| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
| |
Provide functionality for determining AEADs and hashes for TLS 1.3 ciphers.
Also provide wire read/write callbacks that interface with BIO and
functions that interface between SSL_read/SSL_write and the TLS 1.3 record
layer API.
ok tb@
|
| |
|
|
|
|
|
|
| |
While here, rename struct handshake to struct handshake_stage to avoid
potential ambiguity/conflict with the handshake data struct. Also add
forward and back pointers between SSL and struct tls13_ctx.
ok tb@
|
| |
|
|
|
|
|
|
| |
There is no guarantee that ssl3_clear() is called before ssl3_free(), so
free things here. Also move the chunk in ssl3_clear() up so that it is with
the "free" code rather than the "reinit" code.
ok beck@ tb@
|
| | |
|
| |
|
|
|
|
| |
While here correct an int vs size_t mismatch.
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
It receives handshake messages by reading and parsing data from the record
layer. It also provides support for building and sending handshake
messages.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
This is entirely self-contained and knows nothing about SSL or BIO. The
bottom of the stack is provided by wire read and write callbacks, with the
API to the record layer primarily being via
tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
| |
|
|
|
|
| |
Also check record size limits when reading records and setting data.
ok tb@
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
| |
Fix the tls13_handshake_advance_state_machine() return value, which
inadvertantly got flipped in an earlier commit. Also move this function
to a more suitable location.
ok tb@
|
| |
|
|
|
|
| |
A couple of cleanup/style tweaks while here.
ok tb@
|
| |
|
|
|
|
| |
of overloading/abusing action->sender.
ok jsing
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Check that the handshake message type received matches that required by the
state machine.
However, thanks to poor state design in the TLSv1.3 RFC, there is no way to
know if you're going to receive a certificate request message or not, hence
we have to special case it and teach the receive handler how to handle this
situation.
Discussed at length with beck@ and tb@ during the hackathon.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The I/O paths are from the tls13_handshake_send_action() and
tls13_handshake_recv_action() functions - both of these need to propagate
I/O conditions (EOF, failure, want poll in, want poll out) up the stack,
so we need to capture and return values <= 0. Use an I/O condition to
indicate successful handshake completion.
Also, the various send/recv functions are currently unimplemented, so
return 0 (failure) rather than 1 (success).
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
This is a self-contained struct and set of functions that knows how to
decode and read a TLS record from data supplied via a read callback, and
send itself via a write callback.
This will soon be used to build the TLSv1.3 record layer handling code.
ok beck@ tb@
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
| |
Update the handshake state tables and flag names according to the
design decisions and naming conventions in the hackroom. Garbage collect
some things that turn out not to belong here.
ok jsing
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
| |
appear with which messages.
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the TLS extension code was rewritten, TLS extensions could only exist
in ClientHello and ServerHello messages - as such, they were named in pairs
of *_clienthello_{needs,build} which would be called by the client and
*_clienthello_parse. Likewise for *_serverhello_{needs,build} which would
be called by a server and *_serverhello_parse, which would be called by a
client.
Enter TLSv1.3 - TLS extensions can now exist in one of seven messages,
with only certain types being allowed to appear in each, meaning the naming
scheme no longer works. Instead, rename them to indicate the caller rather
than the message type - this effectively means:
clienthello_needs -> client_needs
clienthello_build -> client_build
clienthello_parse -> server_parse
serverhello_needs -> server_needs
serverhello_build -> server_build
serverhello_parse -> client_parse
ok beck@ tb@
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The read callback returns a TLS13_IO_* value on EOF, failure, want pollin
or want pollout, or a positive value indicating the number of bytes read.
This will be used by upcoming TLSv1.3 handshake message and record
processing code, both of which need the ability to read a fixed size
header, before extending the buffer to the number of bytes specified in the
header.
ok beck@ tb@
|
| |
|
|
|
|
| |
as per RFC8446 section 4.2. Recognized extensions that appear in an
incorrect message must abort the handshake.
ok jsing@
|
| |
|
|
|
|
| |
At the moment this is mechanical, with the functions renamed. This will be
refactored for tls13.
ok jsing@
|
| |
|
|
|
|
|
|
|
|
| |
around broken GOST implementations. It looks like client certificates with
GOST have been completely broken since reimport of the GOST code, so no-one
is using LibreSSL this way. The client side was fixed only last week for
TLSv1.0 and TLSv1.1. This workaround is now in the way of much needed
simplifcation and cleanup, so it is time for it to go.
suggested by and ok jsing
|
| |
|
|
|
|
|
| |
invalid change cipher spec. Found due to dead assignment warnings
by the Clang static analyzer.
ok inoguchi (previous version), jsing
|
| |
|
|
|
|
|
|
|
|
| |
type, sigalgs/rsa/ec/gost. Move a few special dances for GOST where they
belong now. This prompted a fix for a long-standing bug with GOST client
certificate authentication where tls1_transcript_data() fails since the
transcript was already freed before. Add a bit of missing error checking
and leave some further cleanup for later.
idea, guidance & ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If DTLS sees a HelloVerifyRequest the transcript is reset - the previous
tls1_init_finished_mac() function could be called multiple times and would
discard any existing state. The replacement tls1_transcript_init() is more
strict and fails if a transcript already exists.
Provide an explicit tls1_transcript_reset() function and call it from the
appropriate places. This also lets us make DTLS less of a special snowflake
and call tls1_transcript_init() in the same place as used for TLS.
ok beck@ tb@
|
| |
|
|
| |
Discussed with beck@
|
| |
|
|
|
|
|
| |
In TLSv1.2, if the client does not send a signature algorithms extension
then for RSA key exchange a signature algorithm of {sha1,rsa} is implied.
The MD5+SHA1 hash only applies to older versions of TLS, which do not
support sigalgs.
|
| | |
|
| | |
|
| |
|
|
| |
joel's line of thinking about it
|
| |
|
|
|
| |
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@
|
| |
|
|
|
|
|
|
|
|
| |
instead of 'uint16_t'
Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.
OK tb@ and jsing@
|
| |
|
|
| |
Makes connections to outlook.office365.com work
|
| | |
|
| |
|
|
| |
Spotted by maestre@, ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
| |
Include check for appropriate RSA key size when used with PSS.
ok tb@
|
| |
|
|
| |
ok beck@
|
| | |
|
| |
|
|
|
|
|
| |
Used by unbound's DNS over TLS implementation to do server name
verification.
ok jsing
|
| | |
|
