| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
|
|
| |
Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.
ok tb@
|
| |
|
|
|
|
|
| |
It makes more sense to have tls13_exporter() in tls13_key_schedule.c,
rather than tls13_lib.c
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
While ssl3_setup_read_buffer() success alone is enough to imply that
the read bufer is non-NULL, several static analyzers fail to recognize
that and throw fits about possible NULL accesses.
CID 331010
Fix from and ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TLSv1.3 introduces a New Session Ticket post-handshake handshake message
that allows a unique association between a ticket value and a pre-shared
key derived from the resumption master secret. Servers may send this
message arbitrarily often at any time after receiving the client's
Finished message.
Implement tls13_new_session_ticket_recv() which parses the contents of
the NewSessionTicket message into a fresh session derived from the
current session so as to avoid modifying sessions that are already in
the session cache.
This uses tls13_new_session_ticket_recv() in tls13_phh_received_cb().
We currently rely on the general rate limiting of 100 PHH messages per
connection and hour to avoid problems from connecting to a misbehaving
or malicious server.
ok jsing
|
| |
|
|
|
|
|
|
| |
TLSv1.3 servers must not indicate a lifetime longer than 7 days and
clients must not cache sessions for longer than 7 days. Encode this
in a macro internal to tls13_lib.c for now.
ok jsing
|
| |
|
|
|
|
|
|
| |
SSL_SESSION_dup() is a currently essentially unused public OpenSSL 1.1.1
API. Add a version that does not duplicate the secrets for internal use.
If the public API should be needed, we can easily make it a wrapper.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
| |
Add members necessary to store the "ticket_age_add" value and the
resumption master secret needed in the TLSv1.3 version of session
resumption.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
The session_id member of SSL_SESSION has 32 bytes for historical
reasons. This precisely accommodates a SHA-256 and is currently
computed using this hash. If the hash function is ever changed,
this will likely overflow. This should be fixed in code. Leave
it at an XXX comment for now.
Pointed out by jsing
|
| |
|
|
|
|
|
|
| |
Calling HKDF_expand() with a length of 0 happens to succeed due to a quirk
in the API inherited from BoringSSL. This hides caller-side errors during
development. Error out to catch such mistakes early on.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
| |
These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.
Prompted by tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, ssl_both.c contains several functions that are used by both the
legacy client and legacy server. This interwines the client and server,
making it harder to make progressive changes. While it does deduplicate
some code, it also ends up with code that is conditioned on s->server and
forces the caller to pass in SSL3_ST_* values.
Move these functions from ssl_both.c into ssl_clnt.c and ssl_srvr.c,
renaming as appropriate and removing the s->server conditionals. Also move
the client and server function prototypes from ssl_locl.h into the .c
files, making them static in the process.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While RFC 8446 is clear about what legacy session identifiers can be sent
by a TLSv1.3 client and how middlebox compatibility mode is requested, it
is delightfully vague about the circumstances under which a client is
permitted to send CCS messages. While it does not make sense for a client
to send CCS messages when they are not requesting middlebox compatibility
mode, it is not strictly forbidden by the RFC and at least one (unknown)
TLSv1.3 stack has been observed to do this in the wild.
Revert part of the previous change and allow clients to send CCS messages,
even if they are not requesting middlebox compatibility mode.
Found the hard way by florian@
ok tb@
|
| |
|
|
| |
OK tb
|
| |
|
|
| |
ok tb@
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
Only allow a TLSv1.3 client to request middlebox compatibility mode if
this is permitted. Ensure that the legacy session identifier is either
zero length or 32 bytes in length. Additionally, only allow CCS messages
on the server side if the client actually requested middlebox compatibility
mode.
ok tb@
|
| |
|
|
|
|
|
|
| |
Currently the TLSv1.3 client always permits the server to send CCS
messages. Be more strict and only permit this if the client is actually
requesitng middlebox compatibility mode.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
| |
Use this from the TLSv1.3 code.
ok tb@
|
| |
|
|
| |
ok ok miod@ ack ack jmc@
|
| |
|
|
|
| |
This is a safer fix for the bug where we might read outside rule_str
buffer and is how BoringSSL fixed it. OK tb@
|
| |
|
|
|
|
| |
If rule_str ended in a "-", "l" was incremented one byte past the
end of the buffer. This resulted in an out-of-bounds read when "l"
is dereferenced at the end of the loop. OK tb@
|
| |
|
|
|
|
|
|
|
|
| |
This simplifies memory management and makes it easier to see the leak
that were introduced in the previous commit. Sprinkle a few malloc
errors for consistency.
CID 278396
with/ok jsing
|
| |
|
|
|
|
| |
CID 24797
ok jsing
|
| |
|
|
|
|
|
|
| |
EVP_PKEY_copy_parameters() will unconditionally fail if the pkey's ameth
has no copy_params(). Obviously this is indistinguishable from actual
failure...
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Switch from X509_get_pubkey() to X509_get0_pubkey() to avoid an unnecessary
EVP_PKEY_free(). Check the return values of X509_get0_pubkey() and
EVP_PKEY_copy_parameters(). If the former returns NULL, the latter will
dereference NULL.
CID 25020
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
If rbio and wbio are the same, SSL_free() only frees one BIO, so the
BIO_up_ref() before SSL_set_bio() leads to a leak.
ok jsing
|
| |
|
|
|
|
|
| |
If SSL_do_handshake() is called before SSL_provide_quic_data() has been
called, the QUIC read buffer will not have been initialised. In this case
we want to return TLS13_IO_WANT_POLLIN so that the QUIC stack will provide
handshake data.
|
| |
|
|
|
|
|
| |
While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.
It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.
To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
LibreSSL will not return these values, however software is starting to
check for these as return values from SSL_get_error().
ok tb@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This implements SSL_get_shared_{curve,group}() in a bug-compatible
fashion with OpenSSL.
This is your average OpenSSL-style overloaded parameter API where n >= 0
means "return the n-th shared group's NID" (as if anyone possibly ever
cared about the case n > 0) and n == -1 means "return the number of
shared groups". There is also an undocumented case n == -2 for Suite B
profile support which falls back to n == 0 in case Suite B profile
support is disabled, so n == -2 is the same as n == 0 in LibreSSL.
The API also returns 0 for error, which is indistinguishable from a
count of 0 shared groups but coincides with NID_undef. Contrary to claims
in the documentation, the API doesn't actually return -1 for clients,
rather it returns 0.
Obviously this entire exercise is pretty useless, but since somebody
exposed it because they could and someone else used it because they could
we need to provide it.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This splits tls1_get_supported_group() into a few helper functions to
be able to count shared groups and to return the n-th shared group since
someone thought it is a great idea to expose that in a single API and
some others thought it is useful to add this info to log noise.
This is all made a bit more complicated thanks to the security level
having its tentacles everywhere and because a user-provided security
callback can influence the list of groups shared by the peers.
ok jsing
|
| |
|
|
|
|
|
|
| |
These are wrappers of SSL_ctrl() using the SSL_CTRL_GET_SHARED_GROUP
control. Do not provide SSL_CTRL_GET_SHARED_CURVE since that is only
mentioned in Net::SSLeay docs according to codesearch.debian.net.
ok jsing
|
| |
|
|
| |
ok jsing
|
