path: root/src/lib/libssl

Commit log. Each entry gives the commit message, followed in parentheses by author, date, number of files changed and lines removed/added.
* mention DTLS1_2_VERSION (tb, 2021-04-15; 1 file, -3/+4)

* Mention DTLS1_2_VERSION here, too (tb, 2021-04-15; 1 file, -6/+8)

* Document SSL_OP_NO_DTLSv1{,_2} (tb, 2021-04-15; 1 file, -2/+15)

* Document DTLSv1_2_{,client_,server_}method(3) (tb, 2021-04-15; 1 file, -4/+36)

* Merge documentation for SSL_is_dtls() from OpenSSL (tb, 2021-04-15; 1 file, -5/+21)

* Update a stale comment and fix a typo. (tb, 2021-04-11; 1 file, -3/+3)
* Avoid clobbering the error code when sending an alert (tb, 2021-04-07; 1 file, -2/+3)

  In order to fail gracefully on encountering a self-signed cert, curl looks
  at the top-most error on the stack and needs specific SSL_R_ error codes.
  This mechanism was broken when the tls13_alert_sent_cb() was added after
  people complained about unhelpful unknown errors. Fix this by only setting
  the error code from a fatal alert if no error has been set previously.

  Issue reported by Christopher Reid

  ok jsing
* Update for DTLSv1.2 support. (tb, 2021-03-31; 1 file, -2/+4)

* Bump minors after symbol addition (tb, 2021-03-31; 1 file, -1/+1)

* Expose various DTLSv1.2 specific functions and defines (tb, 2021-03-31; 4 files, -27/+7)

  ok bcook inoguchi jsing

* Document SSL_set_hostflags(3) and SSL_get0_peername(3) (tb, 2021-03-31; 1 file, -18/+4)

  ok bcook inoguchi jsing

* Expose SSL_set_hostflags(3) and SSL_get0_peername(3) (tb, 2021-03-31; 2 files, -3/+3)

  ok bcook inoguchi jsing

* Document SSL_use_certificate_chain_file(3) (tb, 2021-03-31; 1 file, -11/+3)

  ok bcook inoguchi jsing

* Expose SSL_use_certificate_chain_file(3) (tb, 2021-03-31; 2 files, -3/+2)

  ok bcook inoguchi jsing

* whitespace nits (tb, 2021-03-29; 1 file, -4/+4)

* Remove pointless assignment in SSL_get0_alpn_selected(). (jsing, 2021-03-29; 1 file, -4/+1)

  ok tb@
* Avoid transcript initialisation when sending a TLS HelloRequest. (jsing, 2021-03-29; 1 file, -4/+6)

  When server side renegotiation is triggered, the TLSv1.2 state machine
  sends a HelloRequest before going to ST_SW_FLUSH and ST_OK. In this case
  we do not need the transcript and currently hit the sanity check in ST_OK
  that ensures the transcript has been freed, breaking server initiated
  renegotiation. We do however need the transcript in the DTLS case.

  ok tb@

* Move finished and peer finished to the handshake struct. (jsing, 2021-03-29; 7 files, -44/+44)

  This moves the finish_md and peer_finish_md from the 'tmp' struct to the
  handshake struct, renaming to finished and peer_finished in the process.
  This also allows the remaining S3I(s) references to be removed from the
  TLSv1.3 client and server.

  ok inoguchi@ tb@

* Move the TLSv1.2 record number increment into the new record layer. (jsing, 2021-03-29; 3 files, -19/+44)

  This adds checks (based on the TLSv1.3 implementation) to ensure that the
  TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

  ok inoguchi@ tb@
* Garbage collect s->internal->type (tb, 2021-03-27; 6 files, -18/+9)

  This variable is used in the legacy stack to decide whether we are a
  server or a client. That's what s->server is for...

  The new TLSv1.3 stack failed to set s->internal->type, which resulted in
  hilarious mishandling of previous_{client,server}_finished. Indeed, both
  client and server would first store the client's verify_data in
  previous_server_finished and later overwrite it with the server's
  verify_data.

  Consequently, renegotiation has been completely broken for more than a
  year. In fact, server side renegotiation was broken during the 6.5
  release cycle. Clearly, no-one uses this.

  This commit fixes client side renegotiation and restores the previous
  behavior of SSL_get_client_CA_list(). Server side renegotiation will be
  fixed in a later commit.

  ok jsing
* Rename new_cipher to cipher. (jsing, 2021-03-24; 11 files, -64/+64)

  This is in the SSL_HANDSHAKE struct and is what we're currently
  negotiating, so there is really nothing more "new" about the cipher than
  there is the key block or other parts of the handshake data.

  ok inoguchi@ tb@

* Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data. (jsing, 2021-03-24; 5 files, -40/+48)

  Move TLSv1.2 specific components over from SSL_HANDSHAKE.

  ok inoguchi@ tb@

* Fully initialize rrec in tls12_record_layer_open_record_protected (tb, 2021-03-21; 1 file, -1/+2)

  The CBC code path initializes rrec.padding_length in an indirect fashion
  and later makes use of it for copying the MAC. This is confusing some
  static analyzers as well as people investigating the whining. Avoid this
  confusion and add a bit of robustness by clearing the stack variable up
  front.

  ok jsing
* Move the TLSv1.3 handshake struct inside the shared handshake struct. (jsing, 2021-03-21; 9 files, -226/+227)

  There are currently three different handshake structs that are in use -
  the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct
  (as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous
  'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp).

  This is the first step towards cleaning up the handshake structs so that
  shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2
  and TLSv1.3 specific information.

  Place SSL_HANDSHAKE_TLS13 inside SSL_HANDSHAKE and change ctx->hs to refer
  to the SSL_HANDSHAKE struct instead of the SSL_HANDSHAKE_TLS13 struct.
  This allows the TLSv1.3 code to access the shared handshake data without
  needing the SSL struct.

  ok inoguchi@ tb@
* Split TLSv1.3 record protection from record layer. (jsing, 2021-03-21; 1 file, -46/+72)

  This makes the TLSv1.2 and TLSv1.3 record layers more consistent and
  while it is not currently necessary from a functionality perspective, it
  makes for more readable and simpler code.

  ok inoguchi@ tb@

* Avoid a use-after-scope in tls13_cert_add(). (jsing, 2021-03-21; 1 file, -4/+3)

  A parent CBB retains a reference to a child CBB until CBB_flush() or
  CBB_cleanup() is called. As such, the cert_exts CBB must be at function
  scope.

  Reported by Ilya Shipitsin.

  ok tb@

* Prepare documenting SSL_use_certificate_chain_file (tb, 2021-03-19; 1 file, -2/+19)

* Undo previous. As pointed out by jsing I clearly wasn't fully awake... (tb, 2021-03-19; 1 file, -2/+2)

* Prepare to provide SSL_use_certificate_chain_file() (tb, 2021-03-19; 2 files, -15/+40)

  This is the same as SSL_CTX_use_certificate_chain_file() but for an SSL
  object instead of an SSL_CTX object. remi found this in a recent librelp
  update, so we need to provide it. The function will be exposed in an
  upcoming library bump.

  ok inoguchi on an earlier version, input/ok jsing

* fix whitespace nit in previous (tb, 2021-03-17; 1 file, -2/+2)
* Enable DTLSv1.2. (jsing, 2021-03-17; 1 file, -1/+5)

  This means that the DTLS_method() will now use DTLSv1.2 rather than
  DTLSv1. Additional DTLSv1.2 related symbols and defines will be made
  publicly visible in the near future.

  ok inoguchi@ tb@

* Add support for DTLSv1.2 version handling. (jsing, 2021-03-17; 1 file, -45/+117)

  This teaches the version functions that handle protocol versions about
  DTLSv1.2 and the SSL_OP_NO_DTLS* options. We effectively convert between
  TLS and TLS protocol versions where necessary.

  ok inoguchi@ tb@

* Remove ssl_downgrade_max_version(). (jsing, 2021-03-11; 5 files, -54/+15)

  Now that we store our maximum TLS version at the start of the handshake,
  we can check against that directly.

  ok inoguchi@ tb@

* Guard TLS1_get_{client_,}version() macros with #ifndef LIBRESSL_INTERNAL. (jsing, 2021-03-10; 1 file, -1/+3)

  These are no longer used (and should not be used) internally.
* Improve internal version handling. (jsing, 2021-03-10; 9 files, -108/+145)

  Add handshake fields for our minimum TLS version, our maximum TLS version
  and the TLS version negotiated during the handshake. Initialise our
  min/max versions at the start of the handshake and leave these unchanged.

  The negotiated TLS version is set in the client once we receive the
  ServerHello and in the server at the point we select the highest shared
  version.

  Provide an ssl_effective_version() function that returns the negotiated
  TLS version if known, otherwise our maximum TLS version - this is
  effectively what is stored in s->version currently.

  Convert most of the internal code to use one of these three version
  fields, which greatly simplifies code (especially in the TLS extension
  handling code).

  ok tb@

* Separate variable declaration and assignment. (jsing, 2021-03-02; 1 file, -2/+4)

  Requested by tb@

* Replace two handrolled tls12_record_protection_engaged(). (jsing, 2021-03-02; 1 file, -3/+3)

  Noted by tb@

* Move key/IV length checks closer to usage sites. (jsing, 2021-03-02; 1 file, -5/+11)

  Also add explicit checks against EVP_CIPHER_iv_length() and
  EVP_CIPHER_key_length().

  Requested by tb@ during review.

  ok tb@

* Add tls12_record_protection_unused() and call from CCS functions. (jsing, 2021-03-02; 1 file, -8/+17)

  This moves the check closer to where a leak could occur and checks all
  pointers in the struct.

  Suggested by tb@ during review.

  ok tb@

* Fix misleading indentation in SSL_get_error() (tb, 2021-03-02; 1 file, -2/+2)

* Move handling of cipher/hash based cipher suites into the new record layer. (jsing, 2021-02-27; 5 files, -200/+141)

  ok tb@

* Identify DTLS based on the version major value. (jsing, 2021-02-27; 1 file, -2/+2)

  This avoids the need to match specific DTLS version numbers.
* Only use TLS versions internally (rather than both TLS and DTLS versions). (jsing, 2021-02-25; 9 files, -128/+132)

  DTLS protocol version numbers are the 1's complement of human readable
  TLS version numbers, which means that newer versions decrease in value
  and there is no direct mapping between TLS protocol version numbers and
  DTLS protocol version numbers.

  Rather than having to deal with this internally, only use TLS versions
  internally and map between DTLS and TLS protocol versions when necessary.

  Rename functions and variables to use 'tls_version' when they contain a
  TLS version (and never a DTLS version).

  ok tb@
* Fix bizarre punctuation and capitalization in a comment. (tb, 2021-02-22; 1 file, -2/+2)

* Simplify version checks in the TLSv1.3 client (tb, 2021-02-22; 1 file, -22/+10)

  Ensure that the server announced TLSv1.3 (and nothing higher) in the
  supported_versions extension. In that case, the legacy_version must be
  TLSv1.2 according to RFC 8446, 4.1.3 and 4.2.1.

  This commit also removes some unreachable code which is a remnant of
  very early TLSv1.3 code from before the legacy fallback was introduced.

  Simplify a few checks and adjust some comments nearby.

  ok jsing

* Factor out/change some of the legacy client version handling code. (jsing, 2021-02-22; 3 files, -12/+36)

  This consolidates the version handling code and will make upcoming
  changes easier.

  ok tb@

* ugly whitespace (tb, 2021-02-20; 2 files, -14/+14)

* Rename f_err into fatal_err. (tb, 2021-02-20; 7 files, -183/+183)

  discussed with jsing
* Rename the truncated label into decode_err. This describes its purpose (tb, 2021-02-20; 2 files, -73/+73)

  better and doesn't look odd if there's trailing data for example.
  Indent a few labels in the neighborhood while there.

  ok jsing
* Return a min/max version of zero if set to zero. (jsing, 2021-02-20; 3 files, -17/+41)

  OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of
  zero if the minimum or maximum has been set to zero (which means the
  minimum or maximum version supported by the method). Previously we
  returned the minimum or maximum version supported by the method, instead
  of zero.

  Match OpenSSL's behaviour by using shadow variables.

  Discussed with tb@