck@ tb@
|
| |
|
|
|
|
|
| |
tls13 context, and emiting the alert at the upper layers when
the lower level code fails
ok jsing@, tb@
|
| |
|
|
|
|
|
| |
This is based on the libtls error handling code, but adds machine readable
codes and subcodes. We then map these codes back to libssl error codes.
ok beck@ inoguchi@
|
| |
|
|
|
|
| |
tested against openssl 1.1's server.
ok jsing@ tb@
|
| |
|
|
|
|
| |
Needed for doing TLS 1.3 Post Handshake Handshake messages.
ok jsing@
|
| |
|
|
| |
so that the regress tests will work for them
|
