wireguard-openbsd - WireGuard implementation for the OpenBSD kernel

	Commit message (Collapse)	Author	Age	Files	Lines
*	Move the TLSv1.2 record number increment into the new record layer.	jsing	2021-03-29	1	-5/+42
\| \| \| \| \| \| \|	This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs. ok inoguchi@ tb@
*	Fully initialize rrec in tls12_record_layer_open_record_protected	tb	2021-03-21	1	-1/+2
\| \| \| \| \| \| \| \| \| \|	The CBC code path initializes rrec.padding_length in an indirect fashion and later makes use of it for copying the MAC. This is confusing some static analyzers as well as people investigating the whining. Avoid this confusion and add a bit of robustness by clearing the stack variable up front. ok jsing
*	Separate variable declaration and assignment.	jsing	2021-03-02	1	-2/+4
\| \| \| \|	Requested by tb@
*	Replace two handrolled tls12_record_protection_engaged().	jsing	2021-03-02	1	-3/+3
\| \| \| \|	Noted by tb@
*	Move key/IV length checks closer to usage sites.	jsing	2021-03-02	1	-5/+11
\| \| \| \| \| \| \| \| \|	Also add explicit checks against EVP_CIPHER_iv_length() and EVP_CIPHER_key_length(). Requested by tb@ during review. ok tb@
*	Add tls12_record_protection_unused() and call from CCS functions.	jsing	2021-03-02	1	-8/+17
\| \| \| \| \| \| \| \| \|	This moves the check closer to where a leak could occur and checks all pointers in the struct. Suggested by tb@ during review. ok tb@
*	Move handling of cipher/hash based cipher suites into the new record layer.	jsing	2021-02-27	1	-57/+110
\| \| \| \|	ok tb@
*	Identify DTLS based on the version major value.	jsing	2021-02-27	1	-2/+2
\| \| \| \|	This avoids the need to match specific DTLS version numbers.
*	Remove direct assignment of aead_ctx.	jsing	2021-01-28	1	-13/+7
\| \| \| \| \| \|	Now that AEAD is handled internally, we should no longer be assigning aead_ctx directly, as this will result in a leak. Missed during the previous change.
*	Move AEAD handling into the new TLSv1.2 record layer.	jsing	2021-01-28	1	-23/+93
\| \| \| \|	ok tb@
*	Move sequence numbers into the new TLSv1.2 record layer.	jsing	2021-01-26	1	-19/+28
\| \| \| \| \| \| \|	This allows for all of the DTLS sequence number save/restore code to be removed. ok inoguchi@ "whee!" tb@
*	Drop unneeded cast in seal_record_protected_cipher	tb	2021-01-20	1	-2/+2
\| \| \| \| \| \| \|	eiv_len was changed from an int to a size_t in r1.10, so casting it to a size_t is now a noop. ok jsing
*	Add code to handle change of cipher state in the new TLSv1.2 record layer.	jsing	2021-01-19	1	-5/+102
\| \| \| \| \| \| \| \| \| \|	This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state. ok inoguchi@ tb@
*	Provide functions to determine if TLSv1.2 record protection is engaged.	jsing	2021-01-19	1	-1/+19
\| \| \| \| \| \| \| \| \| \|	Call these functions from code that needs to know if we've changed cipher state and enabled record protection, rather than inconsistently checking various pointers from other places in the code base. This also fixes a minor bug where the wrong pointers are checked if we're operating with AEAD. ok inoguchi@ tb@
*	Provide record layer overhead for DTLS.	jsing	2021-01-19	1	-1/+28
\| \| \| \| \| \| \| \|	Rather than manually calculating the maximum record layer overhead in the DTLS code, have the record layer provide this information. This also makes it work correctly with AEAD ciphersuites. ok inoguchi@ tb@
*	Factor out code for explicit IV length, block size and MAC length.	jsing	2021-01-19	1	-21/+77
\| \| \| \| \| \| \| \|	Pull this code up into the record protection struct, which means we only need the length checks in one place. This code will soon be used for additional purposes. ok inoguchi@ tb@
*	Clean up sequence number handing in the new TLSv1.2 record layer.	jsing	2021-01-13	1	-64/+87
\| \| \| \| \| \| \| \| \| \| \| \|	Handle protocol specific (DTLS vs TLS) sequence number differences in the open/seal record functions and propagate the sequence number through to the called functions. This means that DTLS specific knowledge is limited to two functions and also avoids building sequence numbers multiple times over. As a result, the DTLS explicit sequence number is now extracted from the record header and passed through for processing, which makes the read epoch handling redundant. ok inoguchi@ tb@
*	Split the record protection from the TLSv1.2 record layer.	jsing	2021-01-12	1	-75/+101
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	When changing cipher state, DTLS requires that the previous write protection state remain available so that messages can be retransmitted. Currently, this is done by DTLS saving and restoring various pointers, along with special casing to not free the cipher and hash where it would normally be freed for TLS (and requiring DTLS to free things at the appropriate times). This can be handled in a much cleaner manner by splitting the record protection from the record layer. This allows for the previous write state to be retained and restored by swapping a single pointer. Additionally, it also results in more readable and manageable code. This diff simply splits the record protection from the record layer - future changes will add support for maintaining and switching between write states. ok inoguchi@ tb@
*	Make tls12_record_layer_free() NULL safe.	jsing	2021-01-07	1	-1/+5
\| \| \| \| \| \|	This is not an issue currently, but avoids future surprises. Noted by tb@
*	Move the read MAC key into the TLSv1.2 record layer.	jsing	2021-01-07	1	-5/+16
\| \| \| \|	ok inoguchi@ tb@
*	Reimplement the TLSv1.2 record handling for the read side.	jsing	2020-10-03	1	-5/+343
\| \| \| \| \| \| \| \| \| \| \| \|	This is the next step in replacing the TLSv1.2 record layer. The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained. ok beck@ inoguchi@ tb@
*	Group seal record functions together.	jsing	2020-09-16	1	-11/+11
\| \| \| \|	No functional change.
*	Split the tls12_record_layer_write_mac() function.	jsing	2020-09-15	1	-10/+19
\| \| \| \| \| \| \| \| \|	Split the existing tls12_record_layer_write_mac() function so that we can soon reuse part of it for the read side. No functional change. ok tb@
*	Correct a failure case in tls12_record_layer_seal_record_protected()	jsing	2020-09-15	1	-2/+2
\| \| \| \|	This should be a 'goto err' rather than returning.
*	Start replacing the existing TLSv1.2 record layer.	jsing	2020-08-30	1	-0/+533
	This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire. ok inoguchi@ tb@