| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we finish sending a flight of records, flush the record layer output.
This effectively means calling BIO_flush() on the wbio.
Some things (such as apache2) have custom BIOs that perform buffering and
do not actually send on BIO_write(). Without BIO_flush() the server thinks
it has sent data and starts receiving records, however the client never
sends records since it never received those that the server should have
sent.
Joint work with tb@
ok tb@
|
| |
|
|
|
|
| |
succeeding unconditionally. Makes muststaple work with tls1.3 in nc
ok tb@
|
| |
|
|
|
|
|
|
|
| |
The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In order to fail gracefully on encountering a self-signed cert, curl looks
at the top-most error on the stack and needs specific SSL_R_ error codes.
This mechanism was broken when the tls13_alert_sent_cb() was added after
people complained about unhelpful unknown errors. Fix this by only setting
the error code from a fatal alert if no error has been set previously.
Issue reported by Christopher Reid
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are currently three different handshake structs that are in use -
the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct
(as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous
'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp)).
This is the first step towards cleaning up the handshake structs so that
shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2
and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside
SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct
instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code
to access the shared handshake data without needing the SSL struct.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
A parent CBB retains a reference to a child CBB until CBB_flush() or
CBB_cleanup() is called. As such, the cert_exts CBB must be at function
scope.
Reported by Ilya Shipitsin.
ok tb@
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.
Issue reported by nmathewson on github.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
TLS13_ALERT_* defines.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
As abieber@ found the hard way, some python frameworks (twisted, synapse)
thought it a great idea to use the info callback mechanism (designed to
get state information about SSL objects) to modify state information such
as setting and verifying the SNI. The switch of TLS_method() to default
to TLSv1.3 broke these contraptions. Further bits of the info callback
mechanism will likely metastasize throughout the TLSv1.3 stack if we
need them, so we only do what's really necessary now.
Lots of debugging, crucial hint and testing by abieber
input & ok jsing
|
| |
|
|
|
|
|
|
| |
Move is_server and msg_type right after the SSL object so that CBS
and CBB and alert come last. This brings these functions more in
line with other internal functions and separates state from data.
requested by jsing
|
| |
|
|
|
|
|
|
| |
section 4.1.2 to ensure subsequent ClientHello messages after a
HelloRetryRequest messages must be unchanged from the initial
ClientHello.
ok tb@ jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
for the moment that is all we support. fixes an issue where gnuTLS
cares that mistmatching staples come back on the certs in the chain.
This should be fixed correctly later by associating the staple
to the individual certs rather than the ssl, so this is temporary.
running on www@.
ok tb@, "got that's oopy but an interim ok" jsing@
|
| |
|
|
|
|
| |
unindent a bunch of code.
Suggested by jsing
|
| |
|
|
|
|
| |
respectively.
Discussed with jsing
|
| |
|
|
|
|
|
|
|
| |
in the following tls13_handshake_msg_start() call. Add a check.
Stop clobbering the ctx's hs_msg variable, use a local variable
instead.
ok beck jsing
|
| |
|
|
|
|
| |
messages with oscp staples.
ok jsing@ tb@
|
| |
|
|
|
|
|
| |
sending back illegal parameter if our phh key share request type
is not 0 or 1.
ok jsing@ tb@
|
| |
|
|
| |
ok tb@ jsing@
|
| |
|
|
|
|
|
|
| |
Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.
ok tb@
|
| |
|
|
|
|
|
|
| |
This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.
ok beck@
|
| |
|
|
|
|
|
|
|
| |
The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.
ok beck@
|
| |
|
|
|
|
|
| |
This variable is currently overloaded - a value of -1 means that it is
"unset" and any other value is a length.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok jsing@, tb@, inoguchi@
|
| |
|
|
|
|
|
|
| |
The server-side will need to use the same function.
No functional change.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Move all of the TLSv1.3 constants to the top of tls13_lib.c. Also mark
these all as const so that they end up in .rodata rather than .data.
ok tb@
|
| |
|
|
|
|
| |
separate file.
Discussed with beck@ and tb@
|
| |
|
|
|
|
| |
their own CBS as a preparation for upcoming HRR diffs.
ok jsing
|
| |
|
|
|
|
|
|
| |
on the error stack, refrain from pushing an 'unknown' error on the stack.
This should allow libcrypto errors (including bio) to be visible, where we
have nothing better to offer.
ok tb@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
| |
support. Makes openssl s_client -msg work for handshake messages.
ok beck jsing
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
| |
This means that we actually try to process and use signature algorithms.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.
ok jsing@ tb@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
|
|
|
|
| |
Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.
ok beck@ tb@
|
| |
|
|
|
|
|
| |
set by a 1.3 server when it downgrades to tls 1.2 or 1.1 as per
RFC 8446 section 4.1.3
ok jsing@
|
| |
|
|
|
|
| |
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
This avoids every receive handler from having to get the handshake message
content itself. Additionally, pull the trailing data check up so that each
receive handler does not have to implement it. This makes the code more
readable and reduces duplication.
ok beck@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
| |
We currently don't support sending a modified clienthello
ok jsing@ tb@
|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This allows us to indicate that the cause of the failure is unknown, rather
than implying that it was an internal error when it was not.
ok beck@
|
| |
|
|
|
|
|
|
|
| |
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().
ok beck jsing
|
| |
|
|
|
|
|
| |
This is based on the libtls error handling code, but adds machine readable
codes and subcodes. We then map these codes back to libssl error codes.
ok beck@ inoguchi@
|
| |
|
|
|
|
| |
tested against openssl 1.1's server.
ok jsing@ tb@
|
