| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
| |
Refactor ssl_security_supported_group() into a wrapper of a new internal
ssl_security_group() which takes a secop as an argument. This allows
adding ssl_security_shared_group() which will be needed in upcoming
commits.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.
This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.
ok tb@
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
When ret was introduced in an outer scope in r1.113, this declaration
wasn't garbage collected.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
None of these functions are used outside of ssl_tlsext.c. The only reason
they are prototyped in the header is for the use of tlsexttest.c. Rather
than having a big pile of useless copy-paste in the header, we can adapt
the test to avoid using these functions directly.
ok jsing
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
When used with QUIC, the SSL BIOs are effectively unused, however we still
currently expect them to exist for status (such as SSL_ERROR_WANT_READ and
SSL_ERROR_WANT_WRITE). Set up NULL BIOs if QUIC is in use.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
QUIC uses TLS to complete the handshake, however unlike normal TLS it does
not use the TLS record layer, rather it provides its own transport. This
means that we need to intercept all communication between the TLS handshake
and the record layer. This allows TLS handshake message writes to be
directed to QUIC, likewise for TLS handshake message reads. Alerts also
need to be sent via QUIC, plus it needs to be provided with the traffic
keys that are derived by TLS.
ok tb@
|
| |
|
|
| |
This is the order that they're called/run in.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
QUIC wants to know what "encryption level" handshake messages should be
sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that
defines these (of course quictls decided to make this an
OSSL_ENCRYPTION_LEVEL typedef, so provide that as well).
Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so
that they can be used in upcoming commits.
ok tb@
|
| |
|
|
|
|
|
|
| |
Instead of setting the alert manually in various parse handlers, we can
make use of the fact that tlsext_parse() sets the alert to decode_error
by default. This simplifies the code quite a bit.
ok jsing
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
tls_buffer was original created for a specific use case, namely reading in
length prefixed messages. This adds read and write support, along with a
capacity limit, allowing it to be used in additional use cases.
ok beck@ tb@
|
| |
|
|
|
|
|
| |
We can rely on tlsext_client_parse() to set the alert, so no need to
do this in the error path.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
The main parsing function already checks that the entire extension data
was consumed, so the length checks inside some of the parse handlers are
redundant. They were also not done everywhere, so this makes the parse
handlers more consistent.
Similar diff was sent by jsing a long while back
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Add an early return in the s->internal->hit case so that we can unindent
a lot of this code. In the HRR case, we do not need to check that the list
of supported groups is unmodified from the first CH. The CH extension
hashing already does that for us.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().
Similar checks were introduced in OpenSSL 86a90dc7
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.
ok jsing
|
| |
|
|
|
|
|
|
| |
Change alpn_client_proto_list and alpn_selected from unsigned char *
to uint8_t and change alpn_client_proto_list_len to be a size_t instead
of an unsigned int.
ok jsing
|
| |
|
|
|
|
|
|
| |
The ALPN extension must contain a non-empty list of protocol names.
Split a check of this out of tlsext_alpn_server_parse() so that it
can be reused elsewhere in the library.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
There is no way that tls_buffer_set_data() can currently work in
conjunction with tls_buffer_expand(). This fact is currently hidden by the
way that PHH works, which reads the same data from the record layer (which
it needs to do anyway, since we may not have all of the handshake message
in a single record).
Since this is broken, mop it up and change the PHH callback to not provide
the record data.
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
The existing code updates the correct secret, however then sets it for the
wrong direction. Fix this, while untangling the code and consistenly using
'read' and 'write' rather than 'local' and 'peer'.
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
Ciphers using an MD5 HMAC are not allowed on security levels >= 1 and
using a SHA-1 HMAC is disallowed on security levels >= 4. This disables
RC4-MD5 by default.
ok jsing
|
| |
|
|
|
|
| |
This is required by RFC 9001.
ok tb@
|
| |
|
|
|
|
|
|
| |
struct tls13_ctx already knows about SSL's and this way tls13_ctx_new() can
set up various pointers, rather than duplicating this in
tls13_legacy_accept() and tls13_legacy_connect().
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove duplicate U16 length prefix, since tlsext_build() already adds this
for us. Condition on SSL_is_quic() rather than TLS version - RFC 9001 is
clear that this extension is only permitted on QUIC transport and an
fatal unsupported extension alert is required if used elsewhere.
Additionally, at the point where extensions are parsed, we do not
necessarily know what TLS version has been negotiated.
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.
ok beck@ tb@
|
| |
|
|
|
|
|
| |
Per RFC 9001, TLSEXT_TYPE_quic_transport_parameters may only appear in
ClientHello and EncryptedExtensions (not ServerHello).
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
Use the correct value for TLSEXT_TYPE_quic_transport_parameters according
to RFC 9001 section 8.2. Also move the define under LIBRESSL_HAS_QUIC to
avoid things finding it prematurely.
ok beck@ tb@
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Or should we call it a centipede?
Feedback and OK on a previous version from jsing@
and from our chief myriapodologist, tb@.
|
| |
|
|
|
|
|
|
| |
We do not intend to make this a compile-time option.
Reminded by schwarze who asked about it
ok jsing
|
| |
|
|
|
|
|
| |
This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
| |
|
|
| |
not exposed in the public API.
|
| | |
|
| |
|
|
|
|
|
| |
Contrary to CBS_stow(), CBB_finish() will leak, so ensure we fail if
*out_data is populated.
Discussed with & ok jsing
|
| |
|
|
|
|
| |
Needed for an upcoming diff adding a NULL check to CBB_finish().
ok jsing
|
| |
|
|
|
|
| |
calls.
ok jsing
|
| |
|
|
|
|
|
| |
that are no longer needed now that libcrypto exposes the necessary
security-bits API.
ok jsing
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| | |
|
| | |
|
| | |
|
