| Commit message (Collapse) | Author | Age | Files | Lines |
TLSv1 control word, and explain how TLSv1.3 cipher suites can be
configured in LibreSSL and in OpenSSL. While here, also mention
how users can inspect the DEFAULT list of cipher suites.
Stimulus, feedback and OK from jsing@.
OpenSSL has always taken the approach of enabling almost everything by
default. As a result, if you wanted to run a secure TLS client/server
you had to specify your own "secure" cipher string, rather than being
able to trust the defaults as being sensible and secure. The problem
is that with the introduction of TLSv1.3, most of these "secure" cipher
strings result in the new TLSv1.3 cipher suites being excluded.
The "work around" for this issue in OpenSSL was to add a new TLSv1.3
API (SSL_CTX_set_ciphersuites(), SSL_set_ciphersuites()) and have separate
knobs for the pre-TLSv1.3 and TLSv1.3 cipher suites. This of course means
that every application now needs to call two APIs, but it does mean that
applications that only call SSL_CTX_set_cipher_list()/SSL_set_cipher_list()
cannot remove TLSv1.3 cipher suites and prevent TLSv1.3 from working.
We've taken a different approach and have allowed TLSv1.3 cipher suites
to be manipulated via the existing SSL_set_cipher_list() API. However,
in order to avoid problems with hardcoded cipher strings, change this
behaviour so that we always include TLSv1.3 cipher suites unless the
cipher string has a specific reference to the TLSv1.3 protocol or a
TLSv1.3 cipher suite.
This means that:
$ openssl ciphers -v TLSv1.2:!TLSv1.3
still gives TLSv1.2 only cipher suites and:
$ openssl ciphers -v AEAD-CHACHA20-POLY1305-SHA256
only lists a single TLSv1.3 cipher, however:
$ openssl ciphers -v ECDHE-RSA-AES256-GCM-SHA384
now includes both TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 and all TLSv1.3
cipher suites (which also matches OpenSSL's openssl(1) behaviour).
Issue encountered by kn@ with mumble.
ok tb@
explicitly comparing against a value.
Generate an unpredictable 32-byte legacy session ID during client
initialisation, rather than when the ClientHello message is being created.
Otherwise in the case of a HelloRetryRequest the legacy session ID values
will differ between the first and second ClientHello messages, which is
not permitted by the RFC.
Fixes an issue talking TLSv1.3 to smtp.mail.yahoo.com.
ok beck@
If the maximum version is less than TLSv1.3, send a zero-length session
identifier (matching the behaviour of the legacy TLS stack), rather than
a 32 byte random identifier. The 32 byte random identifier is only needed
for "compatibility" mode in TLSv1.3.
ok beck@
Patch from Martin Vahlensieck <academicsolutions dot ch>.
Patch from Martin Vahlensieck <academicsolutions dot ch>.
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.
ok inoguchi jsing
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.
ok jsing
Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.
ok tb@
Fix proposed by tb@
ok tb@
CBB uses recallocarray() to expand buffers, however it was still using
malloc() for the initial buffer, which could result in memory being leaked
in incorrect use cases.
While here also use calloc() to allocate internal structs.
ok inoguchi@ tb@
This reduces the chance of accidentally leaking stack memory.
ok inoguchi@ tb@
Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.
ok inoguchi@ tb@
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
ok inoguchi@ tb@
Both session tickets and key updates are post-handshake handshake messages,
which were originally included in the handshake code.
ok inoguchi@ tb@
In the unlikely event that the return value from the read callback is
larger than the number of bytes we asked for, we can end up incrementing
buf->len beyond capacity. Check the return value from the read callback to
prevent this.
ok inoguchi@ tb@
The enc function pointers do not serve any purpose these days - remove
a layer of indirection and call dtls1_enc()/tls1_enc() directly.
ok inoguchi@ tb@
TLSv1.1 or below, it should check whether the server's random value
contains the magic downgrade protection cookie and in that case abort
the handshake with an illegal parameter alert.
ok inoguchi, jsing
eight bytes of the server's random to a magic cookie (RFC 8446, 4.1.3).
The TLSv1.3 spec changes the TLSv1.2 spec in that it recommends that
TLSv1.2 servers that negotiate TLSv1.1 or below do the same. This gives
a limited additional protection against downgrade attacks beyond what is
already present in the Finished exchange.
The TLSv1.3 part was already implemented in Hobart and can be trivially
modified to do the TLSv1.2 bit as well.
ok inoguchi, jsing
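Added example, not LibreSSL code: a Python sketch of both halves of the RFC 8446 section 4.1.3 downgrade protection the two commits above describe. The server stamps a sentinel into the last eight bytes of its random when it negotiates a lower version than it supports, and the client aborts with illegal_parameter when it sees one. The sentinel constants are the RFC's; the function names and the optional fixed-random parameter (for testing) are mine.

```python
import os

# Sentinel values from RFC 8446 section 4.1.3: "DOWNGRD" followed by 0x01 / 0x00.
DOWNGRADE_TLS12 = bytes.fromhex("444f574e47524401")  # server supports 1.3, negotiated 1.2
DOWNGRADE_TLS11 = bytes.fromhex("444f574e47524400")  # server supports 1.2+, negotiated <= 1.1

TLS1_1, TLS1_2, TLS1_3 = 0x0302, 0x0303, 0x0304


def server_random(max_version, negotiated, rand=None):
    """Build the 32-byte ServerHello.random, overwriting the last eight bytes
    with the downgrade sentinel whenever the server negotiates a version
    below the highest one it supports. 'rand' is a hypothetical test hook
    for supplying fixed bytes; a real server always uses fresh randomness."""
    out = bytearray(rand if rand is not None else os.urandom(32))
    if max_version >= TLS1_3 and negotiated == TLS1_2:
        out[24:] = DOWNGRADE_TLS12
    elif max_version >= TLS1_2 and negotiated <= TLS1_1:
        out[24:] = DOWNGRADE_TLS11
    return bytes(out)


def client_detects_downgrade(max_version, negotiated, rand):
    """Return True when the client must abort with an illegal_parameter alert.
    A TLSv1.3 client rejects either sentinel when 1.2 or lower was negotiated;
    a TLSv1.2 client rejects the 1.1 sentinel when 1.1 or lower was negotiated
    (the TLSv1.2 client-side check described above)."""
    tail = rand[24:]
    if max_version >= TLS1_3 and negotiated <= TLS1_2:
        return tail in (DOWNGRADE_TLS12, DOWNGRADE_TLS11)
    if max_version == TLS1_2 and negotiated <= TLS1_1:
        return tail == DOWNGRADE_TLS11
    return False
```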
Use a bad_record_mac alert instead.
Found with tlsfuzzer's ChaCha20 test.
ok beck inoguchi jsing
messages must terminate the connection with a decrypt_error alert, so
replace the use of the deprecated decryption_failed alert accordingly.
ok beck inoguchi jsing
ok inoguchi@ tb@
ok inoguchi@ tb@
Also consolidate it into the one place, since there is no reason to write
the epoch and sequence out later.
ok inoguchi@ tb@
comments to their correct places.
ok inoguchi@ tb@
ok inoguchi@ tb@
ok inoguchi@ tb@
ok inoguchi@ tb@
ok inoguchi@ tb@
When empty fragments were added as a countermeasure against chosen
plaintext attacks on CBC, it was done by adding a recursive call to
do_ssl3_write(). This makes the code more complex and difficult to change.
Split the record creation code into a separate ssl3_create_record()
function, which do_ssl3_write() calls. In the case where an empty fragment
is needed, ssl3_create_record() is simply called twice, removing the need
for recursion.
ok inoguchi@ tb@
ok inoguchi jsing
It is currently possible for key_share to be NULL when a TLS client
receives a keyshare extension. However, for this to occur the client has
to be doing TLS 1.2 or earlier, which means that it was invalid for the
server to send the extension. As such, check for NULL and treat it as an
invalid extension.
Found by oss-fuzz (#20741 and #20745).
ok inoguchi@ tb@
Changed to use a local variable to hold the malloc address rather than directly
setting S3I(s)->tmp.x25519, and set that private_key pointer to
S3I(s)->tmp.x25519 after all the "goto err;".
Also added freezero for S3I(s)->tmp.x25519 to ssl3_free() and ssl3_clear().
ok jsing@ tb@
separate file.
Discussed with beck@ and tb@
ok tb@
While we do not currently do session resumption, just return the
TLS_client_method() or TLS_server_method() when asked for a method that
does TLSv1.3.
ok tb@ (who also arrived at the same diff)
In the case of a hello retry request, we need to replace the client hello
with a synthetic handshake message, switch key share to that selected by
the server, build and send a new client hello, then process the resulting
server hello.
ok tb@
In a hello retry request the server will only send the selected group and
not actually provide a key exchange. In this case we need to store the
server selected group for further processing.
ok tb@
Use flags to signal the need to switch to the legacy client and to identify
a hello retry request. This allows the caller to take appropriate action,
rather than trying to do this in the parsing/processing code.
Split the key derivation and record protection engagement code into a
separate function, both for readability and reuse.
Change handshake states outside of the processing code.
ok tb@
This got added to the wrong functions (server side, not client) - swap the
now unimplemented send/recv functions between client and server.
ok tb@
mangling.
ok tb@
This is soon going to be used in the TLSv1.3 client code.
ok tb@
their own CBS as a preparation for upcoming HRR diffs.
ok jsing
ok inoguchi@ tb@
Unlike TLSv1.2 there is only a single hash in use, hence as soon as we
know what the hash is and have initialised the transcript hash, we can
free the transcript buffers.
ok inoguchi@ tb@