OpenBSD CVS

CVS log for src/lib/libssl/tls13_lib.c




Default branch: MAIN


Revision 1.77, Sat Jan 27 14:23:51 2024 UTC (4 months, 1 week ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.76: +39 -3 lines

Add message callbacks for alerts in the TLSv1.3 stack.

This will make it easier to regress test shutdown behaviour in the TLSv1.3
stack. Additionally, `openssl -msg` now shows alerts for TLSv1.3
connections.

ok tb@

Revision 1.76, Sat Nov 26 16:08:56 2022 UTC (18 months, 2 weeks ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.75: +2 -2 lines

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Revision 1.75, Mon Nov 7 11:53:39 2022 UTC (19 months ago) by jsing
Branch: MAIN
Changes since 1.74: +1 -71 lines

Move tls13_exporter() code.

It makes more sense to have tls13_exporter() in tls13_key_schedule.c,
rather than tls13_lib.c

ok tb@

Revision 1.74, Thu Oct 20 15:26:25 2022 UTC (19 months, 3 weeks ago) by tb
Branch: MAIN
Changes since 1.73: +103 -2 lines

Initial parsing of the NewSessionTicket message

TLSv1.3 introduces a New Session Ticket post-handshake handshake message
that allows a unique association between a ticket value and a pre-shared
key derived from the resumption master secret. Servers may send this
message arbitrarily often at any time after receiving the client's
Finished message.

Implement tls13_new_session_ticket_recv() which parses the contents of
the NewSessionTicket message into a fresh session derived from the
current session so as to avoid modifying sessions that are already in
the session cache.

This uses tls13_new_session_ticket_recv() in tls13_phh_received_cb().
We currently rely on the general rate limiting of 100 PHH messages per
connection and hour to avoid problems from connecting to a misbehaving
or malicious server.

ok jsing

Revision 1.73, Thu Oct 20 15:23:43 2022 UTC (19 months, 3 weeks ago) by tb
Branch: MAIN
Changes since 1.72: +8 -1 lines

Provide TLS13_MAX_TICKET_LIFETIME #define

TLSv1.3 servers must not indicate a lifetime longer than 7 days and
clients must not cache sessions for longer than 7 days. Encode this
in a macro internal to tls13_lib.c for now.

ok jsing

Revision 1.72, Sun Oct 2 16:36:42 2022 UTC (20 months, 1 week ago) by jsing
Branch: MAIN
Changes since 1.71: +8 -8 lines

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@

Revision 1.71, Sat Sep 10 15:29:33 2022 UTC (21 months ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.70: +3 -3 lines

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@

Revision 1.70, Sun Jul 24 14:28:16 2022 UTC (22 months, 2 weeks ago) by jsing
Branch: MAIN
Changes since 1.69: +14 -9 lines

Provide record layer callbacks for QUIC.

QUIC uses TLS to complete the handshake, however unlike normal TLS it does
not use the TLS record layer, rather it provides its own transport. This
means that we need to intercept all communication between the TLS handshake
and the record layer. This allows TLS handshake message writes to be
directed to QUIC, likewise for TLS handshake message reads. Alerts also
need to be sent via QUIC, plus it needs to be provided with the traffic
keys that are derived by TLS.

ok tb@

Revision 1.69, Sun Jul 24 14:19:45 2022 UTC (22 months, 2 weeks ago) by jsing
Branch: MAIN
Changes since 1.68: +12 -12 lines

Move tls13_phh_done_cb() after tls13_phh_received_cb().

This is the order that they're called/run in.

Revision 1.68, Sun Jul 24 14:16:29 2022 UTC (22 months, 2 weeks ago) by jsing
Branch: MAIN
Changes since 1.67: +5 -3 lines

Provide QUIC encryption levels.

QUIC wants to know what "encryption level" handshake messages should be
sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that
defines these (of course quictls decided to make this an
OSSL_ENCRYPTION_LEVEL typedef, so provide that as well).

Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so
that they can be used in upcoming commits.

ok tb@

Revision 1.67, Wed Jul 20 06:32:24 2022 UTC (22 months, 3 weeks ago) by jsing
Branch: MAIN
Changes since 1.66: +7 -10 lines

Remove tls_buffer_set_data() and remove/revise callers.

There is no way that tls_buffer_set_data() can currently work in
conjunction with tls_buffer_expand(). This fact is currently hidden by the
way that PHH works, which reads the same data from the record layer (which
it needs to do anyway, since we may not have all of the handshake message
in a single record).

Since this is broken, mop it up and change the PHH callback to not provide
the record data.

ok beck@ tb@

Revision 1.66, Wed Jul 20 06:20:44 2022 UTC (22 months, 3 weeks ago) by jsing
Branch: MAIN
Changes since 1.65: +30 -20 lines

Correct server-side handling of TLSv1.3 key updates.

The existing code updates the correct secret, however then sets it for the
wrong direction. Fix this, while untangling the code and consistently using
'read' and 'write' rather than 'local' and 'peer'.

ok beck@ tb@

Revision 1.65, Sun Jul 17 15:51:06 2022 UTC (22 months, 3 weeks ago) by jsing
Branch: MAIN
Changes since 1.64: +2 -1 lines

Disable TLSv1.3 middlebox compatibility mode for QUIC connections.

This is required by RFC 9001.

ok tb@

Revision 1.64, Sun Jul 17 15:49:20 2022 UTC (22 months, 3 weeks ago) by jsing
Branch: MAIN
Changes since 1.63: +6 -2 lines

Pass SSL pointer to tls13_ctx_new().

struct tls13_ctx already knows about SSL's and this way tls13_ctx_new() can
set up various pointers, rather than duplicating this in
tls13_legacy_accept() and tls13_legacy_connect().

ok tb@

Revision 1.63, Sat Feb 5 14:54:10 2022 UTC (2 years, 4 months ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.62: +3 -3 lines

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@

Revision 1.62, Thu Sep 16 19:25:30 2021 UTC (2 years, 8 months ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.61: +2 -1 lines

Implement flushing for TLSv1.3 handshakes.

When we finish sending a flight of records, flush the record layer output.
This effectively means calling BIO_flush() on the wbio.

Some things (such as apache2) have custom BIOs that perform buffering and
do not actually send on BIO_write(). Without BIO_flush() the server thinks
it has sent data and starts receiving records, however the client never
sends records since it never received those that the server should have
sent.

Joint work with tb@

ok tb@

Revision 1.61, Thu Sep 2 11:58:30 2021 UTC (2 years, 9 months ago) by beck
Branch: MAIN
Changes since 1.60: +2 -3 lines

Call the ocsp callback if present and we get no response, instead of
succeeding unconditionally. Makes muststaple work with tls1.3 in nc.

ok tb@

Revision 1.60, Mon Aug 30 19:25:43 2021 UTC (2 years, 9 months ago) by jsing
Branch: MAIN
Changes since 1.59: +4 -10 lines

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@

Revision 1.59, Wed Apr 7 21:48:23 2021 UTC (3 years, 2 months ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.58: +3 -2 lines

Avoid clobbering the error code when sending an alert

In order to fail gracefully on encountering a self-signed cert, curl looks
at the top-most error on the stack and needs specific SSL_R_ error codes.
This mechanism was broken when the tls13_alert_sent_cb() was added after
people complained about unhelpful unknown errors. Fix this by only setting
the error code from a fatal alert if no error has been set previously.

Issue reported by Christopher Reid

ok jsing

Revision 1.58, Sun Mar 21 18:36:34 2021 UTC (3 years, 2 months ago) by jsing
Branch: MAIN
Changes since 1.57: +22 -22 lines

Move the TLSv1.3 handshake struct inside the shared handshake struct.

There are currently three different handshake structs that are in use -
the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct
(as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous
'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp).

This is the first step towards cleaning up the handshake structs so that
shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2
and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside
SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct
instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code
to access the shared handshake data without needing the SSL struct.

ok inoguchi@ tb@

Revision 1.57, Sun Mar 21 16:56:42 2021 UTC (3 years, 2 months ago) by jsing
Branch: MAIN
Changes since 1.56: +3 -4 lines

Avoid a use-after-scope in tls13_cert_add().

A parent CBB retains a reference to a child CBB until CBB_flush() or
CBB_cleanup() is called. As such, the cert_exts CBB must be at function
scope.

Reported by Ilya Shipitsin.

ok tb@

Revision 1.54.4.1, Wed Feb 3 07:06:14 2021 UTC (3 years, 4 months ago) by tb
Branch: OPENBSD_6_8
Changes since 1.54: +73 -1 lines
Next revision on MAIN: 1.55

This is errata/6.8/013_libressl.patch.sig

Various interoperability issues and memory leaks were discovered in
libcrypto and libssl.

The new verifier is not bug compatible with the old verifier and caused
many issues by failing to propagate errors correctly, returning different
error codes than some software was trained to expect and otherwise failing
when it shouldn't. While much of this is fixed in -current, it's still not
perfect, so switching back to the legacy verifier is preferable at this
point.

Other included fixes:

* Unbreak DTLS retransmissions for flights that include a CCS
* Only check BIO_should_read() on read and BIO_should_write() on write
* Implement autochain for the TLSv1.3 server
* Use the legacy verifier for AUTO_CHAIN
* Implement exporter for TLSv1.3
* Free alert_data and phh_data in tls13_record_layer_free()
* Plug leak in x509_verify_chain_dup()
* Free the policy tree in x509_vfy_check_policy()

Original commits by jsing and tb

ok inoguchi jsing

Revision 1.56, Tue Jan 5 17:47:35 2021 UTC (3 years, 5 months ago) by tb
Branch: MAIN
Changes since 1.55: +5 -8 lines

Convert tls13_exporter() to tls13_secret_{init,cleanup}()

ok jsing

Revision 1.55, Mon Nov 16 18:55:15 2020 UTC (3 years, 6 months ago) by jsing
Branch: MAIN
Changes since 1.54: +73 -1 lines

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@

Revision 1.54, Fri Sep 11 15:03:36 2020 UTC (3 years, 8 months ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE
Branch point for: OPENBSD_6_8
Changes since 1.53: +3 -3 lines

Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@

Revision 1.36.4.1, Mon Aug 10 18:59:47 2020 UTC (3 years, 10 months ago) by tb
Branch: OPENBSD_6_7
Changes since 1.36: +4 -3 lines
Next revision on MAIN: 1.37

LibreSSL 3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:

* Improve client certificate selection to allow EC certificates
  instead of only RSA certificates.

* Do not error out if a TLSv1.3 server requests an OCSP response as
  part of a certificate request.

* Fix SSL_shutdown behavior to match the legacy stack.  The previous
  behaviour could cause a hang.

* Fix a memory leak and add a missing error check in the handling of
  the key update message.

* Fix a memory leak in tls13_record_layer_set_traffic_key.

* Avoid calling freezero with a negative size if a server sends a
  malformed plaintext of all zeroes.

* Ensure that only PSS may be used with RSA in TLSv1.3 in order
  to avoid using PKCS1-based signatures.

* Add the P-521 curve to the list of curves supported by default
  in the client.

This is errata/6.7/019_libssl.patch.sig

Revision 1.53, Thu Jul 30 16:23:17 2020 UTC (3 years, 10 months ago) by tb
Branch: MAIN
Changes since 1.52: +15 -1 lines

Add minimal info callback support for TLSv1.3

As abieber@ found the hard way, some python frameworks (twisted, synapse)
thought it a great idea to use the info callback mechanism (designed to
get state information about SSL objects) to modify state information such
as setting and verifying the SNI.  The switch of TLS_method() to default
to TLSv1.3 broke these contraptions.  Further bits of the info callback
mechanism will likely metastasize throughout the TLSv1.3 stack if we
need them, so we only do what's really necessary now.

Lots of debugging, crucial hint and testing by abieber

input & ok jsing

Revision 1.52, Fri Jul 3 04:12:51 2020 UTC (3 years, 11 months ago) by tb
Branch: MAIN
Changes since 1.51: +3 -3 lines

Improve argument order for the internal tlsext API

Move is_server and msg_type right after the SSL object so that CBS
and CBB and alert come last. This brings these functions more in
line with other internal functions and separates state from data.

requested by jsing

Revision 1.51, Sat Jun 6 01:40:09 2020 UTC (4 years ago) by beck
Branch: MAIN
Changes since 1.50: +80 -1 lines

Implement a rolling hash of the ClientHello message. Enforce RFC 8446
section 4.1.2 to ensure that subsequent ClientHello messages after a
HelloRetryRequest message are unchanged from the initial
ClientHello.

ok tb@ jsing@

Revision 1.50, Fri May 22 02:37:27 2020 UTC (4 years ago) by beck
Branch: MAIN
Changes since 1.49: +9 -3 lines

Ensure we only attach an ocsp staple to a leaf certificate, because
for the moment that is all we support. Fixes an issue where GnuTLS
cares that mismatching staples come back on the certs in the chain.

This should be fixed correctly later by associating the staple
to the individual certs rather than the ssl, so this is temporary.

running on www@.

ok tb@, "got that's oopy but an interim ok" jsing@

Revision 1.49, Thu May 21 19:43:40 2020 UTC (4 years ago) by tb
Branch: MAIN
Changes since 1.48: +19 -19 lines

Simplify: transform a dangling else into an early return and
unindent a bunch of code.

Suggested by jsing

Revision 1.48, Thu May 21 19:27:22 2020 UTC (4 years ago) by tb
Branch: MAIN
Changes since 1.47: +7 -8 lines

Avoid a shadowing issue by renaming cbs and cbb to cbs_hs and cbb_hs,
respectively.

Discussed with jsing

Revision 1.47, Thu May 21 19:15:54 2020 UTC (4 years ago) by tb
Branch: MAIN
Changes since 1.46: +15 -11 lines

A failure of tls13_handshake_msg_new() could lead to a NULL deref
in the following tls13_handshake_msg_start() call.  Add a check.

Stop clobbering the ctx's hs_msg variable, use a local variable
instead.

ok beck jsing

Revision 1.46, Tue May 19 01:30:34 2020 UTC (4 years ago) by beck
Branch: MAIN
Changes since 1.45: +6 -6 lines

Add support for TLS 1.3 server to send certificate status
messages with ocsp staples.

ok jsing@ tb@

Revision 1.45, Sun May 17 19:07:15 2020 UTC (4 years ago) by beck
Branch: MAIN
Changes since 1.44: +19 -8 lines

Send alerts back correctly when handling key shares, including
sending back illegal parameter if our phh key share request type
is not 0 or 1.

ok jsing@ tb@

Revision 1.44, Sun May 17 18:22:30 2020 UTC (4 years ago) by beck
Branch: MAIN
Changes since 1.43: +2 -2 lines

Free handshake message correctly, noticed by tb@

ok tb@ jsing@

Revision 1.43, Mon May 11 17:46:46 2020 UTC (4 years, 1 month ago) by jsing
Branch: MAIN
Changes since 1.42: +21 -3 lines

Provide an alert sent record layer callback.

Use this to push an error on to the SSL error stack so that we report the
details of the alert that we sent, rather than failing with an unknown
error.

ok tb@

Revision 1.42, Mon May 11 17:28:33 2020 UTC (4 years, 1 month ago) by jsing
Branch: MAIN
Changes since 1.41: +10 -4 lines

Move the record layer callbacks into a struct.

This makes the code more readable, requires less code churn when adding
a new callback and is likely to avoid bugs due to function argument
ordering.

ok beck@ inoguchi@ tb@

Revision 1.41, Sun May 10 16:56:11 2020 UTC (4 years, 1 month ago) by jsing
Branch: MAIN
Changes since 1.40: +6 -6 lines

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@

Revision 1.40, Sun May 10 14:17:48 2020 UTC (4 years, 1 month ago) by jsing
Branch: MAIN
Changes since 1.39: +2 -2 lines

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@

Revision 1.39, Sun May 10 14:03:14 2020 UTC (4 years, 1 month ago) by jsing
Branch: MAIN
Changes since 1.38: +2 -2 lines

Correct tlsext_ocsp_resplen check.

This variable is currently overloaded - a value of -1 means that it is
"unset" and any other value is a length.

ok tb@

Revision 1.38, Sat May 9 15:30:21 2020 UTC (4 years, 1 month ago) by jsing
Branch: MAIN
Changes since 1.37: +3 -1 lines

Add a middlebox_compat flag and condition session ID randomisation on it.

ok tb@

Revision 1.37, Sat May 9 15:05:50 2020 UTC (4 years, 1 month ago) by beck
Branch: MAIN
Changes since 1.36: +29 -1 lines

Add support for certificate status requests in TLS 1.3 client
ok jsing@, tb@, inoguchi@

Revision 1.36, Tue Apr 28 20:30:41 2020 UTC (4 years, 1 month ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE
Branch point for: OPENBSD_6_7
Changes since 1.35: +44 -1 lines

Rename tls13_client_synthetic_handshake_message() and move to tls13_lib.c.

The server-side will need to use the same function.

No functional change.

ok inoguchi@ tb@

Revision 1.35, Tue Apr 21 16:55:17 2020 UTC (4 years, 1 month ago) by jsing
Branch: MAIN
Changes since 1.34: +39 -23 lines

Consolidate TLSv1.3 constants.

Move all of the TLSv1.3 constants to the top of tls13_lib.c. Also mark
these all as const so that they end up in .rodata rather than .data.

ok tb@

Revision 1.34, Sat Feb 15 14:40:38 2020 UTC (4 years, 3 months ago) by jsing
Branch: MAIN
Changes since 1.33: +1 -308 lines

Move the TLSv1.3 code that interfaces with the legacy APIs/stack into a
separate file.

Discussed with beck@ and tb@

Revision 1.33, Wed Feb 5 06:12:43 2020 UTC (4 years, 4 months ago) by tb
Branch: MAIN
Changes since 1.32: +17 -11 lines

Rework tls13_legacy_handshake_message_{recv,sent}_cb() to use
their own CBS as a preparation for upcoming HRR diffs.

ok jsing

Revision 1.32, Wed Jan 29 17:03:58 2020 UTC (4 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.31: +5 -1 lines

If the TLSv1.3 code has not recorded an error and something already exists
on the error stack, refrain from pushing an 'unknown' error on the stack.
This should allow libcrypto errors (including bio) to be visible, where we
have nothing better to offer.

ok tb@

Revision 1.31, Sun Jan 26 02:45:27 2020 UTC (4 years, 4 months ago) by beck
Branch: MAIN
Changes since 1.30: +44 -1 lines

Move pad and verify context into tls13_lib.c

ok jsing@

Revision 1.30, Sat Jan 25 13:11:20 2020 UTC (4 years, 4 months ago) by tb
Branch: MAIN
Changes since 1.29: +28 -1 lines

Support legacy message callbacks. First step for SSL_set_msg_callback(3)
support. Makes openssl s_client -msg work for handshake messages.

ok beck jsing

Revision 1.29, Fri Jan 24 05:11:34 2020 UTC (4 years, 4 months ago) by beck
Branch: MAIN
Changes since 1.28: +2 -2 lines

Permit 0 length writes, because openssl s_client is special

ok jsing@

Revision 1.28, Fri Jan 24 04:39:44 2020 UTC (4 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.27: +2 -2 lines

Enable SSL_ENC_FLAG_SIGALGS on TLSv1_3_enc_data.

This means that we actually try to process and use signature algorithms.

ok beck@ tb@

Revision 1.27, Fri Jan 24 04:36:29 2020 UTC (4 years, 4 months ago) by beck
Branch: MAIN
Changes since 1.26: +5 -1 lines

Fix breakage in SSL_connect, SSL_accept, etc. by not propagating
new retry conditions from the record layer all the way up to the
callers.  Instead we catch them at the top of the record layer
and retry the operations, unless we actually got a retry indicated
from actual IO operations.

ok jsing@ tb@

Revision 1.26, Thu Jan 23 11:57:20 2020 UTC (4 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.25: +4 -1 lines

Implement client hello processing in the TLSv1.3 server.

ok beck@

Revision 1.25, Thu Jan 23 10:40:59 2020 UTC (4 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.24: +6 -1 lines

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@

Revision 1.24, Thu Jan 23 07:30:55 2020 UTC (4 years, 4 months ago) by beck
Branch: MAIN
Changes since 1.23: +9 -1 lines

Add checking in the client to check the magic values which are
set by a 1.3 server when it downgrades to tls 1.2 or 1.1 as per
RFC 8446 section 4.1.3.

ok jsing@

Revision 1.23, Thu Jan 23 05:08:30 2020 UTC (4 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.22: +17 -1 lines

Implement pending for TLSv1.3.

Makes `openssl s_client -peekaboo` work with TLSv1.3.

ok beck@ tb@

Revision 1.22, Thu Jan 23 02:49:38 2020 UTC (4 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.21: +10 -3 lines

Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert.

Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending
an alert resulted in EOF, do not propagate this back since we do not want
to signal EOF to the caller (rather we want to indicate failure).

ok beck@ tb@

Revision 1.21, Wed Jan 22 13:10:51 2020 UTC (4 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.20: +4 -1 lines

Pass a handshake message content CBS to TLSv1.3 receive handlers.

This avoids every receive handler from having to get the handshake message
content itself. Additionally, pull the trailing data check up so that each
receive handler does not have to implement it. This makes the code more
readable and reduces duplication.

ok beck@ tb@

Revision 1.20, Wed Jan 22 06:23:00 2020 UTC (4 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.19: +6 -8 lines

Implement support for SSL_peek() in the TLSv1.3 record layer.

ok beck@ tb@

Revision 1.19, Wed Jan 22 03:15:43 2020 UTC (4 years, 4 months ago) by beck
Branch: MAIN
Changes since 1.18: +3 -2 lines

Don't add an extra unknown error if we got a fatal alert
ok jsing@

Revision 1.18, Wed Jan 22 02:21:05 2020 UTC (4 years, 4 months ago) by beck
Branch: MAIN
Changes since 1.17: +4 -1 lines

Add minimal support for hello retry request for RFC conformance.
We currently don't support sending a modified clienthello.

ok jsing@ tb@

Revision 1.17, Wed Jan 22 01:02:28 2020 UTC (4 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.16: +51 -1 lines

Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.

ok beck@ inoguchi@ tb@

Revision 1.16, Tue Jan 21 05:19:02 2020 UTC (4 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.15: +2 -2 lines

Provide SSL_R_UNKNOWN.

This allows us to indicate that the cause of the failure is unknown, rather
than implying that it was an internal error when it was not.

ok beck@

Revision 1.15, Tue Jan 21 04:45:18 2020 UTC (4 years, 4 months ago) by tb
Branch: MAIN
Changes since 1.14: +2 -1 lines

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3).  Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing

Revision 1.14, Mon Jan 20 13:10:37 2020 UTC (4 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.13: +19 -4 lines

Provide an error framework for use with the TLSv1.3 code.

This is based on the libtls error handling code, but adds machine readable
codes and subcodes. We then map these codes back to libssl error codes.

ok beck@ inoguchi@

Revision 1.13, Tue Nov 26 23:46:18 2019 UTC (4 years, 6 months ago) by beck
Branch: MAIN
Changes since 1.12: +147 -3 lines

Add support for TLS 1.3 post handshake messages and key updating.
Tested against openssl 1.1's server.

ok jsing@ tb@

Revision 1.12, Sun Nov 17 00:10:47 2019 UTC (4 years, 6 months ago) by beck
Branch: MAIN
Changes since 1.11: +2 -2 lines

Separate the callbacks for received and completed post handshake messages
from the record layer.

ok jsing@

Revision 1.11, Sun Mar 17 15:13:23 2019 UTC (5 years, 2 months ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.10: +2 -2 lines

Remove the alert level from the TLSv1.3 alert callback.

In TLSv1.3 the alert level is effectively meaningless and the record layer
has already checked that it is appropriate. As such, drop it from the alert
callback.

ok tb@

Revision 1.10, Mon Mar 4 16:46:44 2019 UTC (5 years, 3 months ago) by millert
Branch: MAIN
Changes since 1.9: +3 -2 lines

Don't index a void pointer, fixes compilation with visual studio.
Gcc/clang will treat void * as char * but this is non-standard.
OK deraadt@ jsing@ inoguchi@

Revision 1.9 / (download) - annotate - [select for diffs], Thu Feb 28 18:20:38 2019 UTC (5 years, 3 months ago) by jsing
Branch: MAIN
Changes since 1.8: +34 -3 lines
Diff to previous 1.8 (colored)

Implement non-SSL_MODE_ENABLE_PARTIAL_WRITE in tls13_legacy_write_bytes().

In non-SSL_MODE_ENABLE_PARTIAL_WRITE mode we have to write out all the
things and only return success once all of the data has been sent.

ok inoguchi@ tb@

Revision 1.8 / (download) - annotate - [select for diffs], Thu Feb 28 17:56:43 2019 UTC (5 years, 3 months ago) by jsing
Branch: MAIN
Changes since 1.7: +13 -1 lines
Diff to previous 1.7 (colored)

Automatically complete the handshake from tls13_legacy_{read,write}_bytes()

If the TLS handshake has not been completed, automatically complete the
handshake as part of the read/write call, implementing the current
SSL_read()/SSL_write() behaviour.

Once the TLS handshake is completed we push a WANT_POLLIN or WANT_POLLOUT
back up to the caller, since some applications appear to incorrectly call
SSL_read() or SSL_write(), rather than repeating the previous call. This
can lead to attempts to read data that does not exist, since the
WANT_POLLIN was actually triggered as part of the handshake.

ok inoguchi@ tb@

Revision 1.7 / (download) - annotate - [select for diffs], Thu Feb 28 17:44:56 2019 UTC (5 years, 3 months ago) by jsing
Branch: MAIN
Changes since 1.6: +9 -3 lines
Diff to previous 1.6 (colored)

Add appropriate length checks to tls13_legacy_{read,write}_bytes()

ok inoguchi@ tb@

Revision 1.6 / (download) - annotate - [select for diffs], Tue Feb 26 17:36:30 2019 UTC (5 years, 3 months ago) by jsing
Branch: MAIN
Changes since 1.5: +3 -1 lines
Diff to previous 1.5 (colored)

Correctly propagate EOF from BIO in tls13_legacy_wire_read().

ok tb@

Revision 1.5 / (download) - annotate - [select for diffs], Sat Feb 23 15:00:44 2019 UTC (5 years, 3 months ago) by jsing
Branch: MAIN
Changes since 1.4: +3 -1 lines
Diff to previous 1.4 (colored)

Set BIO retry on TLS13_IO_WANT_POLLIN/TLS13_IO_WANT_POLLOUT.

In most cases a TLS13_IO_WANT_POLLIN or TLS13_IO_WANT_POLLOUT will have
bubbled up from the wire callbacks, in which case the BIO retry flag will
already be set. However, if we return TLS13_IO_WANT_POLLIN or
TLS13_IO_WANT_POLLOUT from a higher layer the BIO retry flag will not be
set and that will cause SSL_get_error() to return SSL_ERROR_SYSCALL rather
than the intended SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.

ok beck@ tb@
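A pure-C model of the behaviour described in revisions 1.8 and 1.5 above, added here as an illustration; it is not libssl code, and every name in it (struct conn, conn_handshake, conn_read, conn_write, conn_get_error, wait_for, app_send, app_send_wrong) is invented. It mimics three documented points: the handshake is driven from inside a read/write call; once the handshake completes, a WANT_POLLIN/WANT_POLLOUT is handed back so the caller repeats its original call; and the modelled SSL_get_error() reports WANT_READ/WANT_WRITE only when the BIO retry flag is set, otherwise SSL_ERROR_SYSCALL. The "wire" is simulated: wait_for() stands in for poll(2) and delivers the peer's handshake flight, and the peer sends no application data.

```c
/* Added example, not libssl code: a model of the SSL_read()/SSL_write() retry
 * discipline described above.  Every name here is invented for illustration. */
#include <string.h>

enum { IO_WANT_POLLIN = -2, IO_WANT_POLLOUT = -3 };
enum conn_error { ERR_NONE, ERR_WANT_READ, ERR_WANT_WRITE, ERR_SYSCALL };
enum rwstate { RW_READING, RW_WRITING };

struct conn {
	int handshake_done;
	int peer_flight_ready;	/* simulated wire: peer's handshake flight arrived */
	int bio_retry;		/* models the BIO retry flag */
	enum rwstate rwstate;	/* direction the last call blocked on */
	int write_calls;	/* instrumentation for the caller */
};

/* Drive the handshake from inside a read/write call (revision 1.8). */
static int
conn_handshake(struct conn *c, enum rwstate caller)
{
	if (!c->peer_flight_ready) {
		c->rwstate = RW_READING;	/* WANT_POLLIN from the wire: the */
		c->bio_retry = 1;		/* BIO retry flag is already set */
		return IO_WANT_POLLIN;
	}
	/* Done: push a WANT back up so the caller repeats its original call.  It
	 * comes from a higher layer, so the retry flag is set here (revision 1.5). */
	c->handshake_done = 1;
	c->rwstate = caller;
	c->bio_retry = 1;
	return caller == RW_READING ? IO_WANT_POLLIN : IO_WANT_POLLOUT;
}

static int
conn_write(struct conn *c, const char *buf, size_t len)
{
	c->write_calls++;
	c->bio_retry = 0;
	if (!c->handshake_done)
		return conn_handshake(c, RW_WRITING);
	return (int)len;	/* model: buf is always written in full */
}

static int
conn_read(struct conn *c)
{
	c->bio_retry = 0;
	if (!c->handshake_done)
		return conn_handshake(c, RW_READING);
	c->rwstate = RW_READING;	/* the peer sends no application data in */
	c->bio_retry = 1;		/* this model, so a read always waits */
	return IO_WANT_POLLIN;
}

/* Model of SSL_get_error(): WANT_* only when the BIO retry flag is set. */
static enum conn_error
conn_get_error(const struct conn *c, int ret)
{
	if (ret > 0)
		return ERR_NONE;
	if (!c->bio_retry)	/* no retry flag: looks like a real I/O failure */
		return ERR_SYSCALL;
	return c->rwstate == RW_READING ? ERR_WANT_READ : ERR_WANT_WRITE;
}

/* Models poll(2) returning: the peer's handshake flight shows up. */
static void wait_for(struct conn *c) { c->peer_flight_ready = 1; }

/* Correct pattern: on WANT_READ/WANT_WRITE, wait, then repeat the same call. */
static int
app_send(struct conn *c, const char *msg)
{
	enum conn_error err;
	int ret, tries = 0;

	while (tries++ < 8) {
		ret = conn_write(c, msg, strlen(msg));
		err = conn_get_error(c, ret);
		if (err == ERR_NONE)
			return ret;
		if (err != ERR_WANT_READ && err != ERR_WANT_WRITE)
			return -1;
		wait_for(c);	/* then conn_write() again, never conn_read() */
	}
	return -1;
}

/* The mistake revision 1.8 describes: WANT_READ taken as "data is readable". */
static int
app_send_wrong(struct conn *c, const char *msg)
{
	int ret = conn_write(c, msg, strlen(msg));

	if (conn_get_error(c, ret) == ERR_WANT_READ) {
		wait_for(c);
		ret = conn_read(c);	/* reads data that does not exist */
	}
	return conn_get_error(c, ret) == ERR_NONE ? ret : -1;
}
```

On a zeroed struct conn, app_send() returns 5 for "hello" after three conn_write() calls (wire wait, handshake completion handed back as WANT_WRITE, then the real write), while app_send_wrong() completes the handshake inside conn_read() and returns -1 with the message never sent. The same struct also shows the revision 1.5 point: with rwstate set but the retry flag clear, conn_get_error() reports ERR_SYSCALL rather than ERR_WANT_READ.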

Revision 1.4 / (download) - annotate - [select for diffs], Thu Feb 21 17:15:00 2019 UTC (5 years, 3 months ago) by jsing
Branch: MAIN
Changes since 1.3: +32 -2 lines
Diff to previous 1.3 (colored)

Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts: "closure alerts" and
"error alerts". This makes the record layer more strict and handles closure
of the read and write channels. The callback then handles the record layer to
SSL mapping/behaviour.

ok tb@

Revision 1.3 / (download) - annotate - [select for diffs], Mon Jan 21 13:45:57 2019 UTC (5 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.2: +36 -3 lines
Diff to previous 1.2 (colored)

Provide the initial TLSv1.3 client implementation.

Move tls13_connect() to a new tls13_client.c file and provide a legacy
wrapper to it, which allocates a struct tls_ctx if necessary. Also move
tls13_client_hello_send() to tls13_client.c and actually implement the
building of a client hello.

ok tb@

Revision 1.2 / (download) - annotate - [select for diffs], Mon Jan 21 10:24:25 2019 UTC (5 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.1: +13 -3 lines
Diff to previous 1.1 (colored)

Correct some rwstate handling that I broke when refactoring.

Revision 1.1 / (download) - annotate - [select for diffs], Mon Jan 21 09:10:58 2019 UTC (5 years, 4 months ago) by jsing
Branch: MAIN

Provide TLS 1.3 cipher AEAD/hash and legacy I/O handling functions.

Provide functionality for determining AEADs and hashes for TLS 1.3 ciphers.
Also provide wire read/write callbacks that interface with BIO and
functions that interface between SSL_read/SSL_write and the TLS 1.3 record
layer API.

ok tb@
