summaryrefslogtreecommitdiff
path: root/src/lib/libssl/tls13_server.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Use cipher suite values instead of IDs.jsing2024-07-221-2/+2
| | | | | | | | | | | | | | | | OpenSSL has had the concept of cipher IDs, which were a way of working around overlapping cipher suite values between SSLv2 and SSLv3. Given that we no longer have to deal with this issue, replace the use of IDs with cipher suite values. In particular, this means that we can stop mapping back and forth between the two, simplifying things considerably. While here, remove the 'valid' member of the SSL_CIPHER. The ssl3_ciphers[] table is no longer mutable, meaning that ciphers cannot be disabled at runtime (and we have `#if 0' if we want to do it at compile time). Clean up the comments and add/update RFC references for cipher suites. ok tb@
* Remove cipher from SSL_SESSION.jsing2024-07-201-2/+2
| | | | | | | | | | | | | | | | For a long time SSL_SESSION has had both a cipher ID and a pointer to an SSL_CIPHER (and not both are guaranteed to be populated). There is also a pointer to an SSL_CIPHER in the SSL_HANDSHAKE that denotes the cipher being used for this connection. Some code has been using the cipher from SSL_SESSION and some code has been using the cipher from SSL_HANDSHAKE. Remove cipher from SSL_SESSION and use the version in SSL_HANDSHAKE everywhere. If resuming from a session then we need to use the SSL_SESSION cipher ID to set the SSL_HANDSHAKE cipher. And we still need to ensure that we update the cipher ID in the SSL_SESSION whenever the SSL_HANDSHAKE cipher changes (this only occurs in a few places). ok tb@
* Move client ciphers from SSL_SESSION to SSL_HANDSHAKE.jsing2024-07-191-3/+3
| | | | | | | | SSL_SESSION has a 'ciphers' member which contains a list of ciphers that were advertised by the client. Move this from SSL_SESSION to SSL_HANDSHAKE and rename it to match reality. ok tb@
* Convert EVP_Digest{Sign,Verify}* to one-shot for TLSv1.3tb2023-06-101-11/+5
| | | | | | | Using one-shot EVP_DigestSign() and EVP_DigestVerify() is slightly shorter and is needed for Ed25519 support. ok jsing
* Make internal header file names consistenttb2022-11-261-2/+2
| | | | | | | | | | | | | | | | Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
* Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.jsing2022-10-021-3/+3
| | | | | | | | These are no longer necessary due to SSL_CTX and SSL now being fully opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back into SSL. Prompted by tb@
* Allow TLSv1.3 clients to send CCS without middlebox compatibility mode.jsing2022-09-171-4/+2
| | | | | | | | | | | | | | | | | While RFC 8446 is clear about what legacy session identifiers can be sent by a TLSv1.3 client and how middlebox compatibility mode is requested, it is delightfully vague about the circumstances under which a client is permitted to send CCS messages. While it does not make sense for a client to send CCS messages when they are not requesting middlebox compatibility mode, it is not strictly forbidden by the RFC and at least one (unknown) TLSv1.3 stack has been observed to do this in the wild. Revert part of the previous change and allow clients to send CCS messages, even if they are not requesting middlebox compatibility mode. Found the hard way by florian@ ok tb@
* Be stricter with middlebox compatibility mode in the TLSv1.3 server.jsing2022-09-111-5/+21
| | | | | | | | | | Only allow a TLSv1.3 client to request middlebox compatibility mode if this is permitted. Ensure that the legacy session identifier is either zero length or 32 bytes in length. Additionally, only allow CCS messages on the server side if the client actually requested middlebox compatibility mode. ok tb@
* Deduplicate peer certificate chain processing code.jsing2022-08-171-25/+3
| | | | | | | | | | | | | | Rather than reimplement this in each TLS client and server, deduplicate it into a single function. Furthermore, rather than dealing with the API hazard that is SSL_get_peer_cert_chain() in this code, simply produce two chains - one that has the leaf and one that does not. SSL_get_peer_cert_chain() can then return the appropriate one. This also moves the peer cert chain from the SSL_SESSION to the SSL_HANDSHAKE, which makes more sense since it is not available on resumption. ok tb@
* Provide QUIC encryption levels.jsing2022-07-241-5/+5
| | | | | | | | | | | | QUIC wants to know what "encryption level" handshake messages should be sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that defines these (of course quictls decided to make this an OSSL_ENCRYPTION_LEVEL typedef, so provide that as well). Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so that they can be used in upcoming commits. ok tb@
* Rename uses 'curve' to 'group' and rework tls1 group API.tb2022-07-021-3/+3
| | | | | | | | | | This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent. Based on a suggestion by jsing ok jsing
* Tweak a comment using review feedback from jsingtb2022-06-041-4/+4
|
* Ensure that a client who sent a PSK extension has also sent a PSKtb2022-06-031-4/+9
| | | | | | key exchange mode extension, as required by RFC 8446, 4.2.9. ok jsing
* Cleanup/simplify ssl_cert_type()jsing2022-02-031-2/+2
| | | | | | | | Remove the X509 argument as it is unused - this was passed so that ssl_cert_type() can get the public key from the X509 object if the EVP_PKEY argument is NULL, however this is never the case. ok tb@
* Remove peer_pkeys from SSL_SESSION.jsing2022-01-111-12/+8
| | | | | | | | | | peer_pkeys comes from some world where peers can send multiple certificates - in fact, one of each known type. Since we do not live in such a world, get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2 and TLSv1.3, both clients and servers can only send a single leaf (aka end-entity) certificate). ok inoguchi@ tb@
* Rename 'peer' to 'peer_cert' in SSL_SESSION.jsing2022-01-111-4/+4
| | | | | | | The 'peer' member of SSL_SESSION is the leaf/end-entity certificate provided by our peer. Rename it since 'peer' on its own is unhelpful. ok inoguchi@ tb@
* Merge SESS_CERT into SSL_SESSION.jsing2022-01-081-10/+8
| | | | | | | There is no reason for SESS_CERT to exist - remove it and merge its members into SSL_SESSION for the time being. More clean up to follow. ok inoguchi@ tb@
* Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.jsing2022-01-081-6/+6
| | | | | | | Nearly all structs in libssl start with an SSL_ suffix, rename CERT and CERT_PKEY for consistency. ok inoguchi@ tb@
* Convert legacy server to tls_key_share.jsing2022-01-071-3/+3
| | | | | | | | | | | This requires a few more additions to the DHE key share code - we need to be able to either set the DHE parameters or specify the number of key bits for use with auto DHE parameters. Additionally, we need to be able to serialise the DHE parameters to send to the client. This removes the infamous 'tmp' struct from ssl3_state_internal_st. ok inoguchi@ tb@
* Rename tls13_key_share to tls_key_share.jsing2022-01-051-6/+6
| | | | | | | | | In preparation to use the key share code in both the TLSv1.3 and legacy stacks, rename tls13_key_share to tls_key_share, moving it into the shared handshake struct. Further changes will then allow the legacy stack to make use of the same code for ephemeral key exchange. ok inoguchi@ tb@
* Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack.jsing2021-12-261-3/+6
| | | | | | | | | Due to a wonderful API inconsistency, a client includes the peer's leaf certificate in the stored certificate chain, while a server does not. Found due to a haproxy test failure reported by Ilya Shipitsin. ok tb@
* libssl: stop reaching into the X509 struct and simplify some code bytb2021-10-311-6/+2
| | | | | | using X509_get_key_usage(). ok beck jsing
* Fold SSL_SESSION_INTERNAL back into SSL_SESSION.jsing2021-10-251-6/+6
| | | | ok beck@ tb@
* Provide a way to determine our maximum legacy version.jsing2021-10-231-1/+2
| | | | | | | | | | | | | | With the introduction of TLSv1.3, we need the ability to determine our maximum legacy version and to track our peer's maximum legacy version. This is needed for both the TLS record layer when using TLSv1.3, plus it is needed for RSA key exhange in TLS prior to TLSv1.3, where the maximum legacy version is incorporated in the pre-master secret to avoid downgrade attacks. This unbreaks RSA KEX for the TLS client when the non-version specific method is used with TLSv1.0 or TLSv1.1 (clearly no one does this). ok tb@
* Use X509_STORE_CTX_get0_chain() instead of grabbing the chain directlytb2021-10-231-2/+2
| | | | | | out of the X509_STORE_CTX. ok jsing
* Merge SSL_METHOD_INTERNAL into SSL_METHOD.jsing2021-07-011-3/+3
| | | | | | | Now that SSL_METHOD is opaque and in internal headers, we can remove SSL_METHOD_INTERNAL by merging it back into SSL_METHOD. ok tb@
* Provide a ssl_sigalg_for_peer() function and use in the TLSv1.3 code.jsing2021-06-291-6/+3
| | | | | | | | | | | | Provide an ssl_sigalg_for_peer() function that knows how to figure out which signature algorithm should be used for a peer provided signature, performing appropriate validation to ensure that the peer provided value is suitable for the protocol version and key in use. In the TLSv1.3 code, this replaces the need for separate calls to lookup the sigalg from the peer provided value, then perform validation. ok inoguchi@ tb@
* Move the RSA-PSS check for TLSv1.3 to ssl_sigalg_pkey_ok().jsing2021-06-291-2/+2
| | | | | | | | Also, rather than passing in a check_curve flag, pass in the SSL * and handle version checks internally to ssl_sigalg_pkey_ok(), simplifying the callers. ok inoguchi@ tb@
* Track the sigalgs used by ourselves and our peer.jsing2021-06-271-3/+4
| | | | | | | | | | | Move the sigalg pointer from SSL_HANDSHAKE_TLS13 to SSL_HANDSHAKE, naming it our_sigalg, adding an equivalent peer_sigalg. Adjust the TLSv1.3 code that records our signature algorithm. Add code to record the signature algorithm used by our peer. Needed for upcoming API additions. ok tb@
* Change ssl_sigalgs_from_value() to perform sigalg list selection.jsing2021-06-271-3/+3
| | | | | | | | | Rather that passing in a sigalg list at every call site, pass in the appropriate TLS version and have ssl_sigalgs_from_value() perform the sigalg list selection itself. This allows the sigalg lists to be made internal to the sigalgs code. ok tb@
* Rename ssl_sigalg() to ssl_sigalg_from_value().jsing2021-06-271-3/+3
| | | | | | | This makes the code more self-documenting and avoids the ambiguity between ssl_sigalg the struct and ssl_sigalg the function. ok tb@
* Indent all labels with a single space.jsing2021-06-111-2/+2
| | | | | | This ensures that diff reports the correct function prototype. Prompted by tb@
* TLSv1.3 server: avoid sending alerts in legacy recordstb2021-06-081-3/+4
| | | | | | | | | As soon as we know that we're dealing with a TLSv1.3 client, set the legacy version in the record layer to 0x0303 so that we send alerts with the correct record version. Previously we would send early alerts with a record version of 0x0300. ok jsing
* Make local header inclusion consistent.jsing2021-05-161-2/+1
| | | | | Consistently include local headers in the same location, using the same grouping/sorting across all files.
* Avoid pulling ssl_sigalgs.h in via ssl_locl.h.jsing2021-05-161-1/+2
| | | | | Forward declare struct sigalg in ssl_locl.h and avoid including ssl_sigalgs.h. Explicitly include ssl_sigalgs.h where it is needed.
* Move finished and peer finished to the handshake struct.jsing2021-03-291-8/+6
| | | | | | | | | This moves the finish_md and peer_finish_md from the 'tmp' struct to the handshake struct, renaming to finished and peer_finished in the process. This also allows the remaining S3I(s) references to be removed from the TLSv1.3 client and server. ok inoguchi@ tb@
* Rename new_cipher to cipher.jsing2021-03-241-6/+6
| | | | | | | | This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data. ok inoguchi@ tb@
* Move the TLSv1.3 handshake struct inside the shared handshake struct.jsing2021-03-211-46/+46
| | | | | | | | | | | | | | | | There are currently three different handshake structs that are in use - the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct (as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous 'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp)). This is the first step towards cleaning up the handshake structs so that shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2 and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code to access the shared handshake data without needing the SSL struct. ok inoguchi@ tb@
* Improve internal version handling.jsing2021-03-101-4/+5
| | | | | | | | | | | | | | | | | | Add handshake fields for our minimum TLS version, our maximum TLS version and the TLS version negotiated during the handshake. Initialise our min/max versions at the start of the handshake and leave these unchanged. The negotiated TLS version is set in the client once we receive the ServerHello and in the server at the point we select the highest shared version. Provide an ssl_effective_version() function that returns the negotiated TLS version if known, otherwise our maximum TLS version - this is effectively what is stored in s->version currently. Convert most of the internal code to use one of these three version fields, which greatly simplifies code (especially in the TLS extension handling code). ok tb@
* Only use TLS versions internally (rather than both TLS and DTLS versions).jsing2021-02-251-2/+2
| | | | | | | | | | | | | | DTLS protocol version numbers are the 1's compliment of human readable TLS version numbers, which means that newer versions decrease in value and there is no direct mapping between TLS protocol version numbers and DTLS protocol version numbers. Rather than having to deal with this internally, only use TLS versions internally and map between DTLS and TLS protocol versions when necessary. Rename functions and variables to use 'tls_version' when they contain a TLS version (and never a DTLS version). ok tb@
* Add support for SSL_get_shared_ciphers() in TLSv1.3tb2021-01-091-1/+5
| | | | | | | | | As reported by Steffen Ullrich and bluhm, since enabling TLSv1.3 server some tests fail in t/local/07_sslecho.c of security/p5-Net-SSLeay due to missing support for SSL_get_shared_ciphers(). This fixes the parts related to shared ciphers. ok beck inoguchi jsing
* Rename two local variables ssl to s for consistencytb2021-01-071-7/+7
| | | | | | | | | | | | | In our tls13_* files, we use SSL *s for local variables and SSL *ssl for function arguments. This is odd, but probably the result of finger memory. We intended to use ssl everywhere. Be that as it may, all local variables except in two functions ended up being called s, so align the two outliers with that. As noted by jsing, this is not ideal either as in tls13_legacy_servername_process() the ssl_ctx is now inconsistent. Renaming all s to ssl is a substantial amount of unnecessary churn at a moment that isn't ideal, so we have to live with that. ok bcook inoguchi jsing
* Use tls13_secret_{init,cleanup}() for the finished_keytb2021-01-061-5/+5
| | | | | | | | This trades an array on the stack for a dynamically allocated secret in tls13_{client,server}_finished_send() but has the benefit of wiping out an intermediate secret on function exit. ok jsing
* Use consistent names in tls13_{client,server}_finished_{recv,send}().jsing2021-01-051-6/+6
| | | | | | | | | In tls13_{client,server}_finished_recv() we use verify_data_len, which makes more sense than hmac_len. Use the same name in tls13_{client,server}_finished_send(), keeping things consistent between functions. ok tb@
* Use legacy verifier when building auto chains.jsing2021-01-051-1/+3
| | | | | | | | | | | | | | | | | | The new verifier builds all chains, starting with the shortest possible path. It also does not currently return partial chains. Both of these things conflict with auto chain, where we want to build the longest possible chain (to include all intermediates, and probably the root unnecessarily), as well as using an incomplete chain when a trusted chain is not known. Depending on software configuration, we can end up building a chain consisting only of a leaf certificate, rather than a longer chain. This results in auto chain not including intermediates, which is undesireable. For now, switch auto chain building to use the legacy verifier. This should resolve the issues encountered by ajacoutot@ with sendmail. ok tb@
* Fix SSL_get{,_peer}_finished() with TLSv1.3tb2020-12-141-1/+14
| | | | | | | | | | As reported by Steffen Ullrich and bluhm, the Finished tests in p5-Net-SSLeay's t/local/43_misc_functions.t broke with with TLSv1.3. The reason for this is that we don't copy the MDs over to the SSL, so the API functions can't retrieve them. This commit fixes this part of the test (one unrelated test still fails). ok inoguchi jsing
* typo & punctuation in commenttb2020-11-171-3/+3
|
* Implement auto chain for the TLSv1.3 server.jsing2020-11-111-1/+23
| | | | | | | | | Apparently OpenLDAP relies on this craziness to provide intermediates, rather than specifying the chain directly like a normal TLS server would. Issue noted by sthen@ and Bernard Spil, who both also tested this diff. ok tb@
* Improve argument order for the internal tlsext APItb2020-07-031-5/+5
| | | | | | | | Move is_server and msg_type right after the SSL object so that CBS and CBB and alert come last. This brings these functions more in line with other internal functions and separates state from data. requested by jsing
* Switch the order of the two tests in tls13_client_hello_required_extensionstb2020-06-251-9/+9
| | | | to match the order they are listed in the RFC. No functional change.