| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
sending back illegal parameter if our phh key share request type
is not 0 or 1.
ok jsing@ tb@
|
| |
|
|
| |
ok tb@ jsing@
|
| |
|
|
| |
conflict against a potential define min() from some other scope.
|
| |
|
|
|
|
|
| |
According to RFC 8446 section 4.4.2.4, a client receiving an empty
certificate list must abort the handshake with a decode error alert.
ok beck@ inoguchi@ tb@ ('it rarely is the alert you'd expect it to be...')
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
After post-handshake handshake messages have been processed, we need to
return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter
will cause us to try to read another TLS record, when there may not be
any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The RFC requires that a server always provide a certificate for
authentication. Ensure that this is the case, rather than proceeding and
attempting validation. In the case where validation was disabled and the
server returned an empty certificate list, this would have previously
resulted in a NULL pointer deference.
Issue reported by otto@
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
This was missed in previous tls13_server.c commit.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
A TLSv1.3 server must always send a certificate - return an error and abort
the handshake if none is available.
ok inoguchi@ tb@
|
| |
|
|
| |
OK beck@, who was amused by the "darkly comic value of reading" it
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This allows a server configured to only support TLSv1.2 and earlier, to
correctly handle connections from a TLSv1.3 capable client.
Issue reported by pvk@
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Switch the legacy version when processing the server hello, rather than
when the client hello has been sent. This ensures that we accept a
response from the server that has a record version other than
TLS1_2_VERSION, as is the case where the server is negotiating TLSv1.0
or TLSv1.1.
Issue spotted by inoguchi@
ok inoguchi@ tb@
|
| | |
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.
ok beck@ tb@
|
| |
|
|
|
|
| |
This will be used to handle record version checks.
ok tb@
|
| |
|
|
|
|
|
|
| |
Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.
ok tb@
|
| |
|
|
|
|
|
|
| |
This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
This correctly handles session being non-NULL and sets up a few more
things, including ssl_version. Also stop setting the ssl_version to the
server_version, as this is only used on the client side.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the client has requested middle box compatibility mode by sending
a non-empty legacy_session_id, the server must send a dummy CCS right
after its first handshake message. This means right after ServerHello
or HelloRetryRequest.
Two important improvements over the backed-out diffr: make sure that
First: client and server can send their dummy CCS at the correct moment
(right before the next flight or right after the current flight).
Second: as jsing noted, we also need to deal with the corner case that
tls13_send_dummy_ccs() can return TLS13_IO_WANT_POLLOUT.
with/ok jsing
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
|
|
| |
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.
ok beck@
|
| |
|
|
|
|
| |
This makes it easier to debug TLSv1.3 handshake failures.
"Yes please!" tb@, ok beck@
|
| |
|
|
|
|
|
|
|
| |
The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.
ok beck@
|
| |
|
|
|
|
|
|
| |
With TLSv1.3 we end up parsing extensions from more than just these two
messages. This can result in variables (like the selected alpn) being
freed when things still need them.
ok tb@
|
| |
|
|
|
|
|
| |
This variable is currently overloaded - a value of -1 means that it is
"unset" and any other value is a length.
ok tb@
|
| |
|
|
|
|
|
|
| |
with TLSv1.2 servers, since it makes clients send their dummy CCS too
early... There's an obvious but dirty bandaid which I can't bring myself
to applying - this business is already disgusting enough.
Issue found the hard way by sthen
|
| |
|
|
|
|
|
| |
This prevents us from incorrectly choosing a PKCS1 based signature
if the client advertises support for them but also prefers them to
PSS such as appears to be the case with gnuTLS.
ok jsing@
|
| |
|
|
|
|
|
|
|
| |
If the client has requested middle box compatibility mode by sending
a non-empty legacy_session_id, the server must send a dummy CCS right
after its first handshake message. This means right after ServerHello
or HelloRetryRequest.
ok jsing
|
| |
|
|
|
|
|
|
| |
When operating in middlebox compatibility mode, the TLSv1.3 client needs
to send a dummy ChangeCipherSpec message immediately before its second
flight of handshake messages (when early data is not offered).
ok tb@
|
| | |
|
| |
|
|
| |
ok tb@
|
| | |
|
| |
|
|
| |
version to 3.2.0
|
| |
|
|
| |
ok jsing@, tb@, inoguchi@
|
| |
|
|
|
|
|
|
| |
stricter. Previously, we would accept any vector if it advertised the
"null" compression method. RFC 8446 4.1.2 specifies that the only legal
vector has length one and contains a zero byte for the null method.
ok jsing
|
| |
|
|
|
|
|
| |
and if the two lengths differed, the later CBS_write_bytes() would
correctly fail anyway.
Discussed with jsing
|
| |
|
|
|
|
| |
alert. Found with tlsfuzzer.
ok jsing
|
| |
|
|
| |
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
This fixes the case where a send function signals that an alert should be
sent, then returns failure. Previously the failure would be propagated
up, without the alert being sent.
Issued noted by tb@
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Split the record protection engagement code into a separate
tls13_server_engage_record_protection() function and call this from
tls13_server_hello_sent(). Also move some functions around to keep the
logical ordering/grouping.
ok inoguchi@ tb@ (as part of a larger diff)
|
| |
|
|
|
|
|
|
|
| |
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
| |
|
|
| |
ok bcook inoguchi deraadt
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
It is possible to do this by abusing the EVP_CTRL_INIT API.
Pointed out by jsing.
ok inoguchi jsing (as part of a larger diff)
|
| |
|
|
|
|
|
| |
We might remove static again for further regress around record layer
in the future.
ok jsing@ tb@
|
