| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
ok bcook inoguchi jsing
|
|
ok bcook inoguchi jsing
|
|
ok bcook inoguchi jsing
|
|
ok bcook inoguchi jsing
|
|
ok bcook inoguchi jsing
|
|
|
|
ok tb@
|
|
When server side renegotiation is triggered, the TLSv1.2 state machine
sends a HelloRequest before going to ST_SW_FLUSH and ST_OK. In this case
we do not need the transcript and currently hit the sanity check in ST_OK
that ensures the transcript has been freed, breaking server initiated
renegotiation. We do however need the transcript in the DTLS case.
ok tb@
|
|
This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.
ok inoguchi@ tb@
|
|
This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
|
This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...
The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.
This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.
ok jsing
|
|
This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
|
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
|
The CBC code path initializes rrec.padding_length in an indirect fashion
and later makes use of it for copying the MAC. This is confusing some
static analyzers as well as people investigating the whining. Avoid this
confusion and add a bit of robustness by clearing the stack variable up
front.
ok jsing
|
|
There are currently three different handshake structs that are in use -
the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct
(as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous
'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp)).
This is the first step towards cleaning up the handshake structs so that
shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2
and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside
SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct
instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code
to access the shared handshake data without needing the SSL struct.
ok inoguchi@ tb@
|
|
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while
it is not currently necessary from a functionality perspective, it makes
for more readable and simpler code.
ok inoguchi@ tb@
|
|
A parent CBB retains a reference to a child CBB until CBB_flush() or
CBB_cleanup() is called. As such, the cert_exts CBB must be at function
scope.
Reported by Ilya Shipitsin.
ok tb@
|
|
|
|
|
|
This is the same as SSL_CTX_use_certificate_chain_file() but for an
SSL object instead of an SSL_CTX object. remi found this in a recent
librelp update, so we need to provide it. The function will be exposed
in an upcoming library bump.
ok inoguchi on an earlier version, input/ok jsing
|
|
|
|
This means that the DTLS_method() will now use DTLSv1.2 rather than DTLSv1.
Additional DTLSv1.2 related symbols and defines will be made publicly
visible in the near future.
ok inoguchi@ tb@
|
|
This teaches the version functions that handle protocol versions about
DTLSv1.2 and the SSL_OP_NO_DTLS* options. We effectively convert between
TLS and TLS protocol versions where necessary.
ok inoguchi@ tb@
|
|
Now that we store our maximum TLS version at the start of the handshake,
we can check against that directly.
ok inoguchi@ tb@
|
|
These are no longer used (and should not be used) internally.
|
|
Add handshake fields for our minimum TLS version, our maximum TLS version
and the TLS version negotiated during the handshake. Initialise our min/max
versions at the start of the handshake and leave these unchanged. The
negotiated TLS version is set in the client once we receive the ServerHello
and in the server at the point we select the highest shared version.
Provide an ssl_effective_version() function that returns the negotiated TLS
version if known, otherwise our maximum TLS version - this is effectively
what is stored in s->version currently.
Convert most of the internal code to use one of these three version fields,
which greatly simplifies code (especially in the TLS extension handling
code).
ok tb@
|
|
Requested by tb@
|
|
Noted by tb@
|
|
Also add explicit checks against EVP_CIPHER_iv_length() and
EVP_CIPHER_key_length().
Requested by tb@ during review.
ok tb@
|
|
This moves the check closer to where a leak could occur and checks all
pointers in the struct.
Suggested by tb@ during review.
ok tb@
|
|
|
|
ok tb@
|
|
This avoids the need to match specific DTLS version numbers.
|
|
DTLS protocol version numbers are the 1's compliment of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.
Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).
ok tb@
|
|
|
|
Ensure that the server announced TLSv1.3 (and nothing higher) in the
supported_versions extension. In that case, the legacy_version must
be TLSv1.2 according to RFC 8446, 4.1.3 and 4.2.1.
This commit also removes some unreachable code which is a remnant of
very early TLSv1.3 code from before the legacy fallback was introduced.
Simplify a few checks and adjust some comments nearby.
ok jsing
|
|
This consolidates the version handling code and will make upcoming changes
easier.
ok tb@
|
|
|
|
discussed with jsing
|
|
better and doesn't look odd if there's trailing data for exapmle.
Indent a few labels in the neighborhood while there.
ok jsing
|
|
OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.
Discussed with tb@
|
|
These are currently guarded by LIBRESSL_HAS_DTLS1_2 and LIBRESSL_INTERNAL.
ok tb@
|
|
ok tb@
|
|
Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always contain
DTLSv1.0 - ensure this is the case on the server side, allow both DTLSv1.0
and DTLSv1.2 on the client.
ok tb@
|
|
ok tb@
|
|
These are currently guarded by LIBRESSL_HAS_DTLS1_2 and LIBRESSL_INTERNAL.
ok tb@
|
|
ok tb@
|
|
ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.
ok tb@
|
tb
jsing