path: root/src/lib/libssl
Commit message (author, date, files changed, lines removed/added)
...
* Move the TLSv1.3 handshake struct inside the shared handshake struct. (jsing, 2021-03-21, 9 files, -226/+227)
  There are currently three different handshake structs that are in use - the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct (as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous 'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp).
  This is the first step towards cleaning up the handshake structs so that shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2 and TLSv1.3 specific information.
  Place SSL_HANDSHAKE_TLS13 inside SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code to access the shared handshake data without needing the SSL struct.
  ok inoguchi@ tb@

* Split TLSv1.3 record protection from record layer. (jsing, 2021-03-21, 1 file, -46/+72)
  This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code.
  ok inoguchi@ tb@

* Avoid a use-after-scope in tls13_cert_add(). (jsing, 2021-03-21, 1 file, -4/+3)
  A parent CBB retains a reference to a child CBB until CBB_flush() or CBB_cleanup() is called. As such, the cert_exts CBB must be at function scope.
  Reported by Ilya Shipitsin.
  ok tb@

* Prepare documenting SSL_use_certificate_chain_file (tb, 2021-03-19, 1 file, -2/+19)

* Undo previous. As pointed out by jsing I clearly wasn't fully awake... (tb, 2021-03-19, 1 file, -2/+2)

* Prepare to provide SSL_use_certificate_chain_file() (tb, 2021-03-19, 2 files, -15/+40)
  This is the same as SSL_CTX_use_certificate_chain_file() but for an SSL object instead of an SSL_CTX object. remi found this in a recent librelp update, so we need to provide it. The function will be exposed in an upcoming library bump.
  ok inoguchi on an earlier version, input/ok jsing

* fix whitespace nit in previous (tb, 2021-03-17, 1 file, -2/+2)

* Enable DTLSv1.2. (jsing, 2021-03-17, 1 file, -1/+5)
  This means that the DTLS_method() will now use DTLSv1.2 rather than DTLSv1. Additional DTLSv1.2 related symbols and defines will be made publicly visible in the near future.
  ok inoguchi@ tb@

* Add support for DTLSv1.2 version handling. (jsing, 2021-03-17, 1 file, -45/+117)
  This teaches the version functions that handle protocol versions about DTLSv1.2 and the SSL_OP_NO_DTLS* options. We effectively convert between DTLS and TLS protocol versions where necessary.
  ok inoguchi@ tb@

* Remove ssl_downgrade_max_version(). (jsing, 2021-03-11, 5 files, -54/+15)
  Now that we store our maximum TLS version at the start of the handshake, we can check against that directly.
  ok inoguchi@ tb@

* Guard TLS1_get_{client_,}version() macros with #ifndef LIBRESSL_INTERNAL. (jsing, 2021-03-10, 1 file, -1/+3)
  These are no longer used (and should not be used) internally.

* Improve internal version handling. (jsing, 2021-03-10, 9 files, -108/+145)
  Add handshake fields for our minimum TLS version, our maximum TLS version and the TLS version negotiated during the handshake. Initialise our min/max versions at the start of the handshake and leave these unchanged. The negotiated TLS version is set in the client once we receive the ServerHello and in the server at the point we select the highest shared version.
  Provide an ssl_effective_version() function that returns the negotiated TLS version if known, otherwise our maximum TLS version - this is effectively what is stored in s->version currently.
  Convert most of the internal code to use one of these three version fields, which greatly simplifies code (especially in the TLS extension handling code).
  ok tb@

* Separate variable declaration and assignment. (jsing, 2021-03-02, 1 file, -2/+4)
  Requested by tb@

* Replace two handrolled tls12_record_protection_engaged(). (jsing, 2021-03-02, 1 file, -3/+3)
  Noted by tb@

* Move key/IV length checks closer to usage sites. (jsing, 2021-03-02, 1 file, -5/+11)
  Also add explicit checks against EVP_CIPHER_iv_length() and EVP_CIPHER_key_length().
  Requested by tb@ during review.
  ok tb@

* Add tls12_record_protection_unused() and call from CCS functions. (jsing, 2021-03-02, 1 file, -8/+17)
  This moves the check closer to where a leak could occur and checks all pointers in the struct.
  Suggested by tb@ during review.
  ok tb@

* Fix misleading indentation in SSL_get_error() (tb, 2021-03-02, 1 file, -2/+2)

* Move handling of cipher/hash based cipher suites into the new record layer. (jsing, 2021-02-27, 5 files, -200/+141)
  ok tb@

* Identify DTLS based on the version major value. (jsing, 2021-02-27, 1 file, -2/+2)
  This avoids the need to match specific DTLS version numbers.

* Only use TLS versions internally (rather than both TLS and DTLS versions). (jsing, 2021-02-25, 9 files, -128/+132)
  DTLS protocol version numbers are the 1's complement of human readable TLS version numbers, which means that newer versions decrease in value and there is no direct mapping between TLS protocol version numbers and DTLS protocol version numbers. Rather than having to deal with this internally, only use TLS versions internally and map between DTLS and TLS protocol versions when necessary.
  Rename functions and variables to use 'tls_version' when they contain a TLS version (and never a DTLS version).
  ok tb@
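The mapping the two commits above describe, shown as an added example in C that is not LibreSSL code: the DTLS wire value is the 1's complement of the human-readable version (1.0 becomes 254.255 per RFC 4347, 1.2 becomes 254.253 per RFC 6347), so comparing raw wire values orders DTLS versions backwards. The example recognises DTLS by its major byte, converts to TLS versions with a table rather than arithmetic, and compares only TLS numbers. The function names, including wire_to_tls_version(), are this example's own; only the version constants are the real wire values.

```c
#include <stdint.h>
#include <stdio.h>

/* Wire values from the RFCs: TLS (RFC 5246 et al.) and DTLS (RFC 4347, RFC 6347). */
#define TLS1_VERSION    0x0301
#define TLS1_1_VERSION  0x0302
#define TLS1_2_VERSION  0x0303
#define TLS1_3_VERSION  0x0304
#define DTLS1_VERSION   0xFEFF  /* 254.255: DTLS 1.0, based on TLS 1.1 */
#define DTLS1_2_VERSION 0xFEFD  /* 254.253: DTLS 1.2, based on TLS 1.2 */

/*
 * The DTLS wire value is the 1's complement of the human-readable version
 * (1.0 -> 254.255, 1.2 -> 254.253), so a newer DTLS version has a smaller
 * number. Included only to make the commit's statement concrete.
 */
static uint16_t
dtls_version_from_human(uint8_t major, uint8_t minor)
{
	return (uint16_t)(((~major & 0xff) << 8) | (~minor & 0xff));
}

/* Recognise DTLS by the major byte rather than by matching each known value. */
static int
version_is_dtls(uint16_t wire_version)
{
	return (wire_version >> 8) == 0xfe;
}

/* Table-driven mapping to the TLS version DTLS is based on; 0 for unknown input. */
static uint16_t
dtls_to_tls_version(uint16_t dtls_version)
{
	switch (dtls_version) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

/* Inverse mapping; TLS 1.0 and TLS 1.3 have no DTLS counterpart here. */
static uint16_t
tls_to_dtls_version(uint16_t tls_version)
{
	switch (tls_version) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;
	}
}

/* Normalise a wire version to a TLS version so the rest of the code only compares TLS numbers. */
static uint16_t
wire_to_tls_version(uint16_t wire_version)
{
	if (version_is_dtls(wire_version))
		return dtls_to_tls_version(wire_version);
	return wire_version;
}

/* Comparing raw wire values orders DTLS backwards: 0xFEFF > 0xFEFD, yet DTLS 1.0 is older. */
static int
naive_is_newer(uint16_t a, uint16_t b)
{
	return a > b;
}

/* Comparing after normalisation gives the intended order; unknown versions map to 0. */
static int
tls_is_newer(uint16_t a, uint16_t b)
{
	return wire_to_tls_version(a) > wire_to_tls_version(b);
}

int
main(void)
{
	printf("DTLS 1.2 wire value: 0x%04x\n", dtls_version_from_human(1, 2));
	printf("raw compare, DTLS1.0 newer than DTLS1.2: %d\n",
	    naive_is_newer(DTLS1_VERSION, DTLS1_2_VERSION));
	printf("mapped compare, DTLS1.0 newer than DTLS1.2: %d\n",
	    tls_is_newer(DTLS1_VERSION, DTLS1_2_VERSION));
	return 0;
}
```

The switch statements are deliberate: there is no arithmetic relation between 0xFEFF/0xFEFD and 0x0302/0x0303, so any formula would silently produce a wrong mapping for a version it was not written for, whereas the table returns 0 and the caller can reject it.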
* Fix bizarre punctuation and capitalization in a comment. (tb, 2021-02-22, 1 file, -2/+2)

* Simplify version checks in the TLSv1.3 client (tb, 2021-02-22, 1 file, -22/+10)
  Ensure that the server announced TLSv1.3 (and nothing higher) in the supported_versions extension. In that case, the legacy_version must be TLSv1.2 according to RFC 8446, 4.1.3 and 4.2.1.
  This commit also removes some unreachable code which is a remnant of very early TLSv1.3 code from before the legacy fallback was introduced.
  Simplify a few checks and adjust some comments nearby.
  ok jsing
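An added example in C, not LibreSSL's code, covering both the version bookkeeping from the "Improve internal version handling" commit above and the TLSv1.3 client check from this one: a struct holding our minimum, maximum and negotiated TLS version, an effective-version helper that falls back to our maximum until negotiation completes, a server-side selection of the highest shared version, and a client-side check that a TLSv1.3 ServerHello carries exactly TLS 1.3 in supported_versions and TLS 1.2 as legacy_version (RFC 8446 4.1.3 and 4.2.1). The struct and function names are assumptions made for this example; effective_version() follows the behaviour the commit describes for ssl_effective_version() but is not that function.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* Hypothetical handshake fields: the three versions the commit describes, all TLS versions. */
struct hs_versions {
	uint16_t our_min_tls_version;    /* fixed at handshake start */
	uint16_t our_max_tls_version;    /* fixed at handshake start */
	uint16_t negotiated_tls_version; /* 0 until known */
};

static void
hs_versions_init(struct hs_versions *hs, uint16_t min, uint16_t max)
{
	hs->our_min_tls_version = min;
	hs->our_max_tls_version = max;
	hs->negotiated_tls_version = 0;
}

/* Negotiated version once known, otherwise our maximum. */
static uint16_t
effective_version(const struct hs_versions *hs)
{
	if (hs->negotiated_tls_version != 0)
		return hs->negotiated_tls_version;
	return hs->our_max_tls_version;
}

static int
version_in_range(const struct hs_versions *hs, uint16_t v)
{
	return v >= hs->our_min_tls_version && v <= hs->our_max_tls_version;
}

/*
 * Server: select the highest version the peer offered that lies within our
 * range, record it as negotiated and return it; 0 means no shared version.
 */
static uint16_t
server_select_version(struct hs_versions *hs, const uint16_t *peer, size_t n)
{
	uint16_t best = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		if (version_in_range(hs, peer[i]) && peer[i] > best)
			best = peer[i];
	}
	if (best != 0)
		hs->negotiated_tls_version = best;
	return best;
}

/*
 * TLSv1.3 client, for a ServerHello that carries supported_versions: the
 * selected version must be exactly TLS 1.3 (nothing higher), and then
 * legacy_version must be TLS 1.2 (RFC 8446 4.1.3 and 4.2.1). Records the
 * negotiated version and returns 1 on success, 0 on failure.
 */
static int
client_check_tls13_server_hello(struct hs_versions *hs, uint16_t legacy_version,
    uint16_t selected_version)
{
	if (selected_version != TLS1_3_VERSION)
		return 0;
	if (legacy_version != TLS1_2_VERSION)
		return 0;
	if (!version_in_range(hs, TLS1_3_VERSION))
		return 0;
	hs->negotiated_tls_version = TLS1_3_VERSION;
	return 1;
}

int
main(void)
{
	struct hs_versions hs;
	/* Constructed client offer, newest first. */
	uint16_t offered[] = { TLS1_3_VERSION, TLS1_2_VERSION, TLS1_VERSION };

	hs_versions_init(&hs, TLS1_1_VERSION, TLS1_2_VERSION);
	printf("before selection, effective version 0x%04x\n", effective_version(&hs));
	printf("server selected 0x%04x\n",
	    server_select_version(&hs, offered, sizeof(offered) / sizeof(offered[0])));
	return 0;
}
```

Keeping min and max immutable after initialisation is what lets the negotiated field carry all the state that changes; a caller that wants the "current" version asks effective_version() and never has to know whether the handshake has reached the ServerHello yet.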
* Factor out/change some of the legacy client version handling code. (jsing, 2021-02-22, 3 files, -12/+36)
  This consolidates the version handling code and will make upcoming changes easier.
  ok tb@

* ugly whitespace (tb, 2021-02-20, 2 files, -14/+14)

* Rename f_err into fatal_err. (tb, 2021-02-20, 7 files, -183/+183)
  discussed with jsing

* Rename the truncated label into decode_err. This describes its purpose (tb, 2021-02-20, 2 files, -73/+73)
  better and doesn't look odd if there's trailing data for example. Indent a few labels in the neighborhood while there.
  ok jsing

* Return a min/max version of zero if set to zero. (jsing, 2021-02-20, 3 files, -17/+41)
  OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero if the minimum or maximum has been set to zero (which means the minimum or maximum version supported by the method). Previously we returned the minimum or maximum version supported by the method, instead of zero. Match OpenSSL's behaviour by using shadow variables.
  Discussed with tb@

* Add DTLSv1.2 methods. (jsing, 2021-02-20, 2 files, -3/+159)
  These are currently guarded by LIBRESSL_HAS_DTLS1_2 and LIBRESSL_INTERNAL.
  ok tb@

* Handle DTLS1_2_VERSION in various places. (jsing, 2021-02-20, 3 files, -6/+9)
  ok tb@

* Revise HelloVerifyRequest handling for DTLSv1.2. (jsing, 2021-02-20, 2 files, -4/+14)
  Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always contain DTLSv1.0 - ensure this is the case on the server side, allow both DTLSv1.0 and DTLSv1.2 on the client.
  ok tb@

* Group HelloVerifyRequest decoding and add missing check for trailing data. (jsing, 2021-02-20, 1 file, -4/+5)
  ok tb@
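An added example in C, not LibreSSL code, of the HelloVerifyRequest handling the two commits above describe: the server always writes DTLSv1.0 (254.255) into server_version per RFC 6347 section 4.2.1 regardless of the version being negotiated, the client accepts either DTLSv1.0 or DTLSv1.2 there, and any bytes left after the cookie are a decode error. The message layout (2-byte server_version, 1-byte cookie length, cookie) is from RFC 6347; the bounded reader is a small stand-in written for this example and is not the library's CBS API, and the sample messages in main() and the test are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DTLS1_VERSION   0xFEFF
#define DTLS1_2_VERSION 0xFEFD

/* Minimal bounded reader written for this example (a stand-in, not the real CBS). */
struct cbs {
	const uint8_t *data;
	size_t len;
};

static int
cbs_get_u8(struct cbs *cbs, uint8_t *out)
{
	if (cbs->len < 1)
		return 0;
	*out = cbs->data[0];
	cbs->data += 1;
	cbs->len -= 1;
	return 1;
}

static int
cbs_get_u16(struct cbs *cbs, uint16_t *out)
{
	if (cbs->len < 2)
		return 0;
	*out = (uint16_t)((cbs->data[0] << 8) | cbs->data[1]);
	cbs->data += 2;
	cbs->len -= 2;
	return 1;
}

static int
cbs_get_bytes(struct cbs *cbs, const uint8_t **out, size_t n)
{
	if (cbs->len < n)
		return 0;
	*out = cbs->data;
	cbs->data += n;
	cbs->len -= n;
	return 1;
}

enum hvr_result { HVR_OK = 0, HVR_DECODE_ERR = 1, HVR_VERSION_ERR = 2 };

/*
 * Client side: decode a HelloVerifyRequest body, server_version(2) followed by
 * cookie<0..255>. The whole message is decoded first, with trailing data
 * rejected, and only then is server_version checked, so a malformed message
 * is always reported as a decode error rather than a version error.
 */
static enum hvr_result
dtls_decode_hello_verify_request(const uint8_t *buf, size_t len,
    const uint8_t **cookie, size_t *cookie_len)
{
	struct cbs cbs = { buf, len };
	uint16_t server_version;
	uint8_t clen;

	if (!cbs_get_u16(&cbs, &server_version))
		return HVR_DECODE_ERR;
	if (!cbs_get_u8(&cbs, &clen))
		return HVR_DECODE_ERR;
	if (!cbs_get_bytes(&cbs, cookie, clen))
		return HVR_DECODE_ERR;
	if (cbs.len != 0)
		return HVR_DECODE_ERR; /* trailing data */
	*cookie_len = clen;

	/* RFC 6347 4.2.1 says DTLSv1.0; a DTLSv1.2 value is tolerated on the client. */
	if (server_version != DTLS1_VERSION && server_version != DTLS1_2_VERSION)
		return HVR_VERSION_ERR;
	return HVR_OK;
}

/* Server side: always emit DTLSv1.0 in server_version. Returns bytes written, or 0 on error. */
static size_t
dtls_encode_hello_verify_request(const uint8_t *cookie, size_t cookie_len,
    uint8_t *out, size_t out_len)
{
	if (cookie_len > 255 || out_len < 3 + cookie_len)
		return 0;
	out[0] = DTLS1_VERSION >> 8;
	out[1] = DTLS1_VERSION & 0xff;
	out[2] = (uint8_t)cookie_len;
	memcpy(out + 3, cookie, cookie_len);
	return 3 + cookie_len;
}

int
main(void)
{
	/* Constructed sample cookie, not captured traffic. */
	const uint8_t cookie_in[] = { 0xde, 0xad, 0xbe, 0xef };
	uint8_t msg[16];
	const uint8_t *cookie;
	size_t cookie_len, msg_len;

	msg_len = dtls_encode_hello_verify_request(cookie_in, sizeof(cookie_in), msg, sizeof(msg));
	printf("encoded %zu bytes, server_version 0x%02x%02x\n", msg_len, msg[0], msg[1]);
	printf("decode result %d, cookie length %zu\n",
	    dtls_decode_hello_verify_request(msg, msg_len, &cookie, &cookie_len), cookie_len);
	return 0;
}
```

The trailing-data check is the one the second commit adds: without it a message with extra bytes after the cookie decodes as valid, and an implementation that later computes anything over "the rest of the message" is working on data the peer controls and the parser never accounted for.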
* Add various public DTLS related defines. (jsing, 2021-02-20, 2 files, -2/+14)
  These are currently guarded by LIBRESSL_HAS_DTLS1_2 and LIBRESSL_INTERNAL.
  ok tb@

* Clean up/simplify dtls1_get_cipher(). (jsing, 2021-02-20, 1 file, -7/+8)
  ok tb@

* Remove bogus DTLS checks to disable ECC and OCSP. (jsing, 2021-02-08, 2 files, -10/+3)
  ECC and OCSP can be used with DTLS, so remove bogus checks that currently prevent it. These are long lasting remnants from the original OpenSSL code.
  ok tb@

* Enforce read ahead with DTLS. (jsing, 2021-02-08, 1 file, -5/+5)
  DTLS is largely broken/useless without read ahead being enabled, so enforce it for DTLS. This behaviour matches both our documentation and OpenSSL.
  ok tb@

* Use dtls1_retrieve_buffered_record() to load buffered application data. (jsing, 2021-02-08, 1 file, -11/+3)
  Replace the current copy of dtls1_retrieve_buffered_record() with a call to it instead.
  ok tb@

* Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md(). (jsing, 2021-02-07, 4 files, -22/+19)
  The mess that is ssl_get_algorithm2() only exists to upgrade the handshake MAC of a pre-TLSv1.2 cipher suite to SHA256 when used with TLSv1.2. We can readily do this in ssl_get_handshake_evp_md(), which is far more readable.
  ok tb@

* Correct handshake MAC/PRF for various TLSv1.2 cipher suites. (jsing, 2021-02-07, 1 file, -8/+8)
  For some reason various TLSv1.2 cipher suites were added with the default handshake MAC and PRF, rather than the SHA256 handshake MAC and PRF. This gets patched up in ssl3_get_algorithm2(), hence goes unnoticed.
  ok tb@

* Factor out the legacy stack version checks. (jsing, 2021-02-07, 4 files, -28/+24)
  Also check for explicit version numbers, rather than just the major version value.
  ok tb@

* Fail early in legacy exporter if master secret is not available (tb, 2021-02-03, 1 file, -1/+6)
  The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) nor that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared.
  This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
  with/ok jsing

* missing word in comment (tb, 2021-01-30, 1 file, -3/+3)

* Remove direct assignment of aead_ctx. (jsing, 2021-01-28, 1 file, -13/+7)
  Now that AEAD is handled internally, we should no longer be assigning aead_ctx directly, as this will result in a leak.
  Missed during the previous change.

* Move AEAD handling into the new TLSv1.2 record layer. (jsing, 2021-01-28, 4 files, -134/+102)
  ok tb@

* Link SSL_get_finished.3 to build. (tb, 2021-01-27, 1 file, -1/+2)

* Write SSL_get_finished() documentation from scratch. (tb, 2021-01-27, 1 file, -0/+77)
  ok beck

* Merge SSL_set_hostflags documentation from OpenSSL 1.1.1i and (tb, 2021-01-27, 1 file, -3/+20)
  add HISTORY section. This is currently ignored input next to SSL_get0_peername() and will be unignored once the symbols are made publicly visible in libssl.

* Rewrap a comment line to fit into 80 columns. (tb, 2021-01-26, 1 file, -3/+3)

* zap a tab (tb, 2021-01-26, 1 file, -2/+2)

* Prepare to provide SSL_set_hostflags() (tb, 2021-01-26, 2 files, -2/+9)
  Yet another one of these X509_VERIFY_PARAM reacharounds into libcrypto. Recently found in imapfilter, also used elsewhere.
  Will be made publicly visible with the next minor bump.
  ok jsing

* Move sequence numbers into the new TLSv1.2 record layer. (jsing, 2021-01-26, 7 files, -84/+38)
  This allows for all of the DTLS sequence number save/restore code to be removed.
  ok inoguchi@ "whee!" tb@