summaryrefslogtreecommitdiff
path: root/src/lib/libssl/tls13_server.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.jsing2020-05-101-11/+11
| | | | | | | | Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3. ok beck@
* Back out server side CCS sending. It breaks TLSv1.3 client communicationtb2020-05-091-24/+1
| | | | | | | | with TLSv1.2 servers, since it makes clients send their dummy CCS too early... There's an obvious but dirty bandaid which I can't bring myself to applying - this business is already disgusting enough. Issue found the hard way by sthen
* Send dummy ChangeCipherSpec messages from the TLSv1.3 servertb2020-05-091-1/+24
| | | | | | | | | If the client has requested middle box compatibility mode by sending a non-empty legacy_session_id, the server must send a dummy CCS right after its first handshake message. This means right after ServerHello or HelloRetryRequest. ok jsing
* Make the test for the legacy_compression_method vector in the ClientHellotb2020-05-091-12/+7
| | | | | | | | stricter. Previously, we would accept any vector if it advertised the "null" compression method. RFC 8446 4.1.2 specifies that the only legal vector has length one and contains a zero byte for the null method. ok jsing
* Add support for HelloRetryRequests in the TLSv1.3 server.jsing2020-05-091-8/+41
| | | | ok inoguchi@ tb@
* crazy whitespace on one linetb2020-05-091-2/+2
|
* Refactor tls13_server_hello_sent().jsing2020-05-091-30/+36
| | | | | | | | | Split the record protection engagement code into a separate tls13_server_engage_record_protection() function and call this from tls13_server_hello_sent(). Also move some functions around to keep the logical ordering/grouping. ok inoguchi@ tb@ (as part of a larger diff)
* Move legacy stack interfacing functions into tls13_legacy.c.jsing2020-04-281-95/+4
| | | | | | No functional change. ok inoguchi@ tb@
* Shuffle some functions around.jsing2020-04-271-228/+221
| | | | | | | | | | Move functions so that they are in the order that the TLSv1.3 messages are processed. While here, also move tls13_client_end_of_early_data_send() from tls13_client.c to tls13_server.c. No functional change. ok beck@ tb@
* Switch to NEGOTIATED when using WITHOUT_HRR.jsing2020-04-251-4/+9
| | | | | | | | | | This ensures that we remain in a valid handshake state in the TLSv1.3 server. Ideally we would not switch to NEGOTIATED until after record protection has been enabled, but we'll revisit this later. Issue noted by inoguchi@ ok tb@
* Improve TLSv1.3 state machine for HelloRetryRequest handling.jsing2020-04-221-6/+6
| | | | | | | | | | | | | | | | | | | The state machine currently handles the HelloRetryRequest case by using WITH_HRR - in other words, we're explicitly indicating when we transition to the alternate path. The problem here is that we do not know if we're going to receive a ServerHello or a HelloRetryRequest until we process the message. This means that the ServerHello processing code has to handle both types of messages. The state machine and associated processing code becomes cleaner if we flip this around so that we assume we are going to receive a HelloRetryRequest and upon discovering that it is not, trigger WITHOUT_HRR and hand off to the ServerHello processing function. In particular, this makes the logic much more straight forward on the server side, when adding support for HRR. With feedback from tb@ ok tb@
* Handle TLSv1.3 key shares other than X25519 on the server side.jsing2020-04-211-11/+15
| | | | | | | | Previously we would only select an X25519 key share from the client, ignoring any others. Change this so that we will select the first of the key shares that matches one of our supported groups. ok beck@ inoguchi@ tb@
* Generate client key share using our preferred group.jsing2020-04-171-2/+2
| | | | | | | | Generate a client key share using our preferred group, rather than always using X25519. This means that the key share group can be controlled via SSL{_CTX,}_set1_groups() and SSL{_CTX,}_set1_groups_list(). ok beck@
* Use ctx->hs->secrets rather than the S3I(s) version.jsing2020-03-101-2/+2
| | | | ok inoguchi@ tb@
* Remove some unnecessary handshake enums/functions.jsing2020-03-101-13/+1
| | | | | | | Both session tickets and key updates are post-handshake handshake messages, which were originally included in the handshake code. ok inoguchi@ tb@
* According to RFC 8446, Section 4.4.4, recipients of incorrect Finishedtb2020-02-231-2/+2
| | | | | | | messages must terminate the connection with a decrypt_error alert, so replace the use of the deprecated decryption_failed alert accordingly. ok beck inoguchi jsing
* drop unused include <openssl/curve25519.h>tb2020-02-181-3/+1
| | | | ok inoguchi jsing
* Remove the hello retry request processing code that was previously added.jsing2020-02-051-8/+2
| | | | | | | This got added to the wrong functions (server side, not client) - swap the now unimplemented send/recv functions between client and server. ok tb@
* Free the transcript as soon as we initialise the transcript hash.jsing2020-02-041-1/+2
| | | | | | | | Unlike TLSv1.2 there is only a single hash in use, hence as soon as we know what the hash is and have initialised the transcript hash, we can free the transcript buffers. ok inoguchi@ tb@
* Provide struct/functions for handling TLSv1.3 key shares.jsing2020-01-301-8/+12
| | | | | | | Pull out the key share handling code and provide a clean/self contained interface. This will make it easier to support groups other than X25519. ok beck@ inoguchi@ tb@
* If the TLSv1.3 code has not recorded an error and something already existsjsing2020-01-291-1/+2
| | | | | | | | on the error stack, refrain from pushing an 'unknown' error on the stack. This should allow libcrypto errors (including bio) to be visible, where we have nothing better to offer. ok tb@
* When switching back to a legacy client or server, ensure we reset thejsing2020-01-261-1/+2
| | | | | | | | handshake function pointer. Fixes an isssue found by jca@ with OpenVPN. ok beck@ tb@
* Add server side support for requesting client certificates in tls 1.3beck2020-01-261-4/+173
| | | | ok jsing@
* Add client certificate support for tls 1.3beck2020-01-261-13/+1
| | | | ok jsing@
* Move pad and verify context into tls13_lib.cbeck2020-01-261-46/+5
| | | | ok jsing@
* Complete the initial TLSv1.3 implementation.jsing2020-01-241-12/+296
| | | | ok beck@ tb@
* Store the legacy session identifier from the ClientHello so we can actuallyjsing2020-01-241-1/+10
| | | | | | echo it. ok beck@ tb@
* Switch to encrypted records in the TLSv1.3 server.jsing2020-01-241-2/+74
| | | | | | | This adds code to perform key derivation and set the traffic keys once the ServerHello message has been sent, enabling encrypted records. ok beck@ tb@
* Implement client hello processing in the TLSv1.3 server.jsing2020-01-231-5/+49
| | | | ok beck@
* Correct several issues in the current TLSv1.3 server code.jsing2020-01-231-6/+15
| | | | | | | | | | | | | Correct the parsing of the client hello support versions extension. This has one or more values, rather than just the single selected version. Allocate an SSL_SESSION - this is unused currently, but is needed as soon as we start parsing extensions. Also, pull the cipher suites list off correctly - this is u16 prefixed, not u8. ok beck@
* Implement sending client certificate requests for 1.3 serverbeck2020-01-231-1/+13
| | | | ok jsing@
* Build the encrypted extensions for the 1.3 serverbeck2020-01-231-2/+8
| | | | ok jsing@
* Add code to build and send a server hello for tls 1.3beck2020-01-231-3/+40
| | | | ok jsing@
* Pass a CBB to TLSv1.3 send handlers.jsing2020-01-231-13/+13
| | | | | | | This avoids the need for each send handler to call tls13_handshake_msg_start() and tls13_handshake_msg_finish(). ok beck@ tb@
* Wire up the TLSv1.3 server.jsing2020-01-221-2/+135
| | | | | | | | This currently only has enough code to handle fallback to the legacy TLS stack for TLSv1.2 or earlier, however allows for further development and testing. ok beck@
* Pass a handshake message content CBS to TLSv1.3 receive handlers.jsing2020-01-221-8/+8
| | | | | | | | | This avoids every receive handler from having to get the handshake message content itself. Additionally, pull the trailing data check up so that each receive handler does not have to implement it. This makes the code more readable and reduces duplication. ok beck@ tb@
* After the ClientHello has been sent or received and before the peer'stb2020-01-221-1/+5
| | | | | | | | Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it. ok jsing
* Add minimal support for hello retry request for RFC conformance.beck2020-01-221-8/+1
| | | | | | We currently don't support sending a modified clienthello ok jsing@ tb@
* indent with a tab instead of 8 spacestb2019-11-171-2/+2
|
* Move the TLSv1.3 server message handling stubs.jsing2019-11-171-1/+124
|
* Add the initial framework for the TLSv1.3 server.jsing2019-11-171-0/+79
ok beck@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 06:21:19 +0000