summaryrefslogtreecommitdiff
path: root/src/lib/libssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Defer sigalgs selection until the certificate is known.jsing2019-03-259-48/+124
| | | | | | | | | | | | | Previously the signature algorithm was selected when the TLS extension was parsed (or the client received a certificate request), however the actual certificate to be used is not known at this stage. This leads to various problems, including the selection of a signature algorithm that cannot be used with the certificate key size (as found by jeremy@ via ruby regress). Instead, store the signature algorithms list and only select a signature algorithm when we're ready to do signature generation. Joint work with beck@.
* Rework ssl_ctx_use_certificate_chain_bio() to use the CERT_PKEY chain.jsing2019-03-251-46/+26
| | | | | | | | | | This means that any additional CA certificates end up on the per certificate chain, rather than the single/shared extra_certs. Also simplify this code and in particular, avoid setting the return value to indicate success until we've actually succeeded. ok beck@ tb@
* Remove ssl_get_server_send_cert() which is now unused.jsing2019-03-252-14/+2
| | | | ok beck@ tb@
* Rework ssl3_output_cert_chain() to take a CERT_PKEY and consider chains.jsing2019-03-254-40/+36
| | | | | | | | | | We will now include the certificates in the chain in the certificate list, or use the existing extra_certs if present. Failing that we fall back to the automatic chain building if not disabled. This also simplifies the code significantly. ok beck@ tb@
* Add a chain member to CERT_PKEY and provide functions for manipulating it.jsing2019-03-252-3/+74
| | | | | | | | | Note that this is not the full chain, as the leaf certificate currently remains in the x509 member of CERT_PKEY. Unfortunately we've got to contend with the fact that some OpenSSL *_chain_* APIs exclude the leaf certificate while others include it... ok beck@ tb@
* If ssl_cipher_apply_rule() is given a specific cipher suite, match on it.jsing2019-03-241-3/+4
| | | | | | | | | | Otherwise matching a specific cipher is performed by matching against its characteristics, which can result in multiple rather than a single match. Found by bluhm@'s regress tests. ok bluhm@ tb@
* do not call assert(), which has a tendency to leave traces of stuff inderaadt2019-03-241-2/+3
| | | | | | corefiles. Instead call OPENSSL_assert(), which has recently been trained to do this in a safer (if more awkward to debug) way. discussed with jsing and beck a while back
* Avoid an internal 2 byte overread in ssl_sigalgs().jsing2019-03-191-7/+2
| | | | | | Found by oss-fuzz, fixes issue #13797. ok beck@ tb@
* Revert TLS1_get{,_client}_version simplification because DTLS.jsing2019-03-194-14/+15
|
* * note that the handshake must be completed firstschwarze2019-03-181-4/+15
| | | | | | | * correct the description of "unknown" (the previous are both from OpenSSL 1.1.1, still under a free license) * add a comment saying that TLS1_get_version() and TLS1_get_client_version() are intentionally undocumented (reasons provided by jsing@)
* In ssl.h rev. 1.165, tb@ provided version agnostic DTLS methods.schwarze2019-03-181-3/+26
| | | | Document them.
* bump minors after symbol additiontb2019-03-171-1/+1
|
* Provide version agnostic DTLS methods.jsing2019-03-173-2/+27
| | | | ok tb@
* Correct return value handling in tls13_handshake_recv_action().jsing2019-03-171-2/+4
| | | | | | | | The recv action handler returns success/failure, rather than a TLS13_IO_* value, which is what tls13_handshake_recv_action() needs to return. Failure previously mapped to TLS13_IO_EOF, which is not ideal. ok tb@
* Partially clean up the TLS1_get_{,client}_version macros.jsing2019-03-174-15/+14
| | | | | | | | | LibreSSL only supports TLSv1.0 and above, hence the checks the macros are performing are useless. Simplify them to their effective code. Also place both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our code, which improves readability. ok tb@
* Remove the alert level from the TLSv1.3 alert callback.jsing2019-03-173-7/+6
| | | | | | | | In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback. ok tb@
* Don't index a void pointer, fixes compilation with visual studio.millert2019-03-041-2/+3
| | | | | Gcc/clang will treat void * as char * but this is non-standard. OK deraadt@ jsing@ inoguchi@
* Implement non-SSL_MODE_ENABLE_PARTIAL_WRITE in tls13_legacy_write_bytes().jsing2019-02-281-3/+34
| | | | | | | In non-SSL_MODE_ENABLE_PARTIAL_WRITE mode we have to write out all the things and only return success once all of the data has been sent. ok inoguchi@ tb@
* Automatically complete the handshake from tls13_legacy_{read,write}_bytes()jsing2019-02-283-3/+17
| | | | | | | | | | | | | | If the TLS handshake has not been completed, automatically complete the handshake as part of the read/write call, implementing the current SSL_read()/SSL_write() behaviour. Once the TLS handshake is completed we push a WANT_POLLIN or WANT_POLLOUT back up to the caller, since some applications appear to incorrectly call SSL_read() or SSL_write(), rather than repeating the previous call. This can lead to attempts to read data that does not exist, since the WANT_POLLIN was actually triggered as part of the handshake. ok inoguchi@ tb@
* Set the SSL state as part of tls13_legacy_connect().jsing2019-02-281-2/+5
| | | | | | | | Set the SSL state to SSL_ST_CONNECT during the TLSv1.3 handshake and to SSL_ST_OK once the handshake completes, since some applications currently rely on this information to function correctly. ok inoguchi@ tb@
* Add appropriate length checks to tls13_legacy_{read,write}_bytes()jsing2019-02-281-3/+9
| | | | ok inoguchi@ tb@
* Remove unused record_type from TLSv1.3 handshake actions.jsing2019-02-281-16/+1
| | | | ok tb@
* Correct return values for non-fatal alerts.jsing2019-02-261-3/+3
| | | | | | | | | In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing. ok tb@
* Correctly propagate EOF from BIO in tls13_legacy_wire_read().jsing2019-02-261-1/+3
| | | | ok tb@
* Fix gcc3 compilation error by using a forward declaration instead of atb2019-02-251-3/+3
| | | | | | repeated typedef. Found the hard way by aoyama who also tested the fix. ok jsing
* revert "Move struct ssl_handshake_tls13_st definition", i.e., movetb2019-02-252-24/+26
| | | | | | SSL_HANDSHAKE_TLS13 back to ssl_locl.h. discussed with jsing and inoguchi
* Correctly handle oversize writes.jsing2019-02-251-2/+4
| | | | | | | | | | | | If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write. This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer. ok inoguchi@ tb@
* Add a handshake action sent handler and use it for client finished.jsing2019-02-253-11/+22
| | | | | | | | | | The write traffic key needs to be changed to the client application traffic key after the client finished message has been sent. The send handler generates the client finished message, however we cannot switch keys at this stage since the client finished message has not yet been protected by the record layer. ok tb@
* Correct a few error returns.jsing2019-02-251-4/+4
|
* Move struct ssl_handshake_tls13_st definitioninoguchi2019-02-252-26/+24
| | | | | | This solves build error on luna88k with gcc3. ok aoyama@ jca@ jsing@ tb@
* Remove temporary gotos.jsing2019-02-231-7/+3
| | | | | | | | | In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer. ok beck@ tb@
* Set BIO retry on TLS13_IO_WANT_POLLIN/TLS13_IO_WANT_POLLOUT.jsing2019-02-231-1/+3
| | | | | | | | | | | In most cases a TLS13_IO_WANT_POLLIN or TLS13_IO_WANT_POLLOUT will have bubbled up from the wire callbacks, in which case the BIO retry flag will already be set. However, if we return TLS13_IO_WANT_POLLIN or TLS13_IO_WANT_POLLOUT from a higher layer the BIO retry flag will not be set and that will cause SSL_get_error() to return SSL_ERROR_SYSCALL rather than the intended SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. ok beck@ tb@
* Wire up alert handling for TLSv1.3.jsing2019-02-212-9/+78
| | | | | | | | | In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour. ok tb@
* Change the alert callback return type from int to void.jsing2019-02-212-9/+11
| | | | | | | | There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1. ok tb@
* Fix a few cases where int was used instead of ssize_t.jsing2019-02-211-3/+3
|
* Correct guards.jsing2019-02-141-3/+3
|
* Notify the record layer upon handshake completion.jsing2019-02-141-2/+4
| | | | ok tb@
* Switch to application traffic keys as appropriate.jsing2019-02-141-1/+17
| | | | | | | | | Switch the read traffic key to the server application traffic key once the server finished message has been processed. Switch the write traffic key to the client application traffic key after sending the client finished message. ok tb@
* Split tls13_record_layer_set_traffic_keys() into two separate functions.jsing2019-02-143-17/+23
| | | | | | | | | This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake. ok tb@
* Provide a TLS 1.3 capable client method.jsing2019-02-143-5/+50
| | | | ok tb@
* Clean up some pesky trailing whitespace.jsing2019-02-131-10/+10
|
* Handle finished messages in TLSv1.3 client.jsing2019-02-132-14/+131
| | | | | | | This adds support for processing of the server finished message and generation of the client finished message. ok tb@
* Implement handling of Certificate and CertificateVerify messages.jsing2019-02-112-31/+214
| | | | | | | This allows the TLS 1.3 client to process the certificates that the server has sent and verify that the server has possession of the private key. ok tb@
* "non-existant" is one of those words that don't exist, so use "non-existent"phessler2019-02-101-2/+2
| | | | | | | instead From Pamela Mosiejczuk, many thanks! OK phessler@ deraadt@
* Preserve the transcript hash at specific stages of the TLSv1.3 handshake.jsing2019-02-102-2/+16
| | | | | | | | | There are various points where we need the hash of all messages prior to the current message. Support this by having the handshake code preserve the transcript hash prior to recording the current message, which avoids the need to sprinkle this throughout multiple handlers. ok inoguchi@ tb@
* Rename the file that contains the transcript handling code.jsing2019-02-092-3/+3
| | | | ok inoguchi@ tb@
* Rename tls1_handshake_hash*() to tls1_transcript_hash*().jsing2019-02-097-29/+29
| | | | | | | | | While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches. ok inoguchi@ tb@
* Provide a reference from the TLSv1.3 context to the handshake state.jsing2019-02-092-19/+25
| | | | | | | This allows ctx->hs to be used throughout the TLSv1.3 code, rather than S3I(ctx->ssl)->hs_tls13. ok inoguchi@ tb@
* Implement processing of EncryptedExtensions in the TLS 1.3 client.jsing2019-02-072-8/+28
| | | | ok bcook@ tb@
* Implement parsing and processing of TLSv1.3 ServerHello messages.jsing2019-02-043-11/+187
| | | | ok tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-22 01:52:21 +0000