summaryrefslogtreecommitdiff
path: root/src/lib/libssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove a commented-out sk_push that has been hanging around for > 20 yearstb2022-08-301-4/+1
|
* Plug leak of BIO in tls13_quic_init()tb2022-08-301-2/+1
| | | | | | | If rbio and wbio are the same, SSL_free() only frees one BIO, so the BIO_up_ref() before SSL_set_bio() leads to a leak. ok jsing
* Handle SSL_do_handshake() being called before SSL_provide_quic_data().jsing2022-08-271-1/+4
| | | | | | | If SSL_do_handshake() is called before SSL_provide_quic_data() has been called, the QUIC read buffer will not have been initialised. In this case we want to return TLS13_IO_WANT_POLLIN so that the QUIC stack will provide handshake data.
* Provide the remaining QUIC API.jsing2022-08-212-2/+149
| | | | | | | While more work is still required, this is sufficient to get ngtcp2 to compile with QUIC and for curl to be able to make HTTP/3 requests. ok tb@
* Wire up SSL_QUIC_METHOD callbacks to the record layer callbacks for QUIC.jsing2022-08-213-19/+59
| | | | ok tb@
* Provide SSL_QUIC_METHOD.jsing2022-08-213-9/+172
| | | | | | | | | | | | | | | | | | | This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely ported/adapted from BoringSSL. It is worth noting that this struct is not opaque and the original interface exposed by BoringSSL differs to the one they now use. The original interface was copied by quictls and it appears that this API will not be updated to match BoringSSL. To make things even more challenging, at least one consumer does not use named initialisers, making code completely dependent on the order in which the function pointers are defined as struct members. In order to try to support both variants, the set_read_secret/set_write_secret functions are included, however they have to go at the end. ok tb@
* Provide and use QUIC specific error reasons.jsing2022-08-213-5/+9
| | | | ok tb@
* Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.jsing2022-08-211-1/+16
| | | | ok tb@
* Prepare to provide SSL_ERROR_WANT_{ASYNC,ASYNC_JOB,CLIENT_HELLO_CB}jsing2022-08-211-10/+15
| | | | | | | LibreSSL will not return these values, however software is starting to check for these as return values from SSL_get_error(). ok tb@
* zap a tabtb2022-08-201-2/+2
|
* Tweak prototype to match function definition (n -> index)tb2022-08-181-2/+2
|
* Implement the SSL_CTRL_GET_SHARED_GROUP controltb2022-08-171-1/+37
| | | | | | | | | | | | | | | | | | | | | | | This implements SSL_get_shared_{curve,group}() in a bug-compatible fashion with OpenSSL. This is your average OpenSSL-style overloaded parameter API where n >= 0 means "return the n-th shared group's NID" (as if anyone possibly ever cared about the case n > 0) and n == -1 means "return the number of shared groups". There is also an undocumented case n == -2 for Suite B profile support which falls back to n == 0 in case Suite B profile support is disabled, so n == -2 is the same as n == 0 in LibreSSL. The API also returns 0 for error, which is indistinguishable from a count of 0 shared groups but coincides with NID_undef. Contrary to claims in the documentation, the API doesn't actually return -1 for clients, rather it returns 0. Obviously this entire exercise is pretty useless, but since somebody exposed it because they could and someone else used it because they could we need to provide it. ok jsing
* Refactor tls1_get_supported_group()tb2022-08-172-30/+99
| | | | | | | | | | | | | This splits tls1_get_supported_group() into a few helper functions to be able to count shared groups and to return the n-th shared group since someone thought it is a great idea to expose that in a single API and some others thought it is useful to add this info to log noise. This is all made a bit more complicated thanks to the security level having its tentacles everywhere and because a user-provided security callback can influence the list of groups shared by the peers. ok jsing
* Add SSL_get_shared_{curve,group}()tb2022-08-171-2/+10
| | | | | | | | These are wrappers of SSL_ctrl() using the SSL_CTRL_GET_SHARED_GROUP control. Do not provide SSL_CTRL_GET_SHARED_CURVE since that is only mentioned in Net::SSLeay docs according to codesearch.debian.net. ok jsing
* Make tls1_get_{format,group_}list() take a const SSLtb2022-08-172-8/+8
| | | | ok jsing
* Provide ssl_security_shared_group()tb2022-08-172-5/+18
| | | | | | | | | Refactor ssl_security_supported_group() into a wrapper of a new internal ssl_security_group() which takes a secop as an argument. This allows adding ssl_security_shared_group() which will be needed in upcoming commits. ok jsing
* Deduplicate peer certificate chain processing code.jsing2022-08-1710-109/+121
| | | | | | | | | | | | | | Rather than reimplement this in each TLS client and server, deduplicate it into a single function. Furthermore, rather than dealing with the API hazard that is SSL_get_peer_cert_chain() in this code, simply produce two chains - one that has the leaf and one that does not. SSL_get_peer_cert_chain() can then return the appropriate one. This also moves the peer cert chain from the SSL_SESSION to the SSL_HANDSHAKE, which makes more sense since it is not available on resumption. ok tb@
* Avoid shadowing the cbs function parameter in tlsext_alpn_server_parse()tb2022-08-151-6/+4
| | | | ok jsing
* Remove redeclaration of rettb2022-08-151-2/+1
| | | | | | | When ret was introduced in an outer scope in r1.113, this declaration wasn't garbage collected. ok jsing
* Make tlsext_*_{build,needs,parse}() functions statictb2022-08-042-217/+94
| | | | | | | | | None of these functions are used outside of ssl_tlsext.c. The only reason they are prototyped in the header is for the use of tlsexttest.c. Rather than having a big pile of useless copy-paste in the header, we can adapt the test to avoid using these functions directly. ok jsing
* update copyright yearstb2022-07-301-2/+2
|
* Move cipher_id bsearch functions back to the bottom of the file.jsing2022-07-241-16/+16
|
* Set NULL BIOs for QUIC.jsing2022-07-241-1/+14
| | | | | | | | When used with QUIC, the SSL BIOs are effectively unused, however we still currently expect them to exist for status (such as SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE). Set up NULL BIOs if QUIC is in use. ok tb@
* Provide record layer callbacks for QUIC.jsing2022-07-247-16/+217
| | | | | | | | | | | | QUIC uses TLS to complete the handshake, however unlike normal TLS it does not use the TLS record layer, rather it provides its own transport. This means that we need to intercept all communication between the TLS handshake and the record layer. This allows TLS handshake message writes to be directed to QUIC, likewise for TLS handshake message reads. Alerts also need to be sent via QUIC, plus it needs to be provided with the traffic keys that are derived by TLS. ok tb@
* Move tls13_phh_done_cb() after tl13_phh_received_cb().jsing2022-07-241-12/+12
| | | | This is the order that they're called/run in.
* Provide QUIC encryption levels.jsing2022-07-246-20/+33
| | | | | | | | | | | | QUIC wants to know what "encryption level" handshake messages should be sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that defines these (of course quictls decided to make this an OSSL_ENCRYPTION_LEVEL typedef, so provide that as well). Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so that they can be used in upcoming commits. ok tb@
* Rely on tlsext_parse() to set a decode_error alerttb2022-07-241-79/+47
| | | | | | | | Instead of setting the alert manually in various parse handlers, we can make use of the fact that tlsext_parse() sets the alert to decode_error by default. This simplifies the code quite a bit. ok jsing
* Convert TLS transcript from BUF_MEM to tls_buffer.jsing2022-07-222-29/+16
| | | | ok beck@ tb@
* Add read and write support to tls_buffer.jsing2022-07-224-13/+139
| | | | | | | | tls_buffer was original created for a specific use case, namely reading in length prefixed messages. This adds read and write support, along with a capacity limit, allowing it to be used in additional use cases. ok beck@ tb@
* Simplify tls13_server_encrypted_extensions_recvtb2022-07-221-8/+2
| | | | | | | We can rely on tlsext_client_parse() to set the alert, so no need to do this in the error path. ok jsing
* Remove redundant length checks in parse functionstb2022-07-221-21/+1
| | | | | | | | | | | The main parsing function already checks that the entire extension data was consumed, so the length checks inside some of the parse handlers are redundant. They were also not done everywhere, so this makes the parse handlers more consistent. Similar diff was sent by jsing a long while back ok jsing
* Simplify tlsext_supported_groups_server_parsetb2022-07-201-45/+31
| | | | | | | | | Add an early return in the s->internal->hit case so that we can unindent a lot of this code. In the HRR case, we do not need to check that the list of supported groups is unmodified from the first CH. The CH extension hashing already does that for us. ok jsing
* Drop some unnecessary parentheses.tb2022-07-201-3/+2
| | | | ok jsing
* Copy alpn_selected using CBStb2022-07-201-6/+7
| | | | ok jsing
* Copy alpn_client_proto_list using CBS in SSL_new()tb2022-07-201-12/+7
| | | | | | | This makes the code both shorter and safer since freeing, allocation, and copying are handled by CBS_stow() internally. ok jsing
* Validate protocols in SSL{_CTX,}_set_alpn_protos()tb2022-07-201-1/+12
| | | | | | | | | | | This wonderful API requires users to pass the protocol list in wire format. This list is then sent as part of the ClientHello. Validate it to be of the correct form. This reuses tlsext_alpn_check_format() that was split out of tlsext_alpn_server_parse(). Similar checks were introduced in OpenSSL 86a90dc7 ok jsing
* Rewrite SSL{_CTX,}_set_alpn_protos() using CBStb2022-07-201-23/+15
| | | | | | | | | This simplifies the freeing, assigning and copying of the passed protocols by replacing all that code with a pair of CBS_init() and CBS_stow(). In addition, this aligns the behavior with OpenSSL, which no longer errors on NULL proto or 0 proto_len since 86a90dc7. ok jsing
* Change various ALPN related internal struct memberstb2022-07-201-6/+6
| | | | | | | | Change alpn_client_proto_list and alpn_selected from unsigned char * to uint8_t and change alpn_client_proto_list_len to be a size_t instead of an unsigned int. ok jsing
* Factor out ALPN extension format checktb2022-07-202-14/+27
| | | | | | | | The ALPN extension must contain a non-empty list of protocol names. Split a check of this out of tlsext_alpn_server_parse() so that it can be reused elsewhere in the library. ok jsing
* Remove tls_buffer_set_data() and remove/revise callers.jsing2022-07-206-34/+14
| | | | | | | | | | | | | There is no way that tls_buffer_set_data() can currently work in conjunction with tls_buffer_expand(). This fact is currently hidden by the way that PHH works, which reads the same data from the record layer (which it needs to do anyway, since we may not have all of the handshake message in a single record). Since this is broken, mop it up and change the PHH callback to not provide the record data. ok beck@ tb@
* Correct server-side handling of TLSv1.3 key updates.jsing2022-07-201-20/+30
| | | | | | | | The existing code updates the correct secret, however then sets it for the wrong direction. Fix this, while untangling the code and consistenly using 'read' and 'write' rather than 'local' and 'peer'. ok beck@ tb@
* Disallow MD5 and SHA-1 HMACs depending on the security leveltb2022-07-191-2/+11
| | | | | | | | Ciphers using an MD5 HMAC are not allowed on security levels >= 1 and using a SHA-1 HMAC is disallowed on security levels >= 4. This disables RC4-MD5 by default. ok jsing
* Disable TLSv1.3 middlebox compatibility mode for QUIC connections.jsing2022-07-171-2/+3
| | | | | | This is required by RFC 9001. ok tb@
* Pass SSL pointer to tls13_ctx_new().jsing2022-07-173-15/+11
| | | | | | | | struct tls13_ctx already knows about SSL's and this way tls13_ctx_new() can set up various pointers, rather than duplicating this in tls13_legacy_accept() and tls13_legacy_connect(). ok tb@
* Correct handling of QUIC transport parameters extension.jsing2022-07-171-48/+16
| | | | | | | | | | | Remove duplicate U16 length prefix, since tlsext_build() already adds this for us. Condition on SSL_is_quic() rather than TLS version - RFC 9001 is clear that this extension is only permitted on QUIC transport and an fatal unsupported extension alert is required if used elsewhere. Additionally, at the point where extensions are parsed, we do not necessarily know what TLS version has been negotiated. ok beck@ tb@
* Provide SSL_is_quic()jsing2022-07-173-5/+14
| | | | | | | | This function will allow code to know if the SSL connection is configured for use with QUIC or not. Also move existing SSL_.*quic.* functions under LIBRESSL_HAS_QUIC to prevent exposing them prematurely. ok beck@ tb@
* Correct TLSEXT_TYPE_quic_transport_parameters message types.jsing2022-07-171-2/+2
| | | | | | | Per RFC 9001, TLSEXT_TYPE_quic_transport_parameters may only appear in ClientHello and EncryptedExtensions (not ServerHello). ok beck@ tb@
* Correct value for TLSEXT_TYPE_quic_transport_parametersjsing2022-07-171-4/+6
| | | | | | | | Use the correct value for TLSEXT_TYPE_quic_transport_parameters according to RFC 9001 section 8.2. Also move the define under LIBRESSL_HAS_QUIC to avoid things finding it prematurely. ok beck@ tb@
* AESCGM -> AESGCMjsg2022-07-171-4/+4
|
* add .Xr links to SSL_CTX_set_security_level(3)schwarze2022-07-135-15/+20
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 05:07:25 +0000