| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
There is little to gain by mallocing and freeing the AEAD nonce for each
record - move to an AEAD nonce allocated for the record layer, which
matches what we do for TLSv1.3.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
in particular, this includes new text by Matt Caswell
from OpenSSL commit 721eb8f6 Nov 28 12:03:00 2019 +0000
and corrects a wrong argument type that i introduced into the SYNOPSIS;
requested by tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a servername callback returns SSL_TLSEXT_ERR_ALERT_WARNING, this
results in a fatal error in TLSv1.3 since alert levels are implicit
in the alert type and neither close_notify nor user_canceled make
sense in this context. OpenSSL chose to ignore this, so we need to
follow suit.
Found via a broken servername callback in p5-IO-Socket-SSL which
returns a Boolean instead of SSL_TLSEXT_ERR_*. This happened to
have worked before TLSv1.3 since warning alerts are often ignored.
This "fixes" sni.t and sni-verify.t in p5-IO-Socket-SSL.
ok beck jsing
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
Noted by tb@ during review of a larger change.
|
| | |
|
| |
|
|
|
|
|
|
| |
The code for dtls1_dispatch_alert() and ssl3_dispatch_alert() is largely
identical - with a bit of reshuffling we can use ssl3_dispatch_alert() for
both protocols and remove the ssl_dispatch_alert function pointer.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When DTLS handshake records are received from the next epoch, we will
potentially queue them on the unprocessed_rcds queue - this is usually
a Finished message that has been received without the ChangeCipherSuite
(CCS) message (which may have been dropped or reordered).
After the epoch increments (due to the CCS being received), the current
code processes all records on the unprocessed queue and immediate queues
them on the processed queue, which dtls1_get_record() then pulls from.
This form of processing only adds more complexity and another queue.
Instead, once the epoch increments, pull a single record from the
unprocessed queue and process it, allowing the contents to be consumed
by the caller. We repeat this process until the unprocessed queue is
empty, at which point we go back to consuming messages from the wire.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
Per RFC 6347 section 4.1.2.1, DTLS should silently discard invalid records,
including those that have a bad MAC. When converting to the new record
layer, we inadvertantly switched to standard TLS behaviour, where an
invalid record is fatal. This restores the previous behaviour.
Issue noted by inoguchi@
ok inoguchi@
|
| |
|
|
|
|
|
|
| |
All this code does is read one byte from memory with an unknown length,
potentially being a one byte overread... and then nothing is actually done
with the value.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
| |
The num_ciphers, get_cipher_by_char and put_cipher_by_char function
pointers use the same function for all methods - call ssl3_num_ciphers()
directly, absorb ssl3_get_cipher_by_char() into SSL_CIPHER_find() and
remove the unused ssl3_put_cipher_by_char() code.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds functionality for SSL_get_signature_nid(),
SSL_get_peer_signature_nid(), SSL_get_signature_type_nid() and
SSL_get_peer_signature_type_nid().
This is not currently publicly visible and will be exposed at a later
date.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Move struct ssl_cipher_st, struct ssl_method_st, struct ssl_session_st and
struct ssl3_state_st from public to private headers. These are already
under #ifdef LIBRESSL_INTERNAL and are no longer publicly visible.
ok inoguchi@ tb@
|
| |
|
|
| |
This was inadvertently broken during sigalgs refactoring.
|
| |
|
|
|
|
|
|
| |
This means that we do sigalg selection for all cases, including those
where are are not sending sigalgs. This is needed in order to track our
signature type in legacy cases.
ok tb@
|
| |
|
|
| |
This is needed for upcoming API additions.
|
| |
|
|
| |
Suggested by tb@
|
| |
|
|
| |
Wording provided by tb@
|
| |
|
|
|
|
|
|
| |
Only use the minimum TLS version to when building a signature algorithms
extension for a ClientHello - in all other cases we should be using the
negotiated TLS version.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This simplifies callers, as only the negotiated TLS version needs to be
used here.
Requested by tb@
|
| | |
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Provide an ssl_sigalg_for_peer() function that knows how to figure out
which signature algorithm should be used for a peer provided signature,
performing appropriate validation to ensure that the peer provided value
is suitable for the protocol version and key in use.
In the TLSv1.3 code, this replaces the need for separate calls to lookup
the sigalg from the peer provided value, then perform validation.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Also, rather than passing in a check_curve flag, pass in the SSL * and
handle version checks internally to ssl_sigalg_pkey_ok(), simplifying
the callers.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
In the case of TLSv1.0 and TLSv1.1 there is no signature algorithms
extension and default signature algorithms are used - similar applies to
TLSv1.2 when the signature algorithms extension has been omitted.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
RFC 8446 section 4.1.4 requires that the client ensure the cipher suite
in the TLSv1.3 HelloRetryRequest and subsequent ServerHello is the same.
Reported via GitHub issue #675.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
Per RFC 5246 section 6.2.1, zero-length fragments are only permitted for
application data - reject all others.
Reported via GitHub issue #675.
ok inoguchi@ tb@
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
so it is no longer necessary in to do this by hand in various
places of the code interfacing with the legacy stack.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
During the TLSv1.3 handshake, update the legacy state and call the
info callback at the appropriate moment. This is done by mapping
the TLSv1.3 states to the states in the old state machine whenever
that is possible. The callbacks are called at the beginning and end
of the handshake, and just before the state machine advances.
This should fix a periodic warning in logs of tor relays about a
variable that wasn't set although it should have been.
input/ok jsing, ok inoguchi (early version)
|
| |
|
|
|
|
|
|
|
|
|
| |
Move the sigalg pointer from SSL_HANDSHAKE_TLS13 to SSL_HANDSHAKE, naming
it our_sigalg, adding an equivalent peer_sigalg. Adjust the TLSv1.3 code
that records our signature algorithm. Add code to record the signature
algorithm used by our peer.
Needed for upcoming API additions.
ok tb@
|
| |
|
|
|
|
| |
ssl3_send_client_verify() already has a pointer to the EVP_PKEY for the
certificate - pass this as an argument to the functions that it calls,
rather than duplicating code/variable declarations.
|
| |
|
|
|
|
|
|
|
| |
Rather that passing in a sigalg list at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_from_value() perform the
sigalg list selection itself. This allows the sigalg lists to be made
internal to the sigalgs code.
ok tb@
|
| |
|
|
|
|
|
| |
This makes the code more self-documenting and avoids the ambiguity between
ssl_sigalg the struct and ssl_sigalg the function.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Rather that doing sigalg list selection at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_build() perform the sigalg
list selection itself. This reduces code duplication, simplifies the
calling code and is the first step towards internalising the sigalg lists.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
| |
This matches the order that sigalgs are specified in.
ok tb@
|
| |
|
|
|
|
| |
When converting to TLS flags, we need to also include SSL_OP_NO_TLSv1,
otherwise the TLS equivalent of SSL_OP_NO_DTLSv1 is TLSv1.0 only, which
does not work so well when we try to switch back to DTLS versions.
|
| | |
|
| |
|
|
| |
was removed in t1_lib.c r1.141.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to a type bug that has been present in DTLS since the code was first
committed in 2005, dtls1_get_bitmap() fails to handle next epoch correctly
when the epoch is currently 0xffff (and wraps to zero).
For various reasons unknown, the epoch field in the SSL3_RECORD_INTERNAL
(formerly SSL3_RECORD) was added as unsigned long (even though the value
is an unsigned 16 bit value on the wire, hence cannot exceed 0xffff),
however was added to other code as unsigned short.
Due to integer promotion, the r_epoch value is incremented by one to
become 0x10000, before being cast to an unsigned long and compared to
the value pulled from the DTLS record header (which is zero). Strangely
0x10000 != 0, meaning that we drop the DTLS record, instead of queueing
it for the next epoch.
Fix this issue by using more appropriate types and pulling up the
calculation of the next epoch value for improved readability.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
This allows for regress to test edge cases for epoch handling.
ok tb@
|
| |
|
|
|
|
|
|
| |
Currently these only get correctly initialised when
dtls1_process_buffered_records() is called - while this works it is more
accidental than intentional.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The original DTLS code had some strange alert handling code (basically one
type of alert included extra data) - a few years later this was "fixed",
however the rest of the code was left as is.
This means that rather than sending the alert data from send_alert
(like ssl3_dispatch_alert() does), we have a local buffer on the stack,
which we memset, copy the send_alert bytes into, then send from.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Pass the CBS for the sequence number through, which also allows us to do
more sensible length checks. Also, add a missing length check while here.
ok inoguchi@ tb@
|
