| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
| |
Separate the malloc() check and EVP_DecryptUpdate() - the malloc() failure
is fatal while a EVP_DecryptUpdate() is a decryption failure.
Also ensure that we clear the error stack in all cases where we are
indicating a failure to decrypt or decode the ticket - otherwise
SSL_error() while later return failure when it should not.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Rather than returning from multiple places and trying to clean up as we go,
move to a single exit point and clean/free in one place. Also invert the
logic that handles NULL sessions - fail early, rather than having an
indented if test for success.
ok tb@
|
| |
|
|
|
|
|
|
| |
In the case that X509_NAME_dup() succeeds, but sk_X509_NAME_push()
fails, name is leaked. The entire function is trying to be clever
and therefore hard to follow. Let's do it the stupid but safe way.
ok jsing
|
| |
|
|
|
|
|
| |
SSL_CTX_add_extra_chain_cert(3).
From Dr. Stephen Henson <steve at openssl dot org>
via OpenSSL commit a4339ea3 Jan 3 22:38:03 2014 +0000
which is still under a free license.
|
| |
|
|
|
|
|
| |
From Kurt Roeckx <kurt at roeckx dot be>
via OpenSSL commit 57fd5170 May 13 11:24:11 2018 +0200
which is still under a free license.
While here, polish awkward wording and reduce duplication.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
the spec. To avoid the obvious loop in the RFC's state machine, we added
a CLIENT_HELLO_RETRY state which is a second ClientHello with special
rules. There is, however, no state to react to this second client hello.
This adds a matching SERVER_HELLO_RETRY state to the handshakes table.
This means in particular that the WITH_HRR state cannot be set in
tls13_server_hello_recv(), so remove this now dead check.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
under a free license, omitting functions we don't have and tweaked by me;
the functions were provided by jsing@ in ssl.h rev. 1.166.
While here, also document SSL_CTX_get_extra_chain_certs(3) because
it is closely related to companion functions are already documented
and the API is kind of incomplete without it.
|
| |
|
|
|
|
| |
record_type member of the tls13_handshake_action struct.
ok jsing
|
| |
|
|
|
|
|
| |
If the Server Hello received indicates that the server did not negotiate
TLS 1.3, fallback to the original TLS client implementation.
ok bcook@, tb@
|
| |
|
|
|
|
|
|
|
|
| |
The original implementation allows for libcrypto to be compiled without a
given algorithm and libssl then detects that ciphers or digests are
unavailable so that it can disable the associated cipher suites.
This is unnecessary since we do not compile out algorithms.
ok beck@, tb@ (a while back)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
These allow for chains to be managed on a per-certificate basis rather than
as a single "extra certificates" list. Note that "chain" in this context
does not actually include the leaf certificate however, unlike
SSL_CTX_use_certificate_chain_{file,mem}().
Thanks to sthen@ for running this through a bulk ports build.
ok beck@ tb@
|
| | |
|
| | |
|
| |
|
|
|
| |
checking the curve.
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
- Be consistent with _len naming.
- Use size_t where possible/appropriate.
- Group the CBB code.
- Use EVP_MAX_MD_SIZE consistently, instead of "magic" values.
- Switch GOST to EVP_DigestSign*, making it similar to sigalgs.
ok tb@ a while back.
|
| |
|
|
|
|
| |
These are no longer used now that we defer signature algorithm selection.
ok beck@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).
Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.
Joint work with beck@.
|
| |
|
|
|
|
|
|
|
|
| |
This means that any additional CA certificates end up on the per
certificate chain, rather than the single/shared extra_certs.
Also simplify this code and in particular, avoid setting the return value
to indicate success until we've actually succeeded.
ok beck@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
We will now include the certificates in the chain in the certificate list,
or use the existing extra_certs if present. Failing that we fall back to
the automatic chain building if not disabled.
This also simplifies the code significantly.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
Note that this is not the full chain, as the leaf certificate currently
remains in the x509 member of CERT_PKEY. Unfortunately we've got to
contend with the fact that some OpenSSL *_chain_* APIs exclude the leaf
certificate while others include it...
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Otherwise matching a specific cipher is performed by matching against
its characteristics, which can result in multiple rather than a single
match.
Found by bluhm@'s regress tests.
ok bluhm@ tb@
|
| |
|
|
|
|
| |
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back
|
| |
|
|
|
|
| |
Found by oss-fuzz, fixes issue #13797.
ok beck@ tb@
|
| | |
|
| |
|
|
|
|
|
| |
* correct the description of "unknown"
(the previous are both from OpenSSL 1.1.1, still under a free license)
* add a comment saying that TLS1_get_version() and TLS1_get_client_version()
are intentionally undocumented (reasons provided by jsing@)
|
| |
|
|
| |
Document them.
|
| | |
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
The recv action handler returns success/failure, rather than a TLS13_IO_*
value, which is what tls13_handshake_recv_action() needs to return.
Failure previously mapped to TLS13_IO_EOF, which is not ideal.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.
ok tb@
|
| |
|
|
|
|
|
|
| |
In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.
ok tb@
|
| |
|
|
|
| |
Gcc/clang will treat void * as char * but this is non-standard.
OK deraadt@ jsing@ inoguchi@
|
| |
|
|
|
|
|
| |
In non-SSL_MODE_ENABLE_PARTIAL_WRITE mode we have to write out all the
things and only return success once all of the data has been sent.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the TLS handshake has not been completed, automatically complete the
handshake as part of the read/write call, implementing the current
SSL_read()/SSL_write() behaviour.
Once the TLS handshake is completed we push a WANT_POLLIN or WANT_POLLOUT
back up to the caller, since some applications appear to incorrectly call
SSL_read() or SSL_write(), rather than repeating the previous call. This
can lead to attempts to read data that does not exist, since the
WANT_POLLIN was actually triggered as part of the handshake.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Set the SSL state to SSL_ST_CONNECT during the TLSv1.3 handshake and to
SSL_ST_OK once the handshake completes, since some applications currently
rely on this information to function correctly.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
| |
In the close notify case we need to signal EOF and in the user cancelled
case we need to return WANT_POLLIN. Returning success results in
tls13_record_layer_read_record() thinking that we have record data when
we do not, which then results in the content type check later failing.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
| |
repeated typedef. Found the hard way by aoyama who also tested the fix.
ok jsing
|
| |
|
|
|
|
| |
SSL_HANDSHAKE_TLS13 back to ssl_locl.h.
discussed with jsing and inoguchi
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If the record layer is asked to write more than fits in a plaintext record,
cap the amount at that limit. This means that we will effectively write out
a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE
enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled
at a higher layer.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
The write traffic key needs to be changed to the client application traffic
key after the client finished message has been sent. The send handler
generates the client finished message, however we cannot switch keys at
this stage since the client finished message has not yet been protected
by the record layer.
ok tb@
|
| | |
|
| |
|
|
|
|
| |
This solves build error on luna88k with gcc3.
ok aoyama@ jca@ jsing@ tb@
|
| |
|
|
|
|
|
|
|
| |
In the case of a dummy CCS or post-handshake handshake message, return
TLS13_WANT_POLLIN rather than using a goto internally. This allows the
caller to retry at an appropriate time and reduces the complexity within
the record layer.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
In most cases a TLS13_IO_WANT_POLLIN or TLS13_IO_WANT_POLLOUT will have
bubbled up from the wire callbacks, in which case the BIO retry flag will
already be set. However, if we return TLS13_IO_WANT_POLLIN or
TLS13_IO_WANT_POLLOUT from a higher layer the BIO retry flag will not be
set and that will cause SSL_get_error() to return SSL_ERROR_SYSCALL rather
than the intended SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.
ok beck@ tb@
|
