path: root/lib/libssl
Age  Commit message  (Author)

2022-10-01  Move handshake message handling functions from ssl_both.c to client/server.  (Joel Sing)
    Currently, ssl_both.c contains several functions that are used by both the legacy client and legacy server. This intertwines the client and server, making it harder to make progressive changes. While it does deduplicate some code, it also ends up with code that is conditioned on s->server and forces the caller to pass in SSL3_ST_* values. Move these functions from ssl_both.c into ssl_clnt.c and ssl_srvr.c, renaming as appropriate and removing the s->server conditionals. Also move the client and server function prototypes from ssl_locl.h into the .c files, making them static in the process. ok tb@

2022-09-17  Allow TLSv1.3 clients to send CCS without middlebox compatibility mode.  (Joel Sing)
    While RFC 8446 is clear about what legacy session identifiers can be sent by a TLSv1.3 client and how middlebox compatibility mode is requested, it is delightfully vague about the circumstances under which a client is permitted to send CCS messages. While it does not make sense for a client to send CCS messages when they are not requesting middlebox compatibility mode, it is not strictly forbidden by the RFC and at least one (unknown) TLSv1.3 stack has been observed to do this in the wild. Revert part of the previous change and allow clients to send CCS messages, even if they are not requesting middlebox compatibility mode. Found the hard way by florian@ ok tb@

2022-09-17  Link to SSL_read_early_data(3)  (Klemens Nanni)
    OK tb

2022-09-11  Enforce the minimum TLS version requirement for QUIC.  (Joel Sing)
    ok tb@

2022-09-11  Crank major after symbol addition and libcrypto major bump  (Theo Buehler)

2022-09-11  Update Symbols.list  (Theo Buehler)
    ok jsing

2022-09-11  Expose SSL_get_shared_{group,curve}() and related #defines  (Theo Buehler)
    ok jsing

2022-09-11  Expose some error codes needed for QUIC support  (Theo Buehler)
    ok jsing

2022-09-11  Be stricter with middlebox compatibility mode in the TLSv1.3 server.  (Joel Sing)
    Only allow a TLSv1.3 client to request middlebox compatibility mode if this is permitted. Ensure that the legacy session identifier is either zero length or 32 bytes in length. Additionally, only allow CCS messages on the server side if the client actually requested middlebox compatibility mode. ok tb@

2022-09-11  Only permit CCS messages if requesting middlebox compatibility mode.  (Joel Sing)
    Currently the TLSv1.3 client always permits the server to send CCS messages. Be more strict and only permit this if the client is actually requesting middlebox compatibility mode. ok tb@

2022-09-11  Use CBS when processing a CCS message in the legacy stack.  (Joel Sing)
    ok tb@

2022-09-11  Ensure there is no trailing data for a CCS received by the TLSv1.3 stack.  (Joel Sing)
    ok tb@

2022-09-10  Use CBS to parse TLS alerts in the legacy stack.  (Joel Sing)
    ok tb@

2022-09-10  Provide a version of ssl_msg_callback() that takes a CBS.  (Joel Sing)
    Use this from the TLSv1.3 code. ok tb@

2022-09-10  fix repeated words  (Jonathan Gray)
    ok ok miod@ ack ack jmc@

2022-09-08  ssl_cipher_process_rulestr: return early if a cipher command is invalid  (Todd C. Miller)
    This is a safer fix for the bug where we might read outside rule_str buffer and is how BoringSSL fixed it. OK tb@

2022-09-07  ssl_cipher_process_rulestr: don't read outside rule_str buffer  (Todd C. Miller)
    If rule_str ended in a "-", "l" was incremented one byte past the end of the buffer. This resulted in an out-of-bounds read when "l" is dereferenced at the end of the loop. OK tb@

2022-09-04  Make ssl_create_cipher_list() have a single exit  (Theo Buehler)
    This simplifies memory management and makes it easier to see the leaks that were introduced in the previous commit. Sprinkle a few malloc errors for consistency. CID 278396 with/ok jsing

2022-09-01  Check sk_SSL_CIPHER_push() return value  (Theo Buehler)
    CID 24797 ok jsing

2022-08-31  Recommit -r1.45 but without error checking EVP_PKEY_copy_parameters()  (Theo Buehler)
    EVP_PKEY_copy_parameters() will unconditionally fail if the pkey's ameth has no copy_params(). Obviously this is indistinguishable from actual failure... ok jsing

2022-08-31  Revert r1.46. Causes fireworks in regress.  (Theo Buehler)

2022-08-31  Avoid potential NULL dereference in ssl_set_pkey()  (Theo Buehler)
    Switch from X509_get_pubkey() to X509_get0_pubkey() to avoid an unnecessary EVP_PKEY_free(). Check the return values of X509_get0_pubkey() and EVP_PKEY_copy_parameters(). If the former returns NULL, the latter will dereference NULL. CID 25020 ok jsing

2022-08-30  Remove a commented-out sk_push that has been hanging around for > 20 years  (Theo Buehler)

2022-08-30  Plug leak of BIO in tls13_quic_init()  (Theo Buehler)
    If rbio and wbio are the same, SSL_free() only frees one BIO, so the BIO_up_ref() before SSL_set_bio() leads to a leak. ok jsing

2022-08-27  Handle SSL_do_handshake() being called before SSL_provide_quic_data().  (Joel Sing)
    If SSL_do_handshake() is called before SSL_provide_quic_data() has been called, the QUIC read buffer will not have been initialised. In this case we want to return TLS13_IO_WANT_POLLIN so that the QUIC stack will provide handshake data.

2022-08-21  Provide the remaining QUIC API.  (Joel Sing)
    While more work is still required, this is sufficient to get ngtcp2 to compile with QUIC and for curl to be able to make HTTP/3 requests. ok tb@

2022-08-21  Wire up SSL_QUIC_METHOD callbacks to the record layer callbacks for QUIC.  (Joel Sing)
    ok tb@

2022-08-21  Provide SSL_QUIC_METHOD.  (Joel Sing)
    This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely ported/adapted from BoringSSL. It is worth noting that this struct is not opaque and the original interface exposed by BoringSSL differs from the one they now use. The original interface was copied by quictls and it appears that this API will not be updated to match BoringSSL. To make things even more challenging, at least one consumer does not use named initialisers, making code completely dependent on the order in which the function pointers are defined as struct members. In order to try to support both variants, the set_read_secret/set_write_secret functions are included, however they have to go at the end. ok tb@

2022-08-21  Provide and use QUIC specific error reasons.  (Joel Sing)
    ok tb@

2022-08-21  Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.  (Joel Sing)
    ok tb@

2022-08-21  Prepare to provide SSL_ERROR_WANT_{ASYNC,ASYNC_JOB,CLIENT_HELLO_CB}  (Joel Sing)
    LibreSSL will not return these values, however software is starting to check for these as return values from SSL_get_error(). ok tb@

2022-08-20  zap a tab  (Theo Buehler)

2022-08-18  Tweak prototype to match function definition (n -> index)  (Theo Buehler)

2022-08-17  Implement the SSL_CTRL_GET_SHARED_GROUP control  (Theo Buehler)
    This implements SSL_get_shared_{curve,group}() in a bug-compatible fashion with OpenSSL. This is your average OpenSSL-style overloaded parameter API where n >= 0 means "return the n-th shared group's NID" (as if anyone possibly ever cared about the case n > 0) and n == -1 means "return the number of shared groups". There is also an undocumented case n == -2 for Suite B profile support which falls back to n == 0 in case Suite B profile support is disabled, so n == -2 is the same as n == 0 in LibreSSL. The API also returns 0 for error, which is indistinguishable from a count of 0 shared groups but coincides with NID_undef. Contrary to claims in the documentation, the API doesn't actually return -1 for clients, rather it returns 0. Obviously this entire exercise is pretty useless, but since somebody exposed it because they could and someone else used it because they could we need to provide it. ok jsing

2022-08-17  Refactor tls1_get_supported_group()  (Theo Buehler)
    This splits tls1_get_supported_group() into a few helper functions to be able to count shared groups and to return the n-th shared group since someone thought it is a great idea to expose that in a single API and some others thought it is useful to add this info to log noise. This is all made a bit more complicated thanks to the security level having its tentacles everywhere and because a user-provided security callback can influence the list of groups shared by the peers. ok jsing

2022-08-17  Add SSL_get_shared_{curve,group}()  (Theo Buehler)
    These are wrappers of SSL_ctrl() using the SSL_CTRL_GET_SHARED_GROUP control. Do not provide SSL_CTRL_GET_SHARED_CURVE since that is only mentioned in Net::SSLeay docs according to codesearch.debian.net. ok jsing

2022-08-17  Make tls1_get_{format,group_}list() take a const SSL  (Theo Buehler)
    ok jsing

2022-08-17  Provide ssl_security_shared_group()  (Theo Buehler)
    Refactor ssl_security_supported_group() into a wrapper of a new internal ssl_security_group() which takes a secop as an argument. This allows adding ssl_security_shared_group() which will be needed in upcoming commits. ok jsing

2022-08-17  Deduplicate peer certificate chain processing code.  (Joel Sing)
    Rather than reimplement this in each TLS client and server, deduplicate it into a single function. Furthermore, rather than dealing with the API hazard that is SSL_get_peer_cert_chain() in this code, simply produce two chains - one that has the leaf and one that does not. SSL_get_peer_cert_chain() can then return the appropriate one. This also moves the peer cert chain from the SSL_SESSION to the SSL_HANDSHAKE, which makes more sense since it is not available on resumption. ok tb@

2022-08-15  Avoid shadowing the cbs function parameter in tlsext_alpn_server_parse()  (Theo Buehler)
    ok jsing

2022-08-15  Remove redeclaration of ret  (Theo Buehler)
    When ret was introduced in an outer scope in r1.113, this declaration wasn't garbage collected. ok jsing

2022-08-04  Make tlsext_*_{build,needs,parse}() functions static  (Theo Buehler)
    None of these functions are used outside of ssl_tlsext.c. The only reason they are prototyped in the header is for the use of tlsexttest.c. Rather than having a big pile of useless copy-paste in the header, we can adapt the test to avoid using these functions directly. ok jsing

2022-07-30  update copyright years  (Theo Buehler)

2022-07-24  Move cipher_id bsearch functions back to the bottom of the file.  (Joel Sing)

2022-07-24  Set NULL BIOs for QUIC.  (Joel Sing)
    When used with QUIC, the SSL BIOs are effectively unused, however we still currently expect them to exist for status (such as SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE). Set up NULL BIOs if QUIC is in use. ok tb@

2022-07-24  Provide record layer callbacks for QUIC.  (Joel Sing)
    QUIC uses TLS to complete the handshake, however unlike normal TLS it does not use the TLS record layer, rather it provides its own transport. This means that we need to intercept all communication between the TLS handshake and the record layer. This allows TLS handshake message writes to be directed to QUIC, likewise for TLS handshake message reads. Alerts also need to be sent via QUIC, plus it needs to be provided with the traffic keys that are derived by TLS. ok tb@

2022-07-24  Move tls13_phh_done_cb() after tls13_phh_received_cb().  (Joel Sing)
    This is the order that they're called/run in.

2022-07-24  Provide QUIC encryption levels.  (Joel Sing)
    QUIC wants to know what "encryption level" handshake messages should be sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that defines these (of course quictls decided to make this an OSSL_ENCRYPTION_LEVEL typedef, so provide that as well). Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so that they can be used in upcoming commits. ok tb@

2022-07-24  Rely on tlsext_parse() to set a decode_error alert  (Theo Buehler)
    Instead of setting the alert manually in various parse handlers, we can make use of the fact that tlsext_parse() sets the alert to decode_error by default. This simplifies the code quite a bit. ok jsing

2022-07-22  Convert TLS transcript from BUF_MEM to tls_buffer.  (Joel Sing)
    ok beck@ tb@