| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.
ok beck@ tb@
|
| |
|
|
|
|
| |
This will be used to handle record version checks.
ok tb@
|
| |
|
|
|
|
|
|
| |
Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.
ok tb@
|
| |
|
|
|
|
|
|
| |
This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
This correctly handles session being non-NULL and sets up a few more
things, including ssl_version. Also stop setting the ssl_version to the
server_version, as this is only used on the client side.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the client has requested middle box compatibility mode by sending
a non-empty legacy_session_id, the server must send a dummy CCS right
after its first handshake message. This means right after ServerHello
or HelloRetryRequest.
Two important improvements over the backed-out diffr: make sure that
First: client and server can send their dummy CCS at the correct moment
(right before the next flight or right after the current flight).
Second: as jsing noted, we also need to deal with the corner case that
tls13_send_dummy_ccs() can return TLS13_IO_WANT_POLLOUT.
with/ok jsing
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
|
|
| |
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.
ok beck@
|
| |
|
|
|
|
| |
This makes it easier to debug TLSv1.3 handshake failures.
"Yes please!" tb@, ok beck@
|
| |
|
|
|
|
|
|
|
| |
The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.
ok beck@
|
| |
|
|
|
|
|
|
| |
With TLSv1.3 we end up parsing extensions from more than just these two
messages. This can result in variables (like the selected alpn) being
freed when things still need them.
ok tb@
|
| |
|
|
|
|
|
| |
This variable is currently overloaded - a value of -1 means that it is
"unset" and any other value is a length.
ok tb@
|
| |
|
|
|
|
|
|
| |
with TLSv1.2 servers, since it makes clients send their dummy CCS too
early... There's an obvious but dirty bandaid which I can't bring myself
to applying - this business is already disgusting enough.
Issue found the hard way by sthen
|
| |
|
|
|
|
|
| |
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with gnuTLS.
ok jsing@
|
| |
|
|
|
|
|
|
|
| |
If the client has requested middle box compatibility mode by sending
a non-empty legacy_session_id, the server must send a dummy CCS right
after its first handshake message. This means right after ServerHello
or HelloRetryRequest.
ok jsing
|
| |
|
|
|
|
|
|
| |
When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).
ok tb@
|
| | |
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok jsing@, tb@, inoguchi@
|
| |
|
|
|
|
|
|
| |
stricter. Previously, we would accept any vector if it advertised the
"null" compression method. RFC 8446 4.1.2 specifies that the only legal
vector has length one and contains a zero byte for the null method.
ok jsing
|
| |
|
|
|
|
|
| |
and if the two lengths differed, the later CBS_write_bytes() would
correctly fail anyway.
Discussed with jsing
|
| |
|
|
|
|
| |
alert. Found with tlsfuzzer.
ok jsing
|
| |
|
|
| |
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
This fixes the case where a send function signals that an alert should be
sent, then returns failure. Previously the failure would be propagated
up, without the alert being sent.
Issued noted by tb@
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Split the record protection engagement code into a separate
tls13_server_engage_record_protection() function and call this from
tls13_server_hello_sent(). Also move some functions around to keep the
logical ordering/grouping.
ok inoguchi@ tb@ (as part of a larger diff)
|
| |
|
|
|
|
|
|
|
| |
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
We might remove static again for further regress around record layer
in the future.
ok jsing@ tb@
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
|
|
| |
No functional change.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
The server-side will need to use the same function.
No functional change.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Move functions so that they are in the order that the TLSv1.3 messages are
processed. While here, also move tls13_client_end_of_early_data_send() from
tls13_client.c to tls13_server.c.
No functional change.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
This ensures that we remain in a valid handshake state in the TLSv1.3
server. Ideally we would not switch to NEGOTIATED until after record
protection has been enabled, but we'll revisit this later.
Issue noted by inoguchi@
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
the main list of words to make it more readable, even though it
remains long.
Avoid using deprecated aliases in explanations what other words mean.
Stop documenting aDSS because it is *both* a deprecated alias *and*
no longer matches anything at all.
General direction discussed with jsing@ some time ago.
|
| |
|
|
|
| |
the TLSv1.3 cipher suites are made available, too;
related to ssl_ciph.c rev. 1.115
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The state machine currently handles the HelloRetryRequest case by using
WITH_HRR - in other words, we're explicitly indicating when we transition
to the alternate path. The problem here is that we do not know if we're
going to receive a ServerHello or a HelloRetryRequest until we process
the message. This means that the ServerHello processing code has to handle
both types of messages.
The state machine and associated processing code becomes cleaner if we flip
this around so that we assume we are going to receive a HelloRetryRequest
and upon discovering that it is not, trigger WITHOUT_HRR and hand off to
the ServerHello processing function. In particular, this makes the logic
much more straight forward on the server side, when adding support for HRR.
With feedback from tb@
ok tb@
|
| |
|
|
|
|
|
|
| |
Previously we would only select an X25519 key share from the client,
ignoring any others. Change this so that we will select the first of the
key shares that matches one of our supported groups.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Move all of the TLSv1.3 constants to the top of tls13_lib.c. Also mark
these all as const so that they end up in .rodata rather than .data.
ok tb@
|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
SSL_get_server_tmp_key() provides the peer ephemeral public key used
for key exchange. In the case of TLSv1.3 this is essentially the peer
public key from the key share used for TLSv1.3 key exchange, hence make it
availaable via SSL_get_server_tmp_key().
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Use a boolean value rather than using a counter, as suggested by tb@
during the previous review.
ok tb@
|
| |
|
|
|
|
|
|
| |
The key share code previously only allowed for key shares to be generated
using one of the groups in our default list (X25519, secp256r1, secp384r1).
Relax this and allow key shares using any of the groups in our NID list.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Revise the previous so that we only include TLSv1.3 cipher suites if the
cipher rule string resulted in at least one active cipher suite. This more
closely matches OpenSSL behaviour.
Noted and fix tested by schwarze@
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
Generate a client key share using our preferred group, rather than always
using X25519. This means that the key share group can be controlled via
SSL{_CTX,}_set1_groups() and SSL{_CTX,}_set1_groups_list().
ok beck@
|
| |
|
|
|
|
|
|
| |
* mention TLSv1.3
* remove DSS, DES(56), RC4(64), and IDEA(128), which are no longer supported
* remove ChaCha20-Poly1305-Old and STREEBOG512 which don't exist in LibreSSL
* correct the instruction for printing the complete list
OK jsing@
|
| |
|
|
|
| |
cipher suites" to the DES entry and use the same wording for DSS;
OK jsing@
|
| |
|
|
|
|
|
|
|
| |
in LOW, MEDIUM, and HIGH. That's going to change repeatedly and
the extra maintenance effort for keeping it up to date is a waste
because people can trivially run "openssl ciphers -v LOW" to look
it up. Besides, updating it will usually be forgotten; the LOW
entry was already wrong.
Suggested by jsing@.
|
