| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
This allows for all of the DTLS sequence number save/restore code to be
removed.
ok inoguchi@ "whee!" tb@
|
| |
|
|
|
|
|
|
|
|
| |
This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.
ok tb@
|
| |
|
|
|
|
|
|
| |
Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
Fixes COV-174858
ok tb@
|
| |
|
|
|
|
|
|
|
| |
While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
| |
|
|
|
|
|
|
|
|
| |
In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.
ok tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during
code reviews.
Raised by tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a renegotiation results in a change of cipher suite, the renegotation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
| | |
|
| |
|
|
| |
ok jsing@, gcc@, regress@
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.
ok inoguchi@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
| |
|
|
|
|
|
| |
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
| |
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.
ok inoguchi@
|
| | |
|
| |
|
|
|
|
| |
and each hash processed separately.
Tested by tb@
|
| |
|
|
|
|
| |
single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
|
|
|
| |
suite has been selected, and convert the final finish MAC to use this
handshake hash.
This is a first step towards cleaning up the current handshake
buffer/digest code.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
|
|
| |
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
| |
|
|
| |
line wraps that resulted
|
| |
|
|
|
|
|
| |
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@
|
| |
|
|
| |
set and cleared via existing functions.
|
| |
|
|
| |
Discussed with beck@
|
| |
|
|
| |
other perversions touches them sickly and unnaturally.
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
| |
known to be used by ports.
ok beck@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
| |
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
jsing
tb
bcook
beck