| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When switching to the legacy TLS stack we previously copied any remaining
handshake messages into the receive buffer, but do not include any TLS
record header (largely due to the fact that we've already processed part
of the TLS record that we actually received - that part is placed into the
init_buf). This worked fine with the old record layer implementation,
however the new record layer expects to find the TLS record header.
This means that if we switch from the new stack to the legacy stack (i.e.
the remote side does not support TLSv1.3) and there is more than one
handshake message in the TLS plaintext record (which Microsoft's TLS
stack is known to do), we now read a TLS record of zero bytes instead of
getting the correct length.
Fix this by generating a pseudo-TLS record header when switching from the
new TLS stack to the legacy stack.
Found the hard way by guenther@.
Thanks to tb@ for coming up with a reproducible test case and doing much
of the debugging.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
The d1_{clnt,srvr}.c contain a single function each - merge these into the
ssl_{clnt,srvr}.c, renaming them with an ssl3_ prefix for consistency.
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
DTLSv1 is TLSv1.1 over datagrams - there is no need for a separate
SSL3_ENC_METHOD struct, just use TLSv1_1_enc_data and remove
DTLSv1_enc_data entirely.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.
Requested by tb@
|
| |
|
|
|
|
| |
This removes the need for extra variables and casts.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This improves readability - while here also add a missing return value
check (although it cannot currently fail).
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Currently dtls1_drain_fragments() has a incomplete handrolled version of
dtls1_hm_fragment_free(), which has the potential to leak memory. Replace
the handrolled free with a call to dtls1_hm_fragment_free().
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Allocate into the appropriate structures and call dtls1_free() on failure,
rather than allocating into local variables and then remembering to free
various things on failure.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
Rather than using local variables and having to remember which things need
to be freed upon a failure at a certain point, simply allocate into the
hm_fragment struct and call dtls1_hm_fragment_free() on failure.
Also use calloc() to ensure memory is appropriately zeroed/initialised.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
An upcoming cleanup diff by jsing needs dtls1_clear_queues() to be
able to handle NULL pqueues. While one can easily add a NULL check
to pqueue_pop(), this does not really fit in with the rest of the
code. There are two kinds of while loops in dtls1_clear_queues that
drain pqueues, so add two helper functions with a NULL check each.
ok jsing
|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
Provide a ssl3_release_buffer() function that correctly frees a buffer
and call it from the appropriate locations. While here also change
ssl3_release_{read,write}_buffer() to void since they cannot fail and
no callers check the return value currently.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
| |
because tb@ decided to not enable it before the release.
OK tb@
|
| |
|
|
| |
issue noticed by and patch OK by jsing@
|
| |
|
|
|
| |
because that is both shorter and more precise;
wording suggested by jsing@
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Write documentation from scratch explaining why we don't support 0-RTT
but how we stub it out instead.
Tweaks and OK tb@.
... and beck@ pointed out that this OpenSSL API is akin to adding a
laser sighting system to a giant blackpowder cannon that one keeps
blowing one's own feet to mangled scraps with ...
|
| |
|
|
|
|
|
| |
which is undocumented in OpenSSL but mentioned in passing in one
OpenSSL manual page, and which was recently mentioned by jsing@ when
working on SSL_set_ciphersuites(3).
With corrections from and OK inoguchi@.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.
ok beck jsing
|
| |
|
|
|
|
|
| |
Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.
ok beck jsing
|
| |
|
|
|
|
|
| |
Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.
While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more inituitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.
OK tb@
|
| |
|
|
| |
and update merge notice
|
| |
|
|
|
|
|
|
| |
OpenSSL effectively renamed SSL_get_server_tmp_key() to
SSL_get_peer_tmp_key() and removed the client-side restriction. Prepare
for a matching rename.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.
ok inoguchi@ millert@
|
| |
|
|
|
|
|
| |
and add two other .Xrs that might help readers find their way.
Update the merge notices of all files touched and
merge a few trivial changes from the OpenSSL 1.1.1 branch.
OK tb@
|
| |
|
|
|
|
|
| |
and for SSL_get0_peername(3), which tb@ will soon make available,
from the OpenSSL 1.1.1 branch, which is still under a free license,
deleting parts that do not apply to OpenBSD, and tweaked by me.
Several improvements and OK by tb@.
|
| |
|
|
| |
No functional change.
|
| |
|
|
|
|
|
| |
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.
|
| |
|
|
|
|
| |
is already a comment above it in ssl_lib.c in both OpenSSL and LibreSSL:
/* The old interface to get the same thing as SSL_get_ciphers(). */
Suggested by and OK jsing@.
|
| |
|
|
|
|
|
|
|
| |
CBB_add_bytes() calls CBB_add_space(), which now explicitly zeros memory
to avoid information leaks. However CBB_add_bytes() calls memcpy() for the
same memory region, so the memset() is unnecessary. Avoid this by inlining
part of CBB_add_space() rather than calling it directly.
ok beck@ tb@
|
| |
|
|
|
|
| |
context used by an SSL object, so do not talk about the SSL_CTX
that "an SSL object was created from";
fixing an inaccuracy pointed out by jsing@.
|
| |
|
|
|
|
|
|
|
| |
Split the existing tls12_record_layer_write_mac() function so that we can
soon reuse part of it for the read side.
No functional change.
ok tb@
|
| |
|
|
|
|
|
| |
fails, to match the behaviour of ssl_create_cipher_list(). This also
agrees with the behaviour of SSL_set_ciphersuites(3) in OpenSSL.
Issue found while writing documentation.
OK jsing@
|
| |
|
|
| |
This should be a 'goto err' rather than returning.
|
| |
|
|
|
|
|
|
| |
content there. Clarify when the returned pointers become invalid,
which is far from obvious but sets surprising traps for the user.
For three of the functions, correct statements about when they fail.
Also improve a number of wordings while here.
OK beck@
|
| |
|
|
|
|
|
| |
In particular, figure what the handshake_func should be early on, so we
can just assign later.
ok beck@
|
| |
|
|
|
|
|
| |
Now that get_ssl_method is no longer used, we can garbage collect the
function pointer and some associated machinery.
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.
This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).
The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.
Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.
Issue noticed by sthen@ with nginx and unifi.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.
ok beck@
|
| |
|
|
|
|
|
|
| |
Move assignment to the correct place so that the run continuation condition
actually checks what it is supposed to. Found by getting lucky when running
regress.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
| |
OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.
Note that this is not currently exposed in the headers/exported symbols.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When BIO returns a failure, it does not always add an error to the error
stack. In the case of the legacy stack, this was generally handled by the
guesswork performed by SSL_get_error(). However, in the case of the new
stack we push an 'unknown' error onto the stack.
Improve this situation by specifically checking errno in the case of a
BIO_read() or BIO_write() failure. If the error stack is empty then push
a SYSerror() with the errno which is preferable to the 'unknown' error
later.
Noted by bluhm@ via syslogd regress.
ok beck@ tb@
|
| |
|
|
|
|
| |
The curve_id is a uint16, not an int.
ok beck jsing
|
| |
|
|
|
|
|
| |
Use more descriptive variable names, explain why NID_undef is fine
and simplify the logic.
ok beck jsing
|
