Commit messages:

- ...

- ok beck@

- Currently, TLSv1.3 cipher suites are filtered out by the fact that they have authentication and key exchange algorithms that are not being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher() works for TLSv1.3, however we also now need to ensure that we filter out TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.
  ok beck@ tb@

- set by a 1.3 server when it downgrades to tls 1.2 or 1.1 as per RFC 8446 section 4.1.3
  ok jsing@

- Makes `openssl s_client -peekaboo` work with TLSv1.3.
  ok beck@ tb@

- we sent or received a fatal alert. Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
  ok beck@ tb@

- This avoids every receive handler having to get the handshake message content itself. Additionally, pull the trailing data check up so that each receive handler does not have to implement it. This makes the code more readable and reduces duplication.
  ok beck@ tb@

- ok beck@ tb@

- ok jsing@

- We currently don't support sending a modified clienthello.
  ok jsing@ tb@

- ok beck@ inoguchi@ tb@

- This allows us to indicate that the cause of the failure is unknown, rather than implying that it was an internal error when it was not.
  ok beck@

- SSL_{clear,free}(3). Make sure the handshake context is cleaned up completely: the hs_tls13 reacharound is taken care of by ssl3_{clear,free}(3). Add a missing tls13_handshake_msg_free() call to tls13_ctx_free().
  ok beck jsing

- This is based on the libtls error handling code, but adds machine readable codes and subcodes. We then map these codes back to libssl error codes.
  ok beck@ inoguchi@

- tested against openssl 1.1's server.
  ok jsing@ tb@

- from the record layer
  ok jsing@

- In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
  ok tb@

- Gcc/clang will treat void * as char * but this is non-standard.
  OK deraadt@ jsing@ inoguchi@

- In non-SSL_MODE_ENABLE_PARTIAL_WRITE mode we have to write out all the things and only return success once all of the data has been sent.
  ok inoguchi@ tb@

- If the TLS handshake has not been completed, automatically complete the handshake as part of the read/write call, implementing the current SSL_read()/SSL_write() behaviour. Once the TLS handshake is completed we push a WANT_POLLIN or WANT_POLLOUT back up to the caller, since some applications appear to incorrectly call SSL_read() or SSL_write(), rather than repeating the previous call. This can lead to attempts to read data that does not exist, since the WANT_POLLIN was actually triggered as part of the handshake.
  ok inoguchi@ tb@

- ok inoguchi@ tb@

- ok tb@

- In most cases a TLS13_IO_WANT_POLLIN or TLS13_IO_WANT_POLLOUT will have bubbled up from the wire callbacks, in which case the BIO retry flag will already be set. However, if we return TLS13_IO_WANT_POLLIN or TLS13_IO_WANT_POLLOUT from a higher layer the BIO retry flag will not be set and that will cause SSL_get_error() to return SSL_ERROR_SYSCALL rather than the intended SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.
  ok beck@ tb@

- In TLSv1.3 there are two types of alerts: "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
  ok tb@

- Move tls13_connect() to a new tls13_client.c file and provide a legacy wrapper to it, which allocates a struct tls_ctx if necessary. Also move tls13_client_hello_send() to tls13_client.c and actually implement the building of a client hello.
  ok tb@

- Provide functionality for determining AEADs and hashes for TLS 1.3 ciphers. Also provide wire read/write callbacks that interface with BIO and functions that interface between SSL_read/SSL_write and the TLS 1.3 record layer API.
  ok tb@