IABSD.fr/src/lib/libssl/ssl_srvr.c

Branch :


Log

Author Commit Date CI Message
8da299b8 2026-04-03 12:58:19 Ensure that we cannot negotiate TLSv1.1 or lower. TLS versions prior to TLSv1.2 were disabled a while ago, however this was done in the version handling code. Remove TLSv1.1 and earlier from ssl_get_method() and add an explicit min version check in the legacy client and server, to provide a stronger guarantee. ok kenjiro@ tb@
e8b75686 2025-12-04 21:03:42 Add a MLKEM768_X25519 hybrid key share. This implements the currently in use MLKEM768_X25519 hybrid key share as outlined in https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/ This commit does not yet wire this up to anything, that is done in follow on changes. ok tb@ jsing@ kenjiro@
f41886e8 2025-03-09 15:53:36 const correct tls_session_secret_cb_fn() Various ports throw a warning since their tls_session_secret_cb's signature doesn't match what we expect. Aligns us with OpenSSL 1.1. This is only useful for RFC 4851 EAP-FAST implementations and surprisingly it's undocumented. ok jsing
f4fe6251 2024-07-22 14:47:15 Use cipher suite values instead of IDs. OpenSSL has had the concept of cipher IDs, which were a way of working around overlapping cipher suite values between SSLv2 and SSLv3. Given that we no longer have to deal with this issue, replace the use of IDs with cipher suite values. In particular, this means that we can stop mapping back and forth between the two, simplifying things considerably. While here, remove the 'valid' member of the SSL_CIPHER. The ssl3_ciphers[] table is no longer mutable, meaning that ciphers cannot be disabled at runtime (and we have `#if 0' if we want to do it at compile time). Clean up the comments and add/update RFC references for cipher suites. ok tb@
387303bb 2024-07-20 04:04:23 Remove cipher from SSL_SESSION. For a long time SSL_SESSION has had both a cipher ID and a pointer to an SSL_CIPHER (and not both are guaranteed to be populated). There is also a pointer to an SSL_CIPHER in the SSL_HANDSHAKE that denotes the cipher being used for this connection. Some code has been using the cipher from SSL_SESSION and some code has been using the cipher from SSL_HANDSHAKE. Remove cipher from SSL_SESSION and use the version in SSL_HANDSHAKE everywhere. If resuming from a session then we need to use the SSL_SESSION cipher ID to set the SSL_HANDSHAKE cipher. And we still need to ensure that we update the cipher ID in the SSL_SESSION whenever the SSL_HANDSHAKE cipher changes (this only occurs in a few places). ok tb@
59ec10be 2024-07-19 08:56:17 Annotate issues with tls_session_secret_cb() related code.
1a5be6e3 2024-07-19 08:54:31 Move client ciphers from SSL_SESSION to SSL_HANDSHAKE. SSL_SESSION has a 'ciphers' member which contains a list of ciphers that were advertised by the client. Move this from SSL_SESSION to SSL_HANDSHAKE and rename it to match reality. ok tb@
b9e57b4b 2024-06-25 14:10:45 Implement RSA key exchange in constant time. RSA key exchange is known to have multiple security weaknesses, including being potentially susceptible to padding oracle and timing attacks. The RSA key exchange code that we inherited from OpenSSL was riddled with timing leaks, many of which we fixed (or minimised) early on. However, a number of issues still remained, particularly those related to libcrypto's RSA decryption and padding checks. Rework the RSA key exchange code such that we decrypt with RSA_NO_PADDING and then check the padding ourselves in constant time. In this case, the pre-master secret is of a known length, hence the padding is also a known length based on the size of the RSA key. This makes it easy to implement a check that is much safer than having RSA_private_decrypt() depad for us. Regardless, we still strongly recommend disabling RSA key exchange and using other key exchange methods that provide perfect forward secrecy and do not depend on client generated keys. Thanks to Marcel Maehren, Nurullah Erinola, Robert Merget, Juraj Somorovsky, Joerg Schwenk and Hubert Kario for raising these issues with us at various points in time. ok tb@
54e1aced 2024-02-03 17:39:17 Zap a trailing blank that snuck into ssl3_get_client_hello()
689a9b7e 2024-02-03 15:58:33 Remove GOST and STREEBOG support from libssl. This version of GOST is old and not anywhere close to compliant with modern GOST standards. It is also very intrusive in libssl and makes a mess everywhere. Efforts to entice a suitably minded anyone to care about it have been unsuccessful. At this point it is probably best to remove this, and if someone ever showed up who truly needed a working version, it should be a clean implementation from scratch, and have it use something closer to the typical API in libcrypto so it would integrate less painfully here. This removes it from libssl in preparation for it's removal from libcrypto with a future major bump ok tb@
699224b0 2023-12-29 12:24:33 Neuter the SSL_set_debug(3) API The TLSv1.3 stack didn't support this in the first place, and in the legacy stack it only added some dubious BIO_flush(3) calls. The sleep call between SSL_read(3) and SSL_write(3) advertised in the comment next to the flag has been a sleep call in the s_server since time immemorial, nota bene between calls to BIO_gets(3). Anyway. This can all go and what remains will go with the next major bump. ok jsing
56b1ac2f 2023-11-18 10:51:09 Check for negative EVP_CIPHER_CTX_iv_length() return in libssl ok beck
71e04849 2023-07-08 16:40:13 Hide all public symbols in libssl With the guentherizer 9000 ok tb@
bf68ec7f 2023-06-11 19:01:01 Convert legacy server kex to one-shot sign/verify This converts ssl3_{get,send}_server_key_exchange() to EVP_DigestVerify() and EVP_DigestSign(). In order to do this, build the full signed_params up front and rework the way the key exchange parameters are constructed. This way we can do the verify and sign steps in one go and at the same use a more idiomatic approach with CBB/CBS. with/ok jsing
80a887b4 2023-06-11 18:50:51 Easy EVP_Digest{Sign,Verify} conversions for legacy stack Convert ssl3_send_client_verify_{sigalgs,gost}() to EVP_DigestSign() and ssl3_get_cert_verify() to EVP_DigestVerify(). ok jsing
40ca958b 2022-12-26 07:31:44 spelling fixes; from paul tagliamonte ok tb
c9675a23 2022-11-26 16:08:50 Make internal header file names consistent Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
6f7f653b 2022-10-02 16:36:41 Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL. These are no longer necessary due to SSL_CTX and SSL now being fully opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back into SSL. Prompted by tb@
eb1ff9ef 2022-10-01 16:23:15 Move handshake message handling functions from ssl_both.c to client/server. Currently, ssl_both.c contains several functions that are used by both the legacy client and legacy server. This interwines the client and server, making it harder to make progressive changes. While it does deduplicate some code, it also ends up with code that is conditioned on s->server and forces the caller to pass in SSL3_ST_* values. Move these functions from ssl_both.c into ssl_clnt.c and ssl_srvr.c, renaming as appropriate and removing the s->server conditionals. Also move the client and server function prototypes from ssl_locl.h into the .c files, making them static in the process. ok tb@
ad618767 2022-08-17 07:39:19 Deduplicate peer certificate chain processing code. Rather than reimplement this in each TLS client and server, deduplicate it into a single function. Furthermore, rather than dealing with the API hazard that is SSL_get_peer_cert_chain() in this code, simply produce two chains - one that has the leaf and one that does not. SSL_get_peer_cert_chain() can then return the appropriate one. This also moves the peer cert chain from the SSL_SESSION to the SSL_HANDSHAKE, which makes more sense since it is not available on resumption. ok tb@
a5c907f4 2022-07-03 14:58:00 Simplify certificate list handling code in legacy server. A client is required to send an empty list if it does not have a suitable certificate - handle this case up front, rather than going through the normal code path and ending up with an empty certificate list. This matches what we do in the TLSv1.3 stack and will allow for ruther clean up (in addition to making the code more readable). Also tidy up the CBS code and remove some unnecessary length checks. Use 'cert' and 'certs' for certificates, rather than 'x' and 'sk'. ok tb@
c5270c5d 2022-07-02 16:00:12 Rename uses 'curve' to 'group' and rework tls1 group API. This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent. Based on a suggestion by jsing ok jsing
89b4969b 2022-06-30 11:17:49 Add checks to ensure we do not initiate or negotiate handshakes with versions below the minimum required by the security level. input & ok jsing
2c1036d8 2022-06-29 08:27:51 Check the security of DH key shares ok beck, looks good to jsing
678f3880 2022-06-29 07:53:58 Check the security level when building sigalgs ok beck jsing
bab2d47b 2022-06-28 14:51:37 Free ciphers before assigning to them While this is not a leak currently, it definitely looks like one. Pointed out by jsing on review of a diff that touched the vicinity a while ago. ok jsing
573b2ffa 2022-06-07 17:14:17 Add error checking to tls_session_secret_cb() calls Failure of this undocumented callback was previously silently ignored. Follow OpenSSL's behavior and throw an internal error (for lack of a better choice) if the callback failed or if it set the master_key_length to a negative number. Unindent the success path and clean up some strange idioms. ok jsing
02876cc3 2022-02-05 14:54:10 Bye bye S3I. S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed. ok inoguchi@ tb@
15b5e1ec 2022-01-11 19:03:15 Remove peer_pkeys from SSL_SESSION. peer_pkeys comes from some world where peers can send multiple certificates - in fact, one of each known type. Since we do not live in such a world, get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2 and TLSv1.3, both clients and servers can only send a single leaf (aka end-entity) certificate). ok inoguchi@ tb@
666c9986 2022-01-11 18:39:28 Rename 'peer' to 'peer_cert' in SSL_SESSION. The 'peer' member of SSL_SESSION is the leaf/end-entity certificate provided by our peer. Rename it since 'peer' on its own is unhelpful. ok inoguchi@ tb@
7dd422f8 2022-01-11 18:28:41 Plumb decode errors through key share parsing code. Distinguish between decode errors and other errors, so that we can send a SSL_AD_DECODE_ERROR alert when appropriate. Fixes a tlsfuzzer failure, due to it expecting a decode error alert and not receiving one. Prompted by anton@ ok tb@
c3b8e425 2022-01-09 15:40:13 Clean up ssl3_{send,get}_client_kex_gost() Fix leaks, use sizeof() instead of hardcoded sizes, actually check return codes, explicit_bzero() the premaster secret on the server side and generally try to kick the GOST kex code into some sort of shape. ok inoguchi@ tb@
7caec30c 2022-01-09 15:34:21 Return 0/1 from ssl3_{send,get}_client_kex_gost() Like other KEX handling functions, there is no need to return anything other than failure/success here. ok inoguchi@ tb@
54ad05ac 2022-01-09 15:28:47 Fix GOST skip certificate verify handling. GOST skip certificate verify handling got broken in r1.132 of s3_srvr.c circa 2016. Prior to this, ssl3_get_client_key_exchange() returned an 'extra special' value to indicate that the state machine should skip certificate verify. Fix this by setting and checking the TLS1_FLAGS_SKIP_CERT_VERIFY flag, which is the same as is done in the client. ok inoguchi@ tb@
7cf55da3 2022-01-08 12:59:58 Merge SESS_CERT into SSL_SESSION. There is no reason for SESS_CERT to exist - remove it and merge its members into SSL_SESSION for the time being. More clean up to follow. ok inoguchi@ tb@
ef36d1f9 2022-01-08 12:43:44 Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY. Nearly all structs in libssl start with an SSL_ suffix, rename CERT and CERT_PKEY for consistency. ok inoguchi@ tb@
c0b85757 2022-01-07 16:45:06 Rename dh_tmp to dhe_params. Support for non-ephemeral DH was removed a long time ago - as such, the dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect reality. ok inoguchi@ tb@
aebe2672 2022-01-07 15:46:30 Convert legacy server to tls_key_share. This requires a few more additions to the DHE key share code - we need to be able to either set the DHE parameters or specify the number of key bits for use with auto DHE parameters. Additionally, we need to be able to serialise the DHE parameters to send to the client. This removes the infamous 'tmp' struct from ssl3_state_internal_st. ok inoguchi@ tb@
9ccbb9b1 2022-01-04 12:53:31 Return 0 on failure from send/get kex functions in the legacy stack. In the legacy stack, a message handling function returns -1 for failure, 0 for need more data and 1 for success (although in extra special cases 2 may also be used). However, the various send/get kex functions only need to indicate success or failure - switch these to return 0 on failure (rather than -1) and use normal result testing. This leaves GOST unchanged for now, as that code is special and needs extra work. ok inoguchi@ tb@
2a6cb758 2021-12-26 15:10:59 Hoist memset of CBB above EVP_MD_CTX_new() and HMAC_CTX_new() to avoid a use of uninitialized in the unlikely event that either of them fails. Problem introduced in r1.128. CID 345113 ok jsing
e0f8f021 2021-12-09 17:53:29 Convert ssl_srvr.c to opaque EVP_MD_CTX. ok inoguchi jsing
40050a94 2021-12-04 14:03:22 Clean up and refactor server side DHE key exchange. Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation based on parameters determined by the specified key bits. Convert the existing DHE auto parameter selection code into a function that just tells us how many key bits to use. Untangle and rework the server side DHE key exchange to use the ssl_kex_* functions. ok inoguchi@ tb@
ff0f83bf 2021-11-29 16:03:56 Convert server serialisation of DHE parameters/public key to new functions. ok inoguchi@ tb@
5c273ab3 2021-11-26 16:41:42 Stop reaching into EVP_PKEY in the rest of libssl. ok inoguchi jsing
7aaded86 2021-11-19 18:53:10 libssl: don't reach for pkey->save_type. For some strange historical reason ECDSA_sign() and ECDSA_verify}() have a type argument that they ignore. For another strange historical reason, the type passed to them from libssl is pkey->save_type, which is used to avoid expensive engine lookups when setting the pkey type... Whatever the aforementioned reasons were, we can't access pkey->save_type with the OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque. Simply pass in 0 instead. ok jsing
7e086035 2021-10-25 10:01:46 Fold SSL_SESSION_INTERNAL back into SSL_SESSION. ok beck@ tb@
01f29c58 2021-10-23 14:40:54 Provide a way to determine our maximum legacy version. With the introduction of TLSv1.3, we need the ability to determine our maximum legacy version and to track our peer's maximum legacy version. This is needed for both the TLS record layer when using TLSv1.3, plus it is needed for RSA key exhange in TLS prior to TLSv1.3, where the maximum legacy version is incorporated in the pre-master secret to avoid downgrade attacks. This unbreaks RSA KEX for the TLS client when the non-version specific method is used with TLSv1.0 or TLSv1.1 (clearly no one does this). ok tb@
f19d9718 2021-10-23 13:36:03 Fold DTLS1_STATE_INTERNAL into DTLS1_STATE. Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into DTLS1_STATE and remove D1I() usage. ok tb@
f2c3e964 2021-10-23 08:34:36 Untangle ssl3_get_message() return values. This function currently has a long return type that may be <= 0 on error/retry (which is then cast to an int in order to return it up the stack), or it returns the length of the handshake message (on success). This obviously means that 0 can be returned for both success and failure, which is the reason why a separate 'ok' argument has to exist. Untangle this mess by changing the return value to an int that indicates success (1) or error/retry (<= 0). The length never needs to actually be returned as it is already stored in s->internal->init_num (which is where the return value is read from anyway). ok tb@
b73cd773 2021-09-03 13:18:01 Ensure that a client hello does not have trailing data. Found by tlsfuzzer. ok beck@
545b2b63 2021-08-30 19:25:43 Clean up and simplify info and msg callbacks. The info and msg callbacks result in duplication - both for code that refers to the function pointers and for the call sites. Avoid this by providing typedefs for the function pointers and pulling the calling sequences into their own functions. ok inoguchi@ tb@
ca31118f 2021-06-29 19:43:15 Track sigalg used by ourselves and our peer in the legacy stack. This is needed for upcoming API additions.
68cc6f9a 2021-06-29 19:24:07 Convert legacy stack server to ssl_sigalg_for_peer(). ok inoguchi@ tb@
9bba4ac0 2021-06-29 19:10:08 Move the RSA-PSS check for TLSv1.3 to ssl_sigalg_pkey_ok(). Also, rather than passing in a check_curve flag, pass in the SSL * and handle version checks internally to ssl_sigalg_pkey_ok(), simplifying the callers. ok inoguchi@ tb@
d2a2fa5f 2021-06-27 18:15:35 Change ssl_sigalgs_from_value() to perform sigalg list selection. Rather that passing in a sigalg list at every call site, pass in the appropriate TLS version and have ssl_sigalgs_from_value() perform the sigalg list selection itself. This allows the sigalg lists to be made internal to the sigalgs code. ok tb@
36e55595 2021-06-27 18:09:07 Rename ssl_sigalg() to ssl_sigalg_from_value(). This makes the code more self-documenting and avoids the ambiguity between ssl_sigalg the struct and ssl_sigalg the function. ok tb@
c4b0c3ce 2021-06-27 17:59:17 Change ssl_sigalgs_build() to perform sigalg list selection. Rather that doing sigalg list selection at every call site, pass in the appropriate TLS version and have ssl_sigalgs_build() perform the sigalg list selection itself. This reduces code duplication, simplifies the calling code and is the first step towards internalising the sigalg lists. ok tb@
10e340b2 2021-05-16 14:10:43 Make local header inclusion consistent. Consistently include local headers in the same location, using the same grouping/sorting across all files.
4b0cebd1 2021-05-16 13:56:30 Move DTLS structs/definitions/prototypes to dtls_locl.h. Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists. ok inoguchi@ tb@
f4dd87b5 2021-05-16 08:24:21 Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_* Where a file references to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
b3d9ef4b 2021-05-02 17:46:58 Clean up tls1_change_cipher_state(). Replace flag gymnastics at call sites with separate read and write, functions which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code. ok inoguchi@ tb@
56985c13 2021-05-02 17:28:33 In the TLSv1.2 server, set up the key block after sending the CCS. This avoids calling into the key block setup code multiple times and makes the server code consistent with the client. ok inoguchi@ tb@
8950dd79 2021-05-02 17:18:10 Clean up dtls1_reset_seq_numbers(). Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server. ok inoguchi@ tb@
155a0ed0 2021-04-30 19:26:44 Clean up and harden TLSv1.2 master key derivation. The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites. If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later. ok inoguchi@ tb@
643d65b6 2021-04-25 13:15:22 Clean up derivation of finished/peer finished. Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code. ok inoguchi@ tb@
1f38de1d 2021-04-21 19:27:56 Clean up TLSv1.2 certificate request handshake data. Currently cert_req is used by clients and cert_request is used by servers. Replace this by a single cert_request used by either client or server. Remove the certificate types as they are currently unused. This also fixes a bug whereby if the number of certificate types exceeds SSL3_CT_NUMBER the number of bytes read in is insufficient, which will break decoding. ok inoguchi@ tb@
03eef713 2021-04-19 16:51:56 Move reuse_message, message_type, message_size and cert_verify into the TLSv1.2 handshake struct. ok inoguchi@ tb@
5c4127ad 2021-03-29 16:56:20 Avoid transcript initialisation when sending a TLS HelloRequest. When server side renegotiation is triggered, the TLSv1.2 state machine sends a HelloRequest before going to ST_SW_FLUSH and ST_OK. In this case we do not need the transcript and currently hit the sanity check in ST_OK that ensures the transcript has been freed, breaking server initiated renegotiation. We do however need the transcript in the DTLS case. ok tb@
b0828d45 2021-03-27 17:56:28 Garbage collect s->internal->type This variable is used in the legacy stack to decide whether we are a server or a client. That's what s->server is for... The new TLSv1.3 stack failed to set s->internal->type, which resulted in hilarious mishandling of previous_{client,server}_finished. Indeed, both client and server would first store the client's verify_data in previous_server_finished and later overwrite it with the server's verify_data. Consequently, renegotiation has been completely broken for more than a year. In fact, server side renegotiation was broken during the 6.5 release cycle. Clearly, no-one uses this. This commit fixes client side renegotiation and restores the previous behavior of SSL_get_client_CA_list(). Server side renegotiation will be fixed in a later commit. ok jsing
661440b7 2021-03-24 18:43:59 Rename new_cipher to cipher. This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data. ok inoguchi@ tb@
48b0de1e 2021-03-24 18:40:03 Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data. Move TLSv1.2 specific components over from SSL_HANDSHAKE. ok inoguchi@ tb@
1927d779 2021-03-11 17:14:46 Remove ssl_downgrade_max_version(). Now that we store our maximum TLS version at the start of the handshake, we can check against that directly. ok inoguchi@ tb@
c5e6469d 2021-03-10 18:27:01 Improve internal version handling. Add handshake fields for our minimum TLS version, our maximum TLS version and the TLS version negotiated during the handshake. Initialise our min/max versions at the start of the handshake and leave these unchanged. The negotiated TLS version is set in the client once we receive the ServerHello and in the server at the point we select the highest shared version. Provide an ssl_effective_version() function that returns the negotiated TLS version if known, otherwise our maximum TLS version - this is effectively what is stored in s->version currently. Convert most of the internal code to use one of these three version fields, which greatly simplifies code (especially in the TLS extension handling code). ok tb@
3586f9d4 2021-02-20 14:16:56 ugly whitespace
ba06b73e 2021-02-20 14:14:16 Rename f_err into fatal_err. discussed with jsing
e0d5994d 2021-02-20 14:03:50 Rename the truncated label into decode_err. This describes its purpose better and doesn't look odd if there's trailing data for exapmle. Indent a few labels in the neighborhood while there. ok jsing
4ddbf855 2021-02-20 08:22:55 Revise HelloVerifyRequest handling for DTLSv1.2. Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always contain DTLSv1.0 - ensure this is the case on the server side, allow both DTLSv1.0 and DTLSv1.2 on the client. ok tb@
b81375cc 2021-02-07 15:04:10 Factor out the legacy stack version checks. Also check for explicit version numbers, rather than just the major version value. ok tb@
f2284ad0 2021-01-26 14:22:19 Move sequence numbers into the new TLSv1.2 record layer. This allows for all of the DTLS sequence number save/restore code to be removed. ok inoguchi@ "whee!" tb@
1365e68c 2021-01-19 18:57:09 Provide functions to determine if TLSv1.2 record protection is engaged. Call these functions from code that needs to know if we've changed cipher state and enabled record protection, rather than inconsistently checking various pointers from other places in the code base. This also fixes a minor bug where the wrong pointers are checked if we're operating with AEAD. ok inoguchi@ tb@
9e659261 2020-10-14 16:57:33 Replace SSL_IS_DTLS with SSL_is_dtls(). Garbage collect the now unused SSL_IS_DTLS macro. ok tb@
9fef1c44 2020-10-11 02:22:27 Condense and simplify TLS methods. Historically, OpenSSL has had client and server specific methods - the only difference between these is that the .ssl_connect or .ssl_accept function pointer is set to ssl_undefined_function, with the intention of reducing code size for a statically linked binary that was only a client or server. These days the difference is minimal or non-existant in many cases and we can reduce the amount of code and complexity by having single method. Internally remove all of the client and server specific methods, simplifying code in the process. The external client/server specific API remain, however these now return the same thing as TLS_method() does. ok tb@
f6d60a7a 2020-10-03 18:01:55 Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c The d1_{clnt,srvr}.c contain a single function each - merge these into the ssl_{clnt,srvr}.c, renaming them with an ssl3_ prefix for consistency. ok beck@ tb@
beb7767d 2020-09-24 18:12:00 Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function. ok beck@ inoguchi@ tb@
bfc125de 2020-09-17 15:23:29 Simplify SSL method lookups. There are three places where we call tls1_get_{client,server}_method() and if that returns NULL, call dtls1_get_{client,server}_method(). Simplify this by combining the lookup into a single function. While here also use uint16_t for version types. ok inoguchi@ millert@
930c38d2 2020-09-12 17:27:11 Use the correct type for tls1_set_ec_id() The curve_id is a uint16, not an int. ok beck jsing
8b316ce8 2020-09-11 17:36:27 Remove cipher_list_by_id. When parsing a cipher string, a cipher list is created, before being duplicated and sorted - the second copy being stored as cipher_list_by_id. This is done only so that a client can ensure that the cipher selected by a server is in the cipher list. This is pretty pointless given that most clients are short-lived and that we already had to iterate over the cipher list in order to build the client hello. Additionally, any update to the cipher list requires that cipher_list_by_id also be updated and kept in sync. Remove all of this and replace it with a simple linear scan - the overhead of duplicating and sorting the cipher list likely exceeds that of a simple linear scan over the cipher list (64 maximum, more typically ~9 or so). ok beck@ tb@
9a3f7535 2020-08-31 14:04:51 Send alert on ssl_get_prev_session failure ssl_get_prev_session() can fail for various reasons some of which may be internal_error others decode_error alerts. Propagate the appropriate alert up to the caller so we can abort the handshake by sending a fatal alert instead of rudely closing the pipe. Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass. With this diff, 272 pass. The rest will require fixes elsewhere. ok beck inoguchi jsing
9b8a142f 2020-07-03 04:12:50 Improve argument order for the internal tlsext API Move is_server and msg_type right after the SSL object so that CBS and CBB and alert come last. This brings these functions more in line with other internal functions and separates state from data. requested by jsing
c2a7ee20 2020-06-05 17:53:26 Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures. GOST cipher suites requires that CertVerify signatures be generated in a special way (see ssl3_send_client_kex_gost(), ssl3_get_cert_verify()). However, the GOST_SIG_FORMAT_RS_LE flag was not passed in case of TLS 1.2 connections (because they use different code path). Set this flag on GOST PKEYs. Diff from Dmitry Baryshkov <dbaryshkov@gmail.com> Sponsored by ROSA Linux ok inoguchi@ tb@
fc1fe0f6 2020-06-01 08:04:02 Send an illegal_parameter alert if a client sends us invalid DH key shares. Previously we would fail and just close the pipe. Fixes the remaining failing test-dhe-rsa-key-exchange-with-bad-messages.py tests of tlsfuzzer. ok beck (earlier version) jsing
3231e218 2020-05-31 16:36:35 Correct downgrade sentinels when a version pinned method is in use. Previously only the enabled protocol versions were considered, however we also have to consider the method in use which may be version pinned. Found the hard way by danj@ with haproxy and force-tlsv12. ok beck@ inoguchi@ tb@
16933562 2020-05-19 16:35:20 Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA. Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the intention of handling RSA sign only certificates... this incomplete code had the following comment: /* check to see if this is a signing only certificate */ /* EAY EAY EAY EAY */ And while the comment was removed in 2005, the incomplete RSA sign-only handling has remained ever since. Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While here also remove the unused SSL_PKEY_DH_RSA. ok tb@
d875fefd 2020-05-10 14:17:47 Use size_t for OCSP response length. The OCSP response length is currently an integer, which is overloaded with -1 meaning "unset". Use a size_t for the OCSP response length and infer unset from the OCSP response being NULL. This makes code more readable, simpler and less error prone. ok beck@
380a8bef 2020-05-09 13:51:44 On receiving an overlong session ID terminate with an illegal_parameter alert. Found with tlsfuzzer. ok jsing
34393826 2020-03-06 16:31:30 TLSv1.3 servers that intend to downgrade are required to set the last eight bytes of the server's random to a magic cookie (RFC 8446, 4.1.3). The TLSv1.3 spec changes the TLSv1.2 spec in that it recommends that TLSv1.2 servers that negotiate TLSv1.1 or below do the same. This gives a limited additional protection against downgrade attacks beyond what is already present in the Finished exchange. The TLSv1.3 part was already implemented in Hobart and can be trivially modified to do the TLSv1.2 bit as well. ok inoguchi, jsing
bcac99ac 2020-02-16 14:33:04 Avoid leak for tmp.x25519 Changed to use local variable to hold malloc address rather than directly set to S3I(s)->tmp.x25519, and set that private_key pointer to S3I(s)->tmp.x25519 after all the "goto err;". Also added freezero for S3I(s)->tmp.x25519 to ssl3_free() and ssl3_clear(). ok jsing@ tb@
69428dca 2020-01-30 16:25:09 Factor out/rewrite the ECDHE EC point key exchange code. This reduces replication between the existing TLS client/server and allows the code to soon be reused for TLSv1.3. With feedback from inoguchi@ and tb@ ok inoguchi@ tb@
dc77a1b6 2020-01-23 10:48:37 Remove the ssl_get_message function pointer from SSL_METHOD_INTERNAL. ssl_get_message is essentially a switch between ssl3_get_message and dtls1_get_message, both only used by the legacy stack. Instead, use SSL_IS_DTLS() in ssl3_get_message to call the DTLS function when necessary. ok beck@ inoguchi@ tb@
bec9724e 2020-01-23 08:04:50 If we are building a legacy server hello, check to see if we are downgrading from TLS 1.3. If we are, set the last 8 bytes of the server_random value to the required values as per RFC 8446 section 4.1.3 indicating that we deliberately meant to downgrade. ok jsing@