| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
This is a small refactoring that wraps a direct call to the record layer's
alert_sent() callback into a handler for upcoming reuse in the QUIC code.
No functional change.
ok jsing
|
| |
|
|
|
|
|
|
| |
This will make it easier to regress test shutdown behaviour in the TLSv1.3
stack. Additionally, `openssl -msg` now shows alerts for TLSv1.3
connections.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
This converts the legacy TLS stack to tls_content - records are now
opened into a tls_content structure, rather than being written back into
the same buffer that the sealed record was read into.
This will allow for further clean up of the legacy record layer.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
QUIC uses TLS to complete the handshake, however unlike normal TLS it does
not use the TLS record layer, rather it provides its own transport. This
means that we need to intercept all communication between the TLS handshake
and the record layer. This allows TLS handshake message writes to be
directed to QUIC, likewise for TLS handshake message reads. Alerts also
need to be sent via QUIC, plus it needs to be provided with the traffic
keys that are derived by TLS.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
QUIC wants to know what "encryption level" handshake messages should be
sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that
defines these (of course quictls decided to make this an
OSSL_ENCRYPTION_LEVEL typedef, so provide that as well).
Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so
that they can be used in upcoming commits.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
There is no way that tls_buffer_set_data() can currently work in
conjunction with tls_buffer_expand(). This fact is currently hidden by the
way that PHH works, which reads the same data from the record layer (which
it needs to do anyway, since we may not have all of the handshake message
in a single record).
Since this is broken, mop it up and change the PHH callback to not provide
the record data.
ok beck@ tb@
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
This brings the code more in line with the tls12_record_layer and reduces
the effort needed to make EVP_AEAD_CTX opaque.
Prompted by and ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we finish sending a flight of records, flush the record layer output.
This effectively means calling BIO_flush() on the wbio.
Some things (such as apache2) have custom BIOs that perform buffering and
do not actually send on BIO_write(). Without BIO_flush() the server thinks
it has sent data and starts receiving records, however the client never
sends records since it never received those that the server should have
sent.
Joint work with tb@
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently, the plaintext content from opened TLS records is handled via
the rbuf code in the TLSv1.3 record layer. Factor this out and provide a
separate struct tls_content, which knows how to track and manipulate the
content.
This makes the TLSv1.3 code cleaner, however it will also soon also be used
to untangle parts of the legacy record layer.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
On receiving the first flight from the peer, we do not yet know if
we are using TLSv1.3. In particular, we might get an alert record
with record version 0x0300 from a pre-TLSv1.2 peer in response to
our client hello. Ignore the record version instead of sending a
protocol version alert in that situtation. This may also be hit
when talking to a LibreSSL 3.3 server with an illegal SNI.
Part of an issue reported by danj.
ok jsing
|
| | |
|
| |
|
|
|
| |
Consistently include local headers in the same location, using the same
grouping/sorting across all files.
|
| |
|
|
|
|
|
|
| |
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while
it is not currently necessary from a functionality perspective, it makes
for more readable and simpler code.
ok inoguchi@ tb@
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
order of the struct members for reviewability.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
httpd(8)'s incorrect tls_close() after closing the underlying socket
led to a leak: tls_close()'s attempt to send out the close_notify won't
work very well over a closed pipe. This resulted in alert_data still
hanging off the TLSv1.3 context's record layer struct. The tls_free()
call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it
as well. This diff makes -current httpd(8) run in constant memory over
hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
| | |
|
| |
|
|
|
|
|
| |
This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.
Requested by tb@
|
| |
|
|
|
|
| |
TLS13_ALERT_* defines.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.
ok tb@
|
| |
|
|
|
|
|
|
| |
If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.
ok inoguchi jsing
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
|
|
|
|
| |
own recv function. This simplifies tls13_recod_layer_read_internal()
greatly and makes the phh handling easier to reason about since the
code is no longer glued to the right hand edge of the terminal.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
| |
|
|
|
|
|
|
| |
In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.
ok tb@
|
| |
|
|
| |
Reminded by and ok beck@
|
| |
|
|
|
|
|
|
|
|
|
| |
In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
| | |
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.
ok tb@
|
| |
|
|
|
|
|
|
| |
This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.
ok beck@
|
| |
|
|
|
|
|
|
| |
When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
We might remove static again for further regress around record layer
in the future.
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
| |
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.
ok jsing
|
| |
|
|
| |
Fix proposed by tb@
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
| |
traffic retries when not yet encrypting.
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
new retry conditions from the record layer all the way up to the
callers. Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.
ok jsing@ tb@
|
