summaryrefslogtreecommitdiff
path: root/src/lib/libssl/tls13_lib.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Add message callbacks for alerts in the TLSv1.3 stack.jsing2024-01-271-3/+39
| | | | | | | | This will make it easier to regress test shutdown behaviour in the TLSv1.3 stack. Additionally, `openssl -msg` now shows alerts for TLSv1.3 connections. ok tb@
* Make internal header file names consistenttb2022-11-261-2/+2
| | | | | | | | | | | | | | | | Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
* Move tls13_exporter() code.jsing2022-11-071-71/+1
| | | | | | | It makes more sense to have tls13_exporter() in tls13_key_schedule.c, rather than tls13_lib.c ok tb@
* Initial parsing of the NewSessionTicket messagetb2022-10-201-2/+103
| | | | | | | | | | | | | | | | | | | | TLSv1.3 introduces a New Session Ticket post-handshake handshake message that allows a unique association between a ticket value and a pre-shared key derived from the resumption master secret. Servers may send this message arbitrarily often at any time after receiving the client's Finished message. Implement tls13_new_session_ticket_recv() which parses the contents of the NewSessionTicket message into a fresh session derived from the current session so as to avoid modifying sessions that are already in the session cache. This uses tls13_new_session_ticket_recv() in tls13_phh_received_cb(). We currently rely on the general rate limiting of 100 PHH messages per connection and hour to avoid problems from connecting to a misbehaving or malicious server. ok jsing
* Provide TLS13_MAX_TICKET_LIFETIME #definetb2022-10-201-1/+8
| | | | | | | | TLSv1.3 servers must not indicate a lifetime longer than 7 days and clients must not cache sessions for longer than 7 days. Encode this in a macro internal to tls13_lib.c for now. ok jsing
* Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.jsing2022-10-021-8/+8
| | | | | | | | These are no longer necessary due to SSL_CTX and SSL now being fully opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back into SSL. Prompted by tb@
* Provide a version of ssl_msg_callback() that takes a CBS.jsing2022-09-101-3/+3
| | | | | | Use this from the TLSv1.3 code. ok tb@
* Provide record layer callbacks for QUIC.jsing2022-07-241-9/+14
| | | | | | | | | | | | QUIC uses TLS to complete the handshake, however unlike normal TLS it does not use the TLS record layer, rather it provides its own transport. This means that we need to intercept all communication between the TLS handshake and the record layer. This allows TLS handshake message writes to be directed to QUIC, likewise for TLS handshake message reads. Alerts also need to be sent via QUIC, plus it needs to be provided with the traffic keys that are derived by TLS. ok tb@
* Move tls13_phh_done_cb() after tl13_phh_received_cb().jsing2022-07-241-12/+12
| | | | This is the order that they're called/run in.
* Provide QUIC encryption levels.jsing2022-07-241-3/+5
| | | | | | | | | | | | QUIC wants to know what "encryption level" handshake messages should be sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that defines these (of course quictls decided to make this an OSSL_ENCRYPTION_LEVEL typedef, so provide that as well). Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so that they can be used in upcoming commits. ok tb@
* Remove tls_buffer_set_data() and remove/revise callers.jsing2022-07-201-10/+7
| | | | | | | | | | | | | There is no way that tls_buffer_set_data() can currently work in conjunction with tls_buffer_expand(). This fact is currently hidden by the way that PHH works, which reads the same data from the record layer (which it needs to do anyway, since we may not have all of the handshake message in a single record). Since this is broken, mop it up and change the PHH callback to not provide the record data. ok beck@ tb@
* Correct server-side handling of TLSv1.3 key updates.jsing2022-07-201-20/+30
| | | | | | | | The existing code updates the correct secret, however then sets it for the wrong direction. Fix this, while untangling the code and consistenly using 'read' and 'write' rather than 'local' and 'peer'. ok beck@ tb@
* Disable TLSv1.3 middlebox compatibility mode for QUIC connections.jsing2022-07-171-2/+3
| | | | | | This is required by RFC 9001. ok tb@
* Pass SSL pointer to tls13_ctx_new().jsing2022-07-171-2/+6
| | | | | | | | struct tls13_ctx already knows about SSL's and this way tls13_ctx_new() can set up various pointers, rather than duplicating this in tls13_legacy_accept() and tls13_legacy_connect(). ok tb@
* Bye bye S3I.jsing2022-02-051-3/+3
| | | | | | | | S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed. ok inoguchi@ tb@
* Implement flushing for TLSv1.3 handshakes.jsing2021-09-161-1/+2
| | | | | | | | | | | | | | | When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio. Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent. Joint work with tb@ ok tb@
* Call the ocsp callback if present and we get no response, instead ofbeck2021-09-021-3/+2
| | | | | | succeeding unconditionally. Makes muststaple work with tls1.3 in nc ok tb@
* Clean up and simplify info and msg callbacks.jsing2021-08-301-10/+4
| | | | | | | | | The info and msg callbacks result in duplication - both for code that refers to the function pointers and for the call sites. Avoid this by providing typedefs for the function pointers and pulling the calling sequences into their own functions. ok inoguchi@ tb@
* Avoid clobbering the error code when sending an alerttb2021-04-071-2/+3
| | | | | | | | | | | | In order to fail gracefully on encountering a self-signed cert, curl looks at the top-most error on the stack and needs specific SSL_R_ error codes. This mechanism was broken when the tls13_alert_sent_cb() was added after people complained about unhelpful unknown errors. Fix this by only setting the error code from a fatal alert if no error has been set previously. Issue reported by Christopher Reid ok jsing
* Move the TLSv1.3 handshake struct inside the shared handshake struct.jsing2021-03-211-22/+22
| | | | | | | | | | | | | | | | There are currently three different handshake structs that are in use - the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct (as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous 'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp)). This is the first step towards cleaning up the handshake structs so that shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2 and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code to access the shared handshake data without needing the SSL struct. ok inoguchi@ tb@
* Avoid a use-after-scope in tls13_cert_add().jsing2021-03-211-4/+3
| | | | | | | | | | A parent CBB retains a reference to a child CBB until CBB_flush() or CBB_cleanup() is called. As such, the cert_exts CBB must be at function scope. Reported by Ilya Shipitsin. ok tb@
* Convert tls13_exporter() to tls13_secret_{init,cleanup}()tb2021-01-051-8/+5
| | | | ok jsing
* Implement exporter for TLSv1.3.jsing2020-11-161-1/+73
| | | | | | | | | This implements the key material exporter for TLSv1.3, as defined in RFC8446 section 7.5. Issue reported by nmathewson on github. ok inoguchi@ tb@
* Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them withjsing2020-09-111-3/+3
| | | | | | TLS13_ALERT_* defines. ok beck@ tb@
* Add minimal info callback support for TLSv1.3tb2020-07-301-1/+15
| | | | | | | | | | | | | | As abieber@ found the hard way, some python frameworks (twisted, synapse) thought it a great idea to use the info callback mechanism (designed to get state information about SSL objects) to modify state information such as setting and verifying the SNI. The switch of TLS_method() to default to TLSv1.3 broke these contraptions. Further bits of the info callback mechanism will likely metastasize throughout the TLSv1.3 stack if we need them, so we only do what's really necessary now. Lots of debugging, crucial hint and testing by abieber input & ok jsing
* Improve argument order for the internal tlsext APItb2020-07-031-3/+3
| | | | | | | | Move is_server and msg_type right after the SSL object so that CBS and CBB and alert come last. This brings these functions more in line with other internal functions and separates state from data. requested by jsing
* Implement a rolling hash of the ClientHello message, Enforce RFC 8446beck2020-06-061-1/+80
| | | | | | | | section 4.1.2 to ensure subsequent ClientHello messages after a HelloRetryRequest messages must be unchanged from the initial ClientHello. ok tb@ jsing@
* Ensure we only attach an ocsp staple to a leaf certificate, becausebeck2020-05-221-3/+9
| | | | | | | | | | | | for the moment that is all we support. fixes an issue where gnuTLS cares that mistmatching staples come back on the certs in the chain. This should be fixed correctly later by associating the staple to the individual certs rather than the ssl, so this is temporary. running on www@. ok tb@, "got that's oopy but an interim ok" jsing@
* Simplify: transform a dangling else into an early return andtb2020-05-211-20/+20
| | | | | | unindent a bunch of code. Suggested by jsing
* Avoid a shadowing issue by renaming cbs and cbb to cbb_hs and cbb_hs,tb2020-05-211-8/+7
| | | | | | respectively. Discussed with jsing
* A failure of tls13_handshake_msg_new() could lead to a NULL dereftb2020-05-211-11/+15
| | | | | | | | | in the following tls13_handshake_msg_start() call. Add a check. Stop clobbering the ctx's hs_msg variable, use a local variable instead. ok beck jsing
* Add support for TLS 1.3 server to send certificate statusbeck2020-05-191-6/+6
| | | | | | messages with oscp staples. ok jsing@ tb@
* Send alerts back correctly when handling key shares, includingbeck2020-05-171-8/+19
| | | | | | | sending back illegal parameter if our phh key share request type is not 0 or 1. ok jsing@ tb@
* Free handshake message correctly, noticed by tb@beck2020-05-171-2/+2
| | | | ok tb@ jsing@
* Provide an alert sent record layer callback.jsing2020-05-111-3/+21
| | | | | | | | Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error. ok tb@
* Move the record layer callbacks into a struct.jsing2020-05-111-4/+10
| | | | | | | | This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering. ok beck@ inoguchi@ tb@
* Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.jsing2020-05-101-6/+6
| | | | | | | | Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3. ok beck@
* Use size_t for OCSP response length.jsing2020-05-101-2/+2
| | | | | | | | | The OCSP response length is currently an integer, which is overloaded with -1 meaning "unset". Use a size_t for the OCSP response length and infer unset from the OCSP response being NULL. This makes code more readable, simpler and less error prone. ok beck@
* Correct tlsext_ocsp_resplen check.jsing2020-05-101-2/+2
| | | | | | | This variable is currently overloaded - a value of -1 means that it is "unset" and any other value is a length. ok tb@
* Add a middlebox_compat flag and condition session ID randomisation on it.jsing2020-05-091-1/+3
| | | | ok tb@
* Add support for certificate status requests in TLS 1.3 clientbeck2020-05-091-1/+29
| | | | ok jsing@, tb@, inoguchi@
* Rename tls13_client_synthetic_handshake_message() and move to tls13_lib.c.jsing2020-04-281-1/+44
| | | | | | | | The server-side will need to use the same function. No functional change. ok inoguchi@ tb@
* Consolidate TLSv1.3 constants.jsing2020-04-211-23/+39
| | | | | | | Move all of the TLSv1.3 constants to the top of tls13_lib.c. Also mark these all as const so that they end up in .rodata rather than .data. ok tb@
* Move the TLSv1.3 code that interfaces with the legacy APIs/stack into ajsing2020-02-151-308/+1
| | | | | | separate file. Discussed with beck@ and tb@
* Rework tls13_legacy_handshake_message_{recv,sent}_cb() to usetb2020-02-051-11/+17
| | | | | | their own CBS as a preparation for upcoming HRR diffs. ok jsing
* If the TLSv1.3 code has not recorded an error and something already existsjsing2020-01-291-1/+5
| | | | | | | | on the error stack, refrain from pushing an 'unknown' error on the stack. This should allow libcrypto errors (including bio) to be visible, where we have nothing better to offer. ok tb@
* Move pad and verify context into tls13_lib.cbeck2020-01-261-1/+44
| | | | ok jsing@
* Support legacy message callbacks. First step for SSL_set_msg_callback(3)tb2020-01-251-1/+28
| | | | | | support. Makes openssl s_client -msg work for handshake messages. ok beck jsing
* Permit 0 length writes, because openssl s_client is specialbeck2020-01-241-2/+2
| | | | ok jsing@
* Enable SSL_ENC_FLAG_SIGALGS on TLSv1_3_enc_data.jsing2020-01-241-2/+2
| | | | | | This means that we actually try to process and use signature algorithms. ok beck@ tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-17 12:22:15 +0000