path: root/src/lib/libssl/tls13_lib.c
* This is errata/6.8/013_libressl.patch.sig (tag: libressl-v3.2.4) (tb, 2021-02-03; 1 file, -1/+73)
  Various interoperability issues and memory leaks were discovered in libcrypto and libssl. The new verifier is not bug compatible with the old verifier and caused many issues by failing to propagate errors correctly, returning different error codes than some software was trained to expect and otherwise failing when it shouldn't. While much of this is fixed in -current, it's still not perfect, so switching back to the legacy verifier is preferable at this point.
  Other included fixes:
    * Unbreak DTLS retransmissions for flights that include a CCS
    * Only check BIO_should_read() on read and BIO_should_write() on write
    * Implement autochain for the TLSv1.3 server
    * Use the legacy verifier for AUTO_CHAIN
    * Implement exporter for TLSv1.3
    * Free alert_data and phh_data in tls13_record_layer_free()
    * Plug leak in x509_verify_chain_dup()
    * Free the policy tree in x509_vfy_check_policy()
  Original commits by jsing and tb
  ok inoguchi jsing
* Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines. (jsing, 2020-09-11; 1 file, -3/+3)
  ok beck@ tb@
* Add minimal info callback support for TLSv1.3 (tb, 2020-07-30; 1 file, -1/+15)
  As abieber@ found the hard way, some python frameworks (twisted, synapse) thought it a great idea to use the info callback mechanism (designed to get state information about SSL objects) to modify state information such as setting and verifying the SNI. The switch of TLS_method() to default to TLSv1.3 broke these contraptions. Further bits of the info callback mechanism will likely metastasize throughout the TLSv1.3 stack if we need them, so we only do what's really necessary now.
  Lots of debugging, crucial hint and testing by abieber
  input & ok jsing
* Improve argument order for the internal tlsext API (tb, 2020-07-03; 1 file, -3/+3)
  Move is_server and msg_type right after the SSL object so that CBS and CBB and alert come last. This brings these functions more in line with other internal functions and separates state from data.
  requested by jsing
* Implement a rolling hash of the ClientHello message, enforce RFC 8446 section 4.1.2 to ensure subsequent ClientHello messages after a HelloRetryRequest message must be unchanged from the initial ClientHello. (beck, 2020-06-06; 1 file, -1/+80)
  ok tb@ jsing@
* Ensure we only attach an ocsp staple to a leaf certificate, because for the moment that is all we support. (beck, 2020-05-22; 1 file, -3/+9)
  Fixes an issue where gnuTLS cares that mismatching staples come back on the certs in the chain. This should be fixed correctly later by associating the staple to the individual certs rather than the ssl, so this is temporary. Running on www@.
  ok tb@, "got that's oopy but an interim ok" jsing@
* Simplify: transform a dangling else into an early return and unindent a bunch of code. (tb, 2020-05-21; 1 file, -20/+20)
  Suggested by jsing
* Avoid a shadowing issue by renaming cbs and cbb to cbb_hs and cbb_hs, respectively. (tb, 2020-05-21; 1 file, -8/+7)
  Discussed with jsing
* A failure of tls13_handshake_msg_new() could lead to a NULL deref in the following tls13_handshake_msg_start() call. (tb, 2020-05-21; 1 file, -11/+15)
  Add a check. Stop clobbering the ctx's hs_msg variable, use a local variable instead.
  ok beck jsing
* Add support for TLS 1.3 server to send certificate status messages with ocsp staples. (beck, 2020-05-19; 1 file, -6/+6)
  ok jsing@ tb@
* Send alerts back correctly when handling key shares, including sending back illegal parameter if our phh key share request type is not 0 or 1. (beck, 2020-05-17; 1 file, -8/+19)
  ok jsing@ tb@
* Free handshake message correctly, noticed by tb@ (beck, 2020-05-17; 1 file, -2/+2)
  ok tb@ jsing@
* Provide an alert sent record layer callback. (jsing, 2020-05-11; 1 file, -3/+21)
  Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
  ok tb@
* Move the record layer callbacks into a struct. (jsing, 2020-05-11; 1 file, -4/+10)
  This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
  ok beck@ inoguchi@ tb@
* Provide alert defines for TLSv1.3 and use in the TLSv1.3 code. (jsing, 2020-05-10; 1 file, -6/+6)
  Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
  ok beck@
* Use size_t for OCSP response length. (jsing, 2020-05-10; 1 file, -2/+2)
  The OCSP response length is currently an integer, which is overloaded with -1 meaning "unset". Use a size_t for the OCSP response length and infer unset from the OCSP response being NULL. This makes code more readable, simpler and less error prone.
  ok beck@
* Correct tlsext_ocsp_resplen check. (jsing, 2020-05-10; 1 file, -2/+2)
  This variable is currently overloaded - a value of -1 means that it is "unset" and any other value is a length.
  ok tb@
* Add a middlebox_compat flag and condition session ID randomisation on it. (jsing, 2020-05-09; 1 file, -1/+3)
  ok tb@
* Add support for certificate status requests in TLS 1.3 client (beck, 2020-05-09; 1 file, -1/+29)
  ok jsing@, tb@, inoguchi@
* Rename tls13_client_synthetic_handshake_message() and move to tls13_lib.c. (jsing, 2020-04-28; 1 file, -1/+44)
  The server-side will need to use the same function. No functional change.
  ok inoguchi@ tb@
* Consolidate TLSv1.3 constants. (jsing, 2020-04-21; 1 file, -23/+39)
  Move all of the TLSv1.3 constants to the top of tls13_lib.c. Also mark these all as const so that they end up in .rodata rather than .data.
  ok tb@
* Move the TLSv1.3 code that interfaces with the legacy APIs/stack into a separate file. (jsing, 2020-02-15; 1 file, -308/+1)
  Discussed with beck@ and tb@
* Rework tls13_legacy_handshake_message_{recv,sent}_cb() to use their own CBS as a preparation for upcoming HRR diffs. (tb, 2020-02-05; 1 file, -11/+17)
  ok jsing
* If the TLSv1.3 code has not recorded an error and something already exists on the error stack, refrain from pushing an 'unknown' error on the stack. (jsing, 2020-01-29; 1 file, -1/+5)
  This should allow libcrypto errors (including bio) to be visible, where we have nothing better to offer.
  ok tb@
* Move pad and verify context into tls13_lib.c (beck, 2020-01-26; 1 file, -1/+44)
  ok jsing@
* Support legacy message callbacks. First step for SSL_set_msg_callback(3) support. (tb, 2020-01-25; 1 file, -1/+28)
  Makes openssl s_client -msg work for handshake messages.
  ok beck jsing
* Permit 0 length writes, because openssl s_client is special (beck, 2020-01-24; 1 file, -2/+2)
  ok jsing@
* Enable SSL_ENC_FLAG_SIGALGS on TLSv1_3_enc_data. (jsing, 2020-01-24; 1 file, -2/+2)
  This means that we actually try to process and use signature algorithms.
  ok beck@ tb@
* Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. (beck, 2020-01-24; 1 file, -1/+5)
  Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
  ok jsing@ tb@
* Implement client hello processing in the TLSv1.3 server. (jsing, 2020-01-23; 1 file, -1/+4)
  ok beck@
* Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher(). (jsing, 2020-01-23; 1 file, -1/+6)
  Currently, TLSv1.3 cipher suites are filtered out by the fact that they have authentication and key exchange algorithms that are not being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher() works for TLSv1.3, however we also now need to ensure that we filter out TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.
  ok beck@ tb@
* Add checking in the client to check the magic values which are set by a 1.3 server when it downgrades to tls 1.2 or 1.1 as per RFC 8446 section 4.1.3 (beck, 2020-01-23; 1 file, -1/+9)
  ok jsing@
* Implement pending for TLSv1.3. (jsing, 2020-01-23; 1 file, -1/+17)
  Makes `openssl s_client -peekaboo` work with TLSv1.3.
  ok beck@ tb@
* Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert. (jsing, 2020-01-23; 1 file, -3/+10)
  Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
  ok beck@ tb@
* Pass a handshake message content CBS to TLSv1.3 receive handlers. (jsing, 2020-01-22; 1 file, -1/+4)
  This avoids every receive handler from having to get the handshake message content itself. Additionally, pull the trailing data check up so that each receive handler does not have to implement it. This makes the code more readable and reduces duplication.
  ok beck@ tb@
* Implement support for SSL_peek() in the TLSv1.3 record layer. (jsing, 2020-01-22; 1 file, -8/+6)
  ok beck@ tb@
* Don't add an extra unknown error if we got a fatal alert (beck, 2020-01-22; 1 file, -2/+3)
  ok jsing@
* Add minimal support for hello retry request for RFC conformance. (beck, 2020-01-22; 1 file, -1/+4)
  We currently don't support sending a modified clienthello.
  ok jsing@ tb@
* Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client. (jsing, 2020-01-22; 1 file, -1/+51)
  ok beck@ inoguchi@ tb@
* Provide SSL_R_UNKNOWN. (jsing, 2020-01-21; 1 file, -2/+2)
  This allows us to indicate that the cause of the failure is unknown, rather than implying that it was an internal error when it was not.
  ok beck@
* Clear and free the tls13_ctx that hangs off an SSL *s from SSL_{clear,free}(3). (tb, 2020-01-21; 1 file, -1/+2)
  Make sure the handshake context is cleaned up completely: the hs_tls13 reacharound is taken care of by ssl3_{clear,free}(3). Add a missing tls13_handshake_msg_free() call to tls13_ctx_free().
  ok beck jsing
* Provide an error framework for use with the TLSv1.3 code. (jsing, 2020-01-20; 1 file, -4/+19)
  This is based on the libtls error handling code, but adds machine readable codes and subcodes. We then map these codes back to libssl error codes.
  ok beck@ inoguchi@
* Add support for TLS 1.3 post handshake messages and key updating. (beck, 2019-11-26; 1 file, -3/+147)
  Tested against openssl 1.1's server.
  ok jsing@ tb@
* Separate the callbacks for received and completed post handshake messages from the record layer (beck, 2019-11-17; 1 file, -2/+2)
  ok jsing@
* Remove the alert level from the TLSv1.3 alert callback. (jsing, 2019-03-17; 1 file, -2/+2)
  In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
  ok tb@
* Don't index a void pointer, fixes compilation with visual studio. (millert, 2019-03-04; 1 file, -2/+3)
  Gcc/clang will treat void * as char * but this is non-standard.
  OK deraadt@ jsing@ inoguchi@
* Implement non-SSL_MODE_ENABLE_PARTIAL_WRITE in tls13_legacy_write_bytes(). (jsing, 2019-02-28; 1 file, -3/+34)
  In non-SSL_MODE_ENABLE_PARTIAL_WRITE mode we have to write out all the things and only return success once all of the data has been sent.
  ok inoguchi@ tb@
* Automatically complete the handshake from tls13_legacy_{read,write}_bytes() (jsing, 2019-02-28; 1 file, -1/+13)
  If the TLS handshake has not been completed, automatically complete the handshake as part of the read/write call, implementing the current SSL_read()/SSL_write() behaviour.
  Once the TLS handshake is completed we push a WANT_POLLIN or WANT_POLLOUT back up to the caller, since some applications appear to incorrectly call SSL_read() or SSL_write(), rather than repeating the previous call. This can lead to attempts to read data that does not exist, since the WANT_POLLIN was actually triggered as part of the handshake.
  ok inoguchi@ tb@
* Add appropriate length checks to tls13_legacy_{read,write}_bytes() (jsing, 2019-02-28; 1 file, -3/+9)
  ok inoguchi@ tb@
* Correctly propagate EOF from BIO in tls13_legacy_wire_read(). (jsing, 2019-02-26; 1 file, -1/+3)
  ok tb@