| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
with/ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
with/ok jsing
|
| |
|
|
|
|
| |
from public visibility.
with/ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As reported by Jeremy Harris, we inherited a strange behavior from
OpenSSL, in that we ignore the SSL_TLSEXT_ERR_FATAL return from the
ALPN callback. RFC 7301, 3.2 states: 'In the event that the server
supports no protocols that the client advertises, then the server
SHALL respond with a fatal "no_application_protocol" alert.'
Honor this requirement and succeed only on SSL_TLSEXT_ERR_{OK,NOACK}
which is the current behavior of OpenSSL. The documentation change
is taken from OpenSSL 1.1.1 as well.
As pointed out by jsing, there is more to be fixed here:
- ensure that the same protocol is selected on session resumption
- should the callback be called even if no ALPN extension was sent?
- ensure for TLSv1.2 and earlier that the SNI has already been processed
ok beck jsing
|
| |
|
|
| |
ok beck
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok bcook jsing
|
| |
|
|
|
|
| |
Needed for nginx-lua to build with opaque SSL.
ok inoguchi jsing
|
| |
|
|
|
|
|
| |
This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently, the plaintext content from opened TLS records is handled via
the rbuf code in the TLSv1.3 record layer. Factor this out and provide a
separate struct tls_content, which knows how to track and manipulate the
content.
This makes the TLSv1.3 code cleaner, however it will also soon also be used
to untangle parts of the legacy record layer.
ok beck@ tb@
|
| |
|
|
|
|
|
| |
in Openssl 1.1.1 for when to call the session callbacks. I believe it
to also generates a lot less eye bleed, confirmed by tb@
ok jsing@ tb@
|
| |
|
|
|
|
|
| |
Rather than manually checking multiple bytes, actually parse the DTLS
handshake message header, then check the values against what we parsed.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
The callers know the actual length and can initialise a CBS correctly.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Rather than pulling out the epoch and then six bytes of sequence number,
pull out SSL3_SEQUENCE_SIZE for the sequence number, then pull the epoch
off the start of the sequence number.
ok inoguchi@ tb@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
| |
Found by tlsfuzzer.
ok beck@
|
| |
|
|
|
|
| |
Found by tlsfuzzer.
ok beck@
|
| |
|
|
|
|
|
|
| |
The message_size variable is not actually the handshake message size,
rather the number of bytes contained within the handshake message, hence
we have to subtract the length of the handshake message header.
ok beck@
|
| |
|
|
|
|
| |
here or we break the handshake with BAD_MESSAGE
ok tb@
|
| |
|
|
|
|
| |
succeeding unconditionally. Makes muststaple work with tls1.3 in nc
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
message, even if it has received a "status_request" extension in the client
hello message and has sent a "status_request" extention in the server hello
message. Genua found a site that is this broken. This makes it work.
ok jsing@
|
| |
|
|
|
|
| |
leaving only the basic description in the RETURN VALUES section;
tb@ pointed out LibreSSL does not currently provide all those guarantees,
and he also OK'ed this diff
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In normal TLS, it is possible for record fragments to be sent that contain
one byte of alert or handshake message payload. In this case we have to
read and collate multiple message fragments before we can decide what to
do with the record.
However, in the case of DTLS, one record is effectively one packet and
while it is possible to send handshake messages across multiple
records/packets, the minimum payload is the DTLS handshake message header
(plus one byte of data if the handshake message has a payload) - without
this, there is insufficient information available to be able to reassemble
the handshake message. Likewise, splitting an alert across multiple DTLS
records simply does not work, as we have no way of knowing if we're
collating the same alert or two different alerts that we lost half of each
from (unfortunately, these details are not really specified in the DTLS
RFC).
This means that for DTLS we can expect to receive a full alert message
(a whole two bytes) or a handshake record with at least the handshake
message header (12 bytes). If we receive messages with less than these
lengths we discard them and carry on (which is what the DTLS code already
does).
Remove all of the pointless fragment handling code from DTLS, while also
fixing an issue where one case used rr->data instead of the handshake
fragment.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@ (as part of a larger diff)
|
| |
|
|
|
|
|
|
|
| |
The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
There is little to gain by mallocing and freeing the AEAD nonce for each
record - move to an AEAD nonce allocated for the record layer, which
matches what we do for TLSv1.3.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
in particular, this includes new text by Matt Caswell
from OpenSSL commit 721eb8f6 Nov 28 12:03:00 2019 +0000
and corrects a wrong argument type that i introduced into the SYNOPSIS;
requested by tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a servername callback returns SSL_TLSEXT_ERR_ALERT_WARNING, this
results in a fatal error in TLSv1.3 since alert levels are implicit
in the alert type and neither close_notify nor user_canceled make
sense in this context. OpenSSL chose to ignore this, so we need to
follow suit.
Found via a broken servername callback in p5-IO-Socket-SSL which
returns a Boolean instead of SSL_TLSEXT_ERR_*. This happened to
have worked before TLSv1.3 since warning alerts are often ignored.
This "fixes" sni.t and sni-verify.t in p5-IO-Socket-SSL.
ok beck jsing
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
Noted by tb@ during review of a larger change.
|
| | |
|
| |
|
|
|
|
|
|
| |
The code for dtls1_dispatch_alert() and ssl3_dispatch_alert() is largely
identical - with a bit of reshuffling we can use ssl3_dispatch_alert() for
both protocols and remove the ssl_dispatch_alert function pointer.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When DTLS handshake records are received from the next epoch, we will
potentially queue them on the unprocessed_rcds queue - this is usually
a Finished message that has been received without the ChangeCipherSuite
(CCS) message (which may have been dropped or reordered).
After the epoch increments (due to the CCS being received), the current
code processes all records on the unprocessed queue and immediate queues
them on the processed queue, which dtls1_get_record() then pulls from.
This form of processing only adds more complexity and another queue.
Instead, once the epoch increments, pull a single record from the
unprocessed queue and process it, allowing the contents to be consumed
by the caller. We repeat this process until the unprocessed queue is
empty, at which point we go back to consuming messages from the wire.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
Per RFC 6347 section 4.1.2.1, DTLS should silently discard invalid records,
including those that have a bad MAC. When converting to the new record
layer, we inadvertantly switched to standard TLS behaviour, where an
invalid record is fatal. This restores the previous behaviour.
Issue noted by inoguchi@
ok inoguchi@
|
| |
|
|
|
|
|
|
| |
All this code does is read one byte from memory with an unknown length,
potentially being a one byte overread... and then nothing is actually done
with the value.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
| |
The num_ciphers, get_cipher_by_char and put_cipher_by_char function
pointers use the same function for all methods - call ssl3_num_ciphers()
directly, absorb ssl3_get_cipher_by_char() into SSL_CIPHER_find() and
remove the unused ssl3_put_cipher_by_char() code.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds functionality for SSL_get_signature_nid(),
SSL_get_peer_signature_nid(), SSL_get_signature_type_nid() and
SSL_get_peer_signature_type_nid().
This is not currently publicly visible and will be exposed at a later
date.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Move struct ssl_cipher_st, struct ssl_method_st, struct ssl_session_st and
struct ssl3_state_st from public to private headers. These are already
under #ifdef LIBRESSL_INTERNAL and are no longer publicly visible.
ok inoguchi@ tb@
|
| |
|
|
| |
This was inadvertently broken during sigalgs refactoring.
|
| |
|
|
|
|
|
|
| |
This means that we do sigalg selection for all cases, including those
where are are not sending sigalgs. This is needed in order to track our
signature type in legacy cases.
ok tb@
|
| |
|
|
| |
This is needed for upcoming API additions.
|
