path: root/lib/libssl/s3_lib.c
Age  Commit message  Author

2020-04-18  Expose the peer ephemeral public key used for TLSv1.3 key exchange.  (Joel Sing)
    SSL_get_server_tmp_key() provides the peer ephemeral public key used for key exchange. In the case of TLSv1.3 this is essentially the peer public key from the key share used for TLSv1.3 key exchange, hence make it available via SSL_get_server_tmp_key(). ok inoguchi@ tb@

2020-02-16  Avoid leak for tmp.x25519  (Kinichiro Inoguchi)
    Changed to use local variable to hold malloc address rather than directly set to S3I(s)->tmp.x25519, and set that private_key pointer to S3I(s)->tmp.x25519 after all the "goto err;". Also added freezero for S3I(s)->tmp.x25519 to ssl3_free() and ssl3_clear(). ok jsing@ tb@

2020-01-30  Provide struct/functions for handling TLSv1.3 key shares.  (Joel Sing)
    Pull out the key share handling code and provide a clean/self contained interface. This will make it easier to support groups other than X25519. ok beck@ inoguchi@ tb@

2020-01-23  Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().  (Joel Sing)
    Currently, TLSv1.3 cipher suites are filtered out by the fact that they have authentication and key exchange algorithms that are not being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher() works for TLSv1.3, however we also now need to ensure that we filter out TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3. ok beck@ tb@

2020-01-02  Revise SSL_CTX_get_extra_chain_certs() to match OpenSSL behaviour.  (Joel Sing)
    In OpenSSL, SSL_CTX_get_extra_chain_certs() really means return extra certs, unless there are none, in which case return the chain associated with the certificate. If you really just want the extra certs, including knowing if there are no extra certs, then you need to call SSL_CTX_get_extra_chain_certs_only()! And to make this even more entertaining, these functions are not documented in any OpenSSL release. Reported by sephiroth-j on github, since the difference in behaviour apparently breaks OCSP stapling with nginx. ok beck@ inoguchi@ tb@

2019-10-04  Use a valid curve when constructing an EC_KEY that looks like X25519.  (Joel Sing)
    The recent EC group cofactor change results in stricter validation, which causes the EC_GROUP_set_generator() call to fail. Issue reported and fix tested by rsadowski@ ok tb@

2019-04-04  Provide SSL chain/cert chain APIs.  (Joel Sing)
    These allow for chains to be managed on a per-certificate basis rather than as a single "extra certificates" list. Note that "chain" in this context does not actually include the leaf certificate however, unlike SSL_CTX_use_certificate_chain_{file,mem}(). Thanks to sthen@ for running this through a bulk ports build. ok beck@ tb@

2019-03-25  Defer sigalgs selection until the certificate is known.  (Joel Sing)
    Previously the signature algorithm was selected when the TLS extension was parsed (or the client received a certificate request), however the actual certificate to be used is not known at this stage. This leads to various problems, including the selection of a signature algorithm that cannot be used with the certificate key size (as found by jeremy@ via ruby regress). Instead, store the signature algorithms list and only select a signature algorithm when we're ready to do signature generation. Joint work with beck@.

2019-02-09  Rename tls1_handshake_hash*() to tls1_transcript_hash*().  (Joel Sing)
    While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches. ok inoguchi@ tb@

2019-01-24  Set pointer variables in tls13 handshake to NULL on clear  (Bob Beck)
    ok jsing@ bcook@

2019-01-24  Add server side of versions, keyshare, and client and server of cookie extensions for tls1.3.  (Bob Beck)
    versions is currently defanged to ignore its result until tls13 server side wired in full, so that server side code still works today when we only support tls 1.2 ok bcook@ tb@ jsing@

2019-01-24  move the extensions_seen into the handshake struct  (Bob Beck)
    ok jsing@

2019-01-23  revert previous, accidentally contained another diff in addition to the one I intended to commit  (Bob Beck)

2019-01-23  Modify sigalgs extension processing for TLS 1.3.  (Bob Beck)
    - Make a separate sigalgs list for TLS 1.3 including only modern algorithm choices which we use when the handshake will not negotiate TLS 1.2
    - Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
    ok jsing@ tb@

2019-01-21  Ensure we free TLS 1.3 handshake state.  (Joel Sing)
    There is no guarantee that ssl3_clear() is called before ssl3_free(), so free things here. Also move the chunk in ssl3_clear() up so that it is with the "free" code rather than the "reinit" code. ok beck@ tb@

2019-01-18  Add client side of supported versions and keyshare extensions with basic regress  (Bob Beck)
    ok jsing@

2018-11-08  Clean up and simplify the handshake transcript code.  (Joel Sing)
    This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO. ok beck@ ("hurry up") and tb@.

2018-11-08  Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.  (Joel Sing)
    ok beck@ tb@

2018-11-07  Add TLSv1.3 cipher suites (with appropriate guards).  (Joel Sing)
    ok beck@ tb@

2018-11-05  Rename the TLS Supported Elliptic Curves extension to Supported Groups.  (Joel Sing)
    RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported Groups and redefined it to include finite field DH (FFDH) in addition to elliptic curve DH (ECDH). As such, rename the TLS extension and change the associated code to refer to groups rather than curves. ok beck@ tb@

2018-11-05  Clean up the code that checks if we can choose an EC cipher suite.  (Joel Sing)
    The tls1_check_ec_tmp_key() function is now rather misnamed, so just inline the code. Also, rather than running tls1_get_shared_curve() once per EC cipher suite, we can run it once at the start of the ssl3_choose_cipher() function. ok bluhm@ tb@

2018-10-24  Make more of libssl's record layer state internal.  (Joel Sing)
    In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal. ok tb@

2018-09-06  Drop SSL_CIPHER_ALGORITHM2_AEAD flag.  (Joel Sing)
    All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag. ok tb@

2018-08-27  Add some missing statics.  (Joel Sing)

2018-08-24  Clean up handshake message start/finish functions.  (Joel Sing)
    Now that all handshake messages are created using CBB, remove the non-CBB ssl3_handshake_msg_start()/ssl3_handshake_msg_finish() functions. Rename the CBB variants by dropping the _cbb suffix. ok bcook@ inoguchi@ tb@

2018-06-02  Remove the three remaining single DES cipher suites.  (Joel Sing)
    These are insecure and should not be used - furthermore, we should not have been allowing their negotiation with TLSv1.2 (as noted by Robert Merget, Juraj Somorovsky and Simon Friedberger). Removing these cipher suites also fixes this issue. ok beck@ inoguchi@

2018-04-07  Nuke SSL3_FLAGS_DELAY_CLIENT_FINISHED and SSL3_FLAGS_POP_BUFFER.  (Joel Sing)
    These flags enabled experimental behaviour in the write path, which nothing uses. Removing this code greatly simplifies ssl3_write(). ok beck@ inoguchi@ sthen@ tb@

2018-03-15  Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version  (Jeremie Courreges-Anglas)
    We already provided the setters, so also provide the getters like OpenSSL does. Addition prompted by the use of those functions in recent openvpn releases. manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@ jsing@

2018-02-17  Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().  (Joel Sing)

2018-01-27  Convert ssl3_put_cipher_by_char() to CBB.  (Joel Sing)
    While here make the CBS usage in ssl3_get_cipher_by_char() more consistent with other code. ok inoguchi@

2017-10-08  Convert ssl3_send_change_cipher_spec() to use CBB and make it handle DTLS, which allows us to drop dtls1_send_change_cipher_spec() entirely.  (Joel Sing)
    ok inoguchi@

2017-09-25  Annotate some API-side memory leaks for future resolution.  (Joel Sing)

2017-08-28  ECDHE-RSA-DES-CBC3-SHA should not be marked HIGH.  (Joel Sing)
    Spotted by Andreas Bartelt <obsd at bartula dot de>

2017-08-28  Remove the original (pre-IETF) chacha20-poly1305 cipher suites.  (Joel Sing)
    Support for the IETF standardised chacha20-poly1305 cipher suites was added 16 months ago, which means they exist in both of the currently supported OpenBSD releases. Also prompted by Andreas Bartelt <obsd at bartula dot de>. ok beck@ doug@

2017-08-12  Remove NPN support.  (Joel Sing)
    NPN was never standardised and the last draft expired in October 2012. ALPN was standardised in July 2014 and has been supported in LibreSSL since December 2014. NPN has also been removed from Chromium in May 2016. TLS clients and servers that try to use/enable NPN will fail gracefully and fall back to the default protocol, since it will essentially appear that the other side does not support NPN. At some point in the future we will actually remove the NPN related symbols entirely. ok bcook@ beck@ doug@

2017-08-12  Remove support for DSS/DSA, since we removed the cipher suites a while back.  (Joel Sing)
    ok guenther@

2017-08-11  Convert ssl3_send_certificate_request() to CBB.  (Joel Sing)
    ok beck@ doug@

2017-08-10  Clean up the EC key/curve configuration handling.  (Joel Sing)
    Over the years OpenSSL grew multiple ways of being able to specify EC keys (and/or curves) for use with ECDH and ECDHE key exchange. You could specify a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via a callback that was provided with insufficient information (SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to problems (like ECDHE not being enabled) and potential weird configuration (like being able to do ECDHE without the ephemeral part...). We no longer support ECDH and ECDHE can be disabled by removing ECDHE ciphers from the cipher list. As such, permanently enable automatic EC curve selection and generation, effectively disabling all of the configuration knobs. The only exception is the SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous behaviour by configuring the curve of the given EC key as the only curve being enabled. Everything else becomes a no-op. ok beck@ doug@

2017-08-09  Consistently return from each SSL/SSL_CTX control case, rather than breaking from some and returning from others.  (Joel Sing)

2017-08-09  Split out the remaining SSL_CTX controls into individual functions.  (Joel Sing)

2017-08-09  Start splitting out SSL_CTX controls into individual functions, so that they can eventually be exposed as direct functions/symbols.  (Joel Sing)

2017-08-09  Be consistent and return from each SSL control case, rather than breaking from some.  (Joel Sing)

2017-08-09  Split out the remaining SSL controls into individual functions.  (Joel Sing)

2017-08-09  Split more controls into individual functions.  (Joel Sing)

2017-08-09  Start splitting out controls into individual functions, so that they can eventually be exposed as direct functions/symbols.  (Joel Sing)

2017-08-09  Remove unnecessary curly braces and unindent. Also add a few blank lines for readability.  (Joel Sing)

2017-08-09  Fix conditionals for DH controls.  (Joel Sing)

2017-07-15  Remove unused variable.  (Joel Sing)
    Reported by <dravion at ht-foss dot net>

2017-05-07  Drop cipher suites with DSS authentication - there is no good reason to keep these around.  (Joel Sing)
    ok beck@

2017-05-07  Move state from ssl->internal to the handshake structure.  (Bob Beck)
    while we are at it, convert SSLerror to use a function internally, so that we may later allocate the handshake structure and check for it ok jsing@