| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
was removed in t1_lib.c r1.141.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to a type bug that has been present in DTLS since the code was first
committed in 2005, dtls1_get_bitmap() fails to handle next epoch correctly
when the epoch is currently 0xffff (and wraps to zero).
For various reasons unknown, the epoch field in the SSL3_RECORD_INTERNAL
(formerly SSL3_RECORD) was added as unsigned long (even though the value
is an unsigned 16 bit value on the wire, hence cannot exceed 0xffff),
however was added to other code as unsigned short.
Due to integer promotion, the r_epoch value is incremented by one to
become 0x10000, before being cast to an unsigned long and compared to
the value pulled from the DTLS record header (which is zero). Strangely
0x10000 != 0, meaning that we drop the DTLS record, instead of queueing
it for the next epoch.
Fix this issue by using more appropriate types and pulling up the
calculation of the next epoch value for improved readability.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
This allows for regress to test edge cases for epoch handling.
ok tb@
|
| |
|
|
|
|
|
|
| |
Currently these only get correctly initialised when
dtls1_process_buffered_records() is called - while this works it is more
accidental than intentional.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The original DTLS code had some strange alert handling code (basically one
type of alert included extra data) - a few years later this was "fixed",
however the rest of the code was left as is.
This means that rather than sending the alert data from send_alert
(like ssl3_dispatch_alert() does), we have a local buffer on the stack,
which we memset, copy the send_alert bytes into, then send from.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Pass the CBS for the sequence number through, which also allows us to do
more sensible length checks. Also, add a missing length check while here.
ok inoguchi@ tb@
|
| |
|
|
| |
With tls_server.c r1.47 this is no longer needed.
|
| | |
|
| |
|
|
|
|
|
| |
This is an alert that was added in TLSv1.3 - we already use it internally,
but did not provide the SSL_AD_* define previously.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Rather than having SSL_AD_* as defines that refer to SSL3_AD_* or
TLS1_AD_*, just give them actual values directly since it is more readable
and the indirection provides no value. Place SSL3_AD_* and TLS1_AD_* under
#ifndef LIBRESSL_INTERNAL to prevent further usage.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After running the preprocessor, this function becomes:
switch (code) {
case 0:
return (0);
case 10:
return (10);
case 20:
return (20);
...
}
Its intended purpose was to prevent SSLv3 alerts being sent from TLS code,
however now that we've removed "no_certificate" from LibreSSL's reach, it
no longer does anything useful.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
The "no_certificate" alert only existed in SSLv3, while the
"decryption_failed" and "export_restriction" alerts were removed in
TLSv1.1.
ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
RFC 5077. Note that session resumption via session tickets is
only for TLSv1.2 and earlier.
prompted by a question by/ok jmc
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Due to hysterical raisins there are three different types of defines for
alerts. SSL3_AD_* are from SSLv3, TLS1_AD_* are from TLSv1.0 onwards and
SSL_AD_* currently map to either an SSL3_AD_* or TLS1_AD_* define.
Currently, all three of these are used in various places - switch to using
just SSL_AD_* values internally, as a first step in cleaning this up.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
SRTP_AEAD_AES_128_GCM/SRTP_AEAD_AES_256_GCM can be used as DTLS-SRTP
protection profiles - seen with an update of telephony/baresip i'm
working on.
adapted from openssl commit 43e5faa2539ae8aae6ef55be2239b9b1a77fea45
ok tb@ jsing@
|
| |
|
|
|
|
| |
Use SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER instead.
ok tb@
|
| |
|
|
|
|
| |
This ensures that diff reports the correct function prototype.
Prompted by tb@
|
| |
|
|
|
|
|
| |
The default alert in the tlsext parsing code is a decode_error, so
there's no need for an error path that only sets that alert.
suggested by/ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
On receiving the first flight from the peer, we do not yet know if
we are using TLSv1.3. In particular, we might get an alert record
with record version 0x0300 from a pre-TLSv1.2 peer in response to
our client hello. Ignore the record version instead of sending a
protocol version alert in that situtation. This may also be hit
when talking to a LibreSSL 3.3 server with an illegal SNI.
Part of an issue reported by danj.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
As soon as we know that we're dealing with a TLSv1.3 client, set
the legacy version in the record layer to 0x0303 so that we send
alerts with the correct record version. Previously we would send
early alerts with a record version of 0x0300.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
According to RFC 8422, we must send an illegal_parameter alert on
receiving an ECPF extension that doesn't include the uncompressed
format, not a decode_error.
Reported via GitHub issue #675.
ok jsing
|
| |
|
|
|
|
|
|
| |
In libssl.pc, Libs: should not have '-lcrypto', and Requires.private:
should have it as 'libcrypto'.
openssl.pc does not need Libs: and Cflags:, but should have Requires:.
OK millert@
|
| |
|
|
|
|
|
|
| |
The information contained in SSL_AEAD_CTX really belongs in the
tls12_record_protection struct. Absorb SSL_AEAD_CTX, using more appropriate
types in the process.
ok tb@
|
| |
|
|
|
|
|
|
| |
In tls12_record_protection_clear(), rather than zeroing or NULLing
individual fields once a pointer has been freed, zero the entire struct once
the pointers have been dealt with.
ok tb@
|
| |
|
|
|
| |
While the implementation needs tls13_internal.h, consumers of
tls13_record.h should not.
|
| | |
|
| |
|
|
|
| |
Consistently include local headers in the same location, using the same
grouping/sorting across all files.
|
| |
|
|
|
|
|
|
| |
Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.
ok inoguchi@ tb@
|
| | |
|
| | |
|
| |
|
|
|
| |
Forward declare struct sigalg in ssl_locl.h and avoid including
ssl_sigalgs.h. Explicitly include ssl_sigalgs.h where it is needed.
|
| |
|
|
|
| |
The bytestring APIs are self contained, hence including openssl headers
here is unnecessary.
|
| |
|
|
|
|
| |
Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Based on the OpenSSL 1.1.1 manual written by Rich Salz with a healthy
dose of improvements by schwarze.
ok schwarze
|
| | |
|
| | |
|
| |
|
|
|
|
| |
and a few other structs in libssl opaque.
from/ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
For TLSv1.2 a single key block is generated, then partitioned into
individual secrets for use as IVs and keys. The previous implementation
splits this across two functions tls1_setup_key_block() and
tls1_change_cipher_state(), which means that the IV and key sizes have to
be known in multiple places.
This implementation generates and partitions the key block in a single
step, meaning that the secrets are then simply handed out when requested.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
After jsing's recent commits, SSL3_CC_{READ,WRITE,CLIENT,SERVER}
and the derived SSL3_CHANGE_CIPHER_{CLIENT,SERVER}_{READ,WRITE}
are no longer used by LibreSSL and should never be used again.
discussed with jsing
|
