path: root/src/lib/libssl/tls13_internal.h
Commit message [Author, Age, Files, Lines]
...
* Support legacy message callbacks. First step for SSL_set_msg_callback(3) [tb, 2020-01-25, files: 1, lines: -1/+5]
  support. Makes openssl s_client -msg work for handshake messages. ok beck jsing
* It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 [jsing, 2020-01-25, files: 1, lines: -1/+2]
  client hello. Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3. Noticed by ajacoutot@ while connecting to www.openprinting.org. ok tb@
* Complete the initial TLSv1.3 implementation. [jsing, 2020-01-24, files: 1, lines: -1/+2]
  ok beck@ tb@
* Switch to encrypted records in the TLSv1.3 server. [jsing, 2020-01-24, files: 1, lines: -1/+2]
  This adds code to perform key derivation and set the traffic keys once the ServerHello message has been sent, enabling encrypted records. ok beck@ tb@
* Fix breakage in SSL_connect, SSL_accept, etc. by not propagating [beck, 2020-01-24, files: 1, lines: -2/+3]
  new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations. ok jsing@ tb@
* Implement client hello processing in the TLSv1.3 server. [jsing, 2020-01-23, files: 1, lines: -4/+5]
  ok beck@
* Add checking in the client to check the magic values which are [beck, 2020-01-23, files: 1, lines: -1/+4]
  set by a 1.3 server when it downgrades to tls 1.2 or 1.1 as per RFC 8446 section 4.1.3 ok jsing@
* Implement pending for TLSv1.3. [jsing, 2020-01-23, files: 1, lines: -1/+3]
  Makes `openssl s_client -peekaboo` work with TLSv1.3. ok beck@ tb@
* Add a TLS13_IO_ALERT return value so that we can explicitly signal when [jsing, 2020-01-23, files: 1, lines: -4/+5]
  we sent or received a fatal alert. Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure). ok beck@ tb@
* Pass a CBB to TLSv1.3 send handlers. [jsing, 2020-01-23, files: 1, lines: -15/+15]
  This avoids the need for each send handler to call tls13_handshake_msg_start() and tls13_handshake_msg_finish(). ok beck@ tb@
* Pass a handshake message content CBS to TLSv1.3 receive handlers. [jsing, 2020-01-22, files: 1, lines: -15/+16]
  This avoids every receive handler from having to get the handshake message content itself. Additionally, pull the trailing data check up so that each receive handler does not have to implement it. This makes the code more readable and reduces duplication. ok beck@ tb@
* Implement support for SSL_peek() in the TLSv1.3 record layer. [jsing, 2020-01-22, files: 1, lines: -1/+2]
  ok beck@ tb@
* After the ClientHello has been sent or received and before the peer's [tb, 2020-01-22, files: 1, lines: -1/+2]
  Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it. ok jsing
* The legacy_record_version must be set to TLS1_2_VERSION except [tb, 2020-01-22, files: 1, lines: -1/+4]
  in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire. ok beck jsing
* Add minimal support for hello retry request for RFC conformance. [beck, 2020-01-22, files: 1, lines: -1/+2]
  We currently don't support sending a modified clienthello ok jsing@ tb@
* Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client. [jsing, 2020-01-22, files: 1, lines: -1/+6]
  ok beck@ inoguchi@ tb@
* Correct legacy fallback for TLSv1.3 client. [jsing, 2020-01-21, files: 1, lines: -1/+2]
  When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data. ok beck@ tb@
* Add alert processing in tls client code, by adding alert to the [beck, 2020-01-21, files: 1, lines: -1/+2]
  tls13 context, and emitting the alert at the upper layers when the lower level code fails ok jsing@, tb@
* Provide an error framework for use with the TLSv1.3 code. [jsing, 2020-01-20, files: 1, lines: -1/+28]
  This is based on the libtls error handling code, but adds machine readable codes and subcodes. We then map these codes back to libssl error codes. ok beck@ inoguchi@
* Add support for TLS 1.3 post handshake messages and key updating. [beck, 2019-11-26, files: 1, lines: -5/+14]
  tested against openssl 1.1's server. ok jsing@ tb@
* Add accessors to change the buffer in a handshake message. [beck, 2019-11-20, files: 1, lines: -1/+3]
  Needed for doing TLS 1.3 Post Handshake Handshake messages. ok jsing@
* Add prototypes for the functions that update application secrets [beck, 2019-11-18, files: 1, lines: -1/+3]
  so that the regress tests will work for them
* Provide a clean interface for sending TLSv1.3 alerts. [jsing, 2019-11-18, files: 1, lines: -3/+3]
  ok beck@
* Change tls13_record_layer_phh() to take a CBS as this avoids ownership [jsing, 2019-11-17, files: 1, lines: -3/+2]
  issues and makes call sites cleaner. ok beck@
* Provide framework for sending alerts and post-handshake handshake messages. [jsing, 2019-11-17, files: 1, lines: -1/+5]
  Discussed at length with beck@ ok beck@ tb@
* Add the initial framework for the TLSv1.3 server. [jsing, 2019-11-17, files: 1, lines: -1/+2]
  ok beck@
* Separate the callbacks for received and completed post handshake messages [beck, 2019-11-17, files: 1, lines: -3/+5]
  from the record layer ok jsing@
* By design, our state machine is a DAG contrary to the state machine in [tb, 2019-04-05, files: 1, lines: -1/+3]
  the spec. To avoid the obvious loop in the RFC's state machine, we added a CLIENT_HELLO_RETRY state which is a second ClientHello with special rules. There is, however, no state to react to this second client hello. This adds a matching SERVER_HELLO_RETRY state to the handshakes table. This means in particular that the WITH_HRR state cannot be set in tls13_server_hello_recv(), so remove this now dead check. ok jsing
* Implement legacy fallback for the TLS 1.3 client. [jsing, 2019-04-04, files: 1, lines: -1/+2]
  If the Server Hello received indicates that the server did not negotiate TLS 1.3, fall back to the original TLS client implementation. ok bcook@, tb@
* Remove the alert level from the TLSv1.3 alert callback. [jsing, 2019-03-17, files: 1, lines: -3/+2]
  In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback. ok tb@
* Automatically complete the handshake from tls13_legacy_{read,write}_bytes() [jsing, 2019-02-28, files: 1, lines: -1/+2]
  If the TLS handshake has not been completed, automatically complete the handshake as part of the read/write call, implementing the current SSL_read()/SSL_write() behaviour. Once the TLS handshake is completed we push a WANT_POLLIN or WANT_POLLOUT back up to the caller, since some applications appear to incorrectly call SSL_read() or SSL_write(), rather than repeating the previous call. This can lead to attempts to read data that does not exist, since the WANT_POLLIN was actually triggered as part of the handshake. ok inoguchi@ tb@
* Fix gcc3 compilation error by using a forward declaration instead of a [tb, 2019-02-25, files: 1, lines: -3/+3]
  repeated typedef. Found the hard way by aoyama who also tested the fix. ok jsing
* revert "Move struct ssl_handshake_tls13_st definition", i.e., move [tb, 2019-02-25, files: 1, lines: -23/+2]
  SSL_HANDSHAKE_TLS13 back to ssl_locl.h. discussed with jsing and inoguchi
* Add a handshake action sent handler and use it for client finished. [jsing, 2019-02-25, files: 1, lines: -1/+2]
  The write traffic key needs to be changed to the client application traffic key after the client finished message has been sent. The send handler generates the client finished message, however we cannot switch keys at this stage since the client finished message has not yet been protected by the record layer. ok tb@
* Move struct ssl_handshake_tls13_st definition [inoguchi, 2019-02-25, files: 1, lines: -2/+23]
  This solves build error on luna88k with gcc3. ok aoyama@ jca@ jsing@ tb@
* Change the alert callback return type from int to void. [jsing, 2019-02-21, files: 1, lines: -2/+2]
  There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1. ok tb@
* Split tls13_record_layer_set_traffic_keys() into two separate functions. [jsing, 2019-02-14, files: 1, lines: -3/+5]
  This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake. ok tb@
* Provide a TLS 1.3 capable client method. [jsing, 2019-02-14, files: 1, lines: -1/+2]
  ok tb@
* Provide a reference from the TLSv1.3 context to the handshake state. [jsing, 2019-02-09, files: 1, lines: -1/+4]
  This allows ctx->hs to be used throughout the TLSv1.3 code, rather than S3I(ctx->ssl)->hs_tls13. ok inoguchi@ tb@
* Implement parsing and processing of TLSv1.3 ServerHello messages. [jsing, 2019-02-04, files: 1, lines: -1/+8]
  ok tb@
* Provide the initial TLSv1.3 client implementation. [jsing, 2019-01-21, files: 1, lines: -1/+8]
  Move tls13_connect() to a new tls13_client.c file and provide a legacy wrapper to it, which allocates a struct tls_ctx if necessary. Also move tls13_client_hello_send() to tls13_client.c and actually implement the building of a client hello. ok tb@
* Wire up the handshake message send and recv actions. [jsing, 2019-01-21, files: 1, lines: -1/+4]
  This means that we actually receive and send handshake messages to and from the record layer. ok tb@
* The main handshake loop can be shared between client and server. [jsing, 2019-01-21, files: 1, lines: -1/+3]
  Pull the shared code up into a function and call it from tls13_connect() and tls13_accept() instead of duplicating it. "Yes, please!" tb@
* Provide TLS 1.3 cipher AEAD/hash and legacy I/O handling functions. [jsing, 2019-01-21, files: 1, lines: -1/+11]
  Provide functionality for determining AEADs and hashes for TLS 1.3 ciphers. Also provide wire read/write callbacks that interface with BIO and functions that interface between SSL_read/SSL_write and the TLS 1.3 record layer API. ok tb@
* Move struct tls13_ctx into a header since other things need access to it. [jsing, 2019-01-21, files: 1, lines: -3/+12]
  While here, rename struct handshake to struct handshake_stage to avoid potential ambiguity/conflict with the handshake data struct. Also add forward and back pointers between SSL and struct tls13_ctx. ok tb@
* Provide a handshake message handling implementation for TLS 1.3. [jsing, 2019-01-20, files: 1, lines: -2/+23]
  It receives handshake messages by reading and parsing data from the record layer. It also provides support for building and sending handshake messages. ok tb@
* Provide an initial implementation of the TLS 1.3 record layer. [jsing, 2019-01-20, files: 1, lines: -3/+29]
  This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data(). This currently lacks some functionality, however will be worked on in tree. ok tb@
* Tweak return value handling in the TLSv1.3 handshake code. [jsing, 2019-01-19, files: 1, lines: -2/+3]
  The I/O paths are from the tls13_handshake_send_action() and tls13_handshake_recv_action() functions - both of these need to propagate I/O conditions (EOF, failure, want poll in, want poll out) up the stack, so we need to capture and return values <= 0. Use an I/O condition to indicate successful handshake completion. Also, the various send/recv functions are currently unimplemented, so return 0 (failure) rather than 1 (success). ok tb@
* Expose some symbols in a new tls13_handshake.h for regression testing. [tb, 2019-01-18, files: 1, lines: -7/+1]
  Update the handshake state tables and flag names according to the design decisions and naming conventions in the hackroom. Garbage collect some things that turn out not to belong here. ok jsing
* Provide an extensible buffer implementation that uses a read callback. [jsing, 2019-01-17, files: 1, lines: -1/+20]
  The read callback returns a TLS13_IO_* value on EOF, failure, want pollin or want pollout, or a positive value indicating the number of bytes read. This will be used by upcoming TLSv1.3 handshake message and record processing code, both of which need the ability to read a fixed size header, before extending the buffer to the number of bytes specified in the header. ok beck@ tb@