IABSD.fr/src/lib/libssl

Log

Commit Date Message
9b8b9b48 2020-03-10 17:23:25 Use ctx->hs->secrets rather than the S3I(s) version. ok inoguchi@ tb@
a097d0da 2020-03-10 17:15:02 Remove some unnecessary handshake enums/functions. Both session tickets and key updates are post-handshake handshake messages, which were originally included in the handshake code. ok inoguchi@ tb@
96130b2d 2020-03-10 17:11:25 Add a return value check to tls13_buffer_extend(). In the unlikely event that the return value from the read callback is larger than the number of bytes we asked for, we can end up incrementing buf->len beyond capacity. Check the return value from the read callback to prevent this. ok inoguchi@ tb@
6f4f83c6 2020-03-10 17:02:21 Remove the enc function pointers. The enc function pointers do not serve any purpose these days - remove a layer of indirection and call dtls1_enc()/tls1_enc() directly. ok inoguchi@ tb@
75c0f652 2020-03-06 16:36:47 RFC 8446, section 4.1.3: If a TLSv1.2 client receives a ServerHello for TLSv1.1 or below, it should check whether the server's random value contains the magic downgrade protection cookie and in that case abort the handshake with an illegal parameter alert. ok inoguchi, jsing
34393826 2020-03-06 16:31:30 TLSv1.3 servers that intend to downgrade are required to set the last eight bytes of the server's random to a magic cookie (RFC 8446, 4.1.3). The TLSv1.3 spec changes the TLSv1.2 spec in that it recommends that TLSv1.2 servers that negotiate TLSv1.1 or below do the same. This gives a limited additional protection against downgrade attacks beyond what is already present in the Finished exchange. The TLSv1.3 part was already implemented in Hobart and can be trivially modified to do the TLSv1.2 bit as well. ok inoguchi, jsing
5ac47ba7 2020-02-23 17:59:03 The decryption_failed alert must not be sent by compliant implementations. Use a bad_record_mac alert instead. Found with tlsfuzzer's ChaCha20 test. ok beck inoguchi jsing
94f24495 2020-02-23 17:51:36 According to RFC 8446, Section 4.4.4, recipients of incorrect Finished messages must terminate the connection with a decrypt_error alert, so replace the use of the deprecated decryption_failed alert accordingly. ok beck inoguchi jsing
0141ccba 2020-02-21 16:18:52 Remove the s2n macro now that it is finally unused. ok inoguchi@ tb@
970d668f 2020-02-21 16:16:59 Convert the SSL/TLS record creation code to CBB. ok inoguchi@ tb@
91a6bd55 2020-02-21 16:15:56 Convert the DTLS header creation code to CBB. Also consolidate it into the one place, since there is no reason to write the epoch and sequence out later. ok inoguchi@ tb@
e95d976f 2020-02-21 16:13:16 Remove some commented code, remove some pointless comments and move some comments to their correct places. ok inoguchi@ tb@
94777d7c 2020-02-21 16:12:18 Convert dtls1_build_sequence_number() to CBB. ok inoguchi@ tb@
f2e6ddf7 2020-02-21 16:07:00 Move l2n/l2n8 into s3_cbc.c, since this is the only code that uses it. ok inoguchi@ tb@
afa32179 2020-02-21 16:06:26 Remove prefix_len, since it is always zero. ok inoguchi@ tb@
a1f98e4a 2020-02-21 16:06:00 Remove now unused variable. ok inoguchi@ tb@
f91e30d7 2020-02-19 18:22:54 Refactor do_ssl3_write(). When empty fragments were added as a countermeasure against chosen plaintext attacks on CBC, it was done by adding a recursive call to do_ssl3_write(). This makes the code more complex and difficult to change. Split the record creation code into a separate ssl3_create_record() function, which do_ssl3_write() calls. In the case where an empty fragment is needed, ssl3_create_record() is simply called twice, removing the need for recursion. ok inoguchi@ tb@
b46dd106 2020-02-18 16:12:14 drop unused include <openssl/curve25519.h> ok inoguchi jsing
796dcee2 2020-02-16 16:36:40 Avoid potential NULL dereference when parsing a server keyshare extension. It is currently possible for key_share to be NULL when a TLS client receives a keyshare extension. However, for this to occur the client has to be doing TLS 1.2 or earlier, which means that it was invalid for the server to send the extension. As such, check for NULL and treat it as an invalid extension. Found by oss-fuzz (#20741 and #20745). ok inoguchi@ tb@
bcac99ac 2020-02-16 14:33:04 Avoid leak for tmp.x25519. Changed to use local variable to hold malloc address rather than directly set to S3I(s)->tmp.x25519, and set that private_key pointer to S3I(s)->tmp.x25519 after all the "goto err;". Also added freezero for S3I(s)->tmp.x25519 to ssl3_free() and ssl3_clear(). ok jsing@ tb@
8cf56ebe 2020-02-15 14:40:38 Move the TLSv1.3 code that interfaces with the legacy APIs/stack into a separate file. Discussed with beck@ and tb@
2c5c7241 2020-02-15 14:36:58 Remove #include that is not needed.
b7ca6301 2020-02-06 17:35:22 Re-enable the TLSv1.3 client since the known issues have been addressed. ok tb@
da308e26 2020-02-06 16:05:58 Add a workaround to make SSL_set_session() work with TLSv1.3. While we do not currently do session resumption, just return the TLS_client_method() or TLS_server_method() when asked for a method that does TLSv1.3. ok tb@ (who also arrived at the same diff)
9b437883 2020-02-06 13:19:18 Add support for handling hello retry requests in the TLSv1.3 client. In the case of a hello retry request, we need to replace the client hello with a synthetic handshake message, switch key share to that selected by the server, build and send a new client hello, then process the resulting server hello. ok tb@
e0404061 2020-02-06 13:14:17 Correctly handle key share extensions in a hello retry request. In a hello retry request the server will only send the selected group and not actually provide a key exchange. In this case we need to store the server selected group for further processing. ok tb@
2d2ee2e9 2020-02-05 17:30:30 Refactor the server hello processing code in the TLSv1.3 client. Use flags to signal the need to switch to the legacy client and to identify a hello retry request. This allows the caller to take appropriate action, rather than trying to do this in the parsing/processing code. Split the key derivation and record protection engagement code into a separate function, both for readability and reuse. Change handshake states outside of the processing code. ok tb@
390a99a6 2020-02-05 17:01:43 Remove the hello retry request processing code that was previously added. This got added to the wrong functions (server side, not client) - swap the now unimplemented send/recv functions between client and server. ok tb@
3213f5ab 2020-02-05 16:47:34 Provide tls1_transcript_unfreeze() to avoid the need for manual flags mangling. ok tb@
5559e140 2020-02-05 16:42:29 Pull the handshake message transcript code into its own function. This is soon going to be used in the TLSv1.3 client code. ok tb@
753de96b 2020-02-05 06:12:43 Rework tls13_legacy_handshake_message_{recv,sent}_cb() to use their own CBS as a preparation for upcoming HRR diffs. ok jsing
9b242555 2020-02-04 18:06:26 Add support for TLSv1.3 key shares with secp256r1 and secp384r1 groups. ok inoguchi@ tb@
daaa2dc5 2020-02-04 18:00:30 Free the transcript as soon as we initialise the transcript hash. Unlike TLSv1.2 there is only a single hash in use, hence as soon as we know what the hash is and have initialised the transcript hash, we can free the transcript buffers. ok inoguchi@ tb@
282428a7 2020-02-01 12:41:58 Correctly unpack client key shares. Even if we're not processing/using the peer public key from the key share, we still need to unpack it in order to parse the TLS extension correctly. Resolves issues with TLSv1.3 clients talking to TLSv1.2 server. ok tb@
6769a24e 2020-02-01 11:38:35 Disable TLSv1.3 client while some known issues are being addressed.
4673309b 2020-01-30 17:09:23 Provide struct/functions for handling TLSv1.3 key shares. Pull out the key share handling code and provide a clean/self contained interface. This will make it easier to support groups other than X25519. ok beck@ inoguchi@ tb@
69428dca 2020-01-30 16:25:09 Factor out/rewrite the ECDHE EC point key exchange code. This reduces replication between the existing TLS client/server and allows the code to soon be reused for TLSv1.3. With feedback from inoguchi@ and tb@ ok inoguchi@ tb@
4099293a 2020-01-29 17:08:49 Remove dead prototypes.
ae613d71 2020-01-29 17:03:58 If the TLSv1.3 code has not recorded an error and something already exists on the error stack, refrain from pushing an 'unknown' error on the stack. This should allow libcrypto errors (including bio) to be visible, where we have nothing better to offer. ok tb@
2e9d76d9 2020-01-29 13:44:42 Remove unused stub implementation of tls13_accept(). The correct and used version is in tls13_server.c. ok inoguchi jsing
783b23ad 2020-01-26 12:39:16 Fix SSL_CIPHER_description ok jsing@
3fafa71a 2020-01-26 07:24:47 When an SSL method is set, bump the max version back to that of the incoming method if it is a client. This addresses the case where TLS_method() is used to initialise a SSL_CTX, then a TLS_client_method() is then set, resulting in TLSv1.2 being used instead of TLSv1.3. This is observable in smtpd. ok beck@
637b1bc4 2020-01-26 06:55:17 When switching back to a legacy client or server, ensure we reset the handshake function pointer. Fixes an issue found by jca@ with OpenVPN. ok beck@ tb@
0992a619 2020-01-26 06:31:51 Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting. ok jsing@
f25edc96 2020-01-26 03:55:22 Add server side support for requesting client certificates in tls 1.3 ok jsing@
40ef3650 2020-01-26 03:38:24 Add client certificate support for tls 1.3 ok jsing@
bf9ed00f 2020-01-26 03:29:30 Add sigalgs for server side to enable client certificate processing in tls 1.3. Will be used in a follow on commit to enable tls1.3 client certificates ok jsing@
2a0f8bf3 2020-01-26 02:45:27 Move pad and verify context into tls13_lib.c ok jsing@
a8f674cb 2020-01-25 19:01:43 Add an underbar for consistency.
834d06e6 2020-01-25 15:06:17 Revert change to certificate request check from r1.45. This code was correct, it was the entry in the table that was incorrect. ok beck@
2a8e2a39 2020-01-25 14:23:27 Only perform the downgrade check if our max version is less than TLSv1.3. Issue noticed by kn@ when talking to a TLSv1.3 capable mail server, but with smtpd capping max version to TLSv1.2. ok beck@
455de176 2020-01-25 13:21:52 Preserve the transcript hash for the client finished message, and correct the message type for certificate request. ok jsing@
6b92931a 2020-01-25 13:11:20 Support legacy message callbacks. First step for SSL_set_msg_callback(3) support. Makes openssl s_client -msg work for handshake messages. ok beck jsing
9d1ad83a 2020-01-25 12:58:27 Correct value for SSL_TLSEXT_MSG_HRR. ok beck@ tb@
abdcc162 2020-01-25 12:37:06 Only discard the extension block for client hello and server hello messages. TLSv1.3 messages that include extensions need a length prefixed field with zero bytes, rather than no data at all. ok beck@ tb@
f4c38f60 2020-01-25 12:31:42 Only send an RI extension for pre-TLSv1.3 versions. ok beck@
781d0746 2020-01-25 09:20:56 It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello. Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3. Noticed by ajacoutot@ while connecting to www.openprinting.org. ok tb@
96b47d8c 2020-01-25 06:37:30 Correct backwards test so that we may accept a certificate request from the server. ok jsing@
18f4ffe1 2020-01-24 08:21:24 Complete the initial TLSv1.3 implementation. ok beck@ tb@
80fedd56 2020-01-24 06:45:09 Preserve the TLS transcript at additional points. This is needed for the TLSv1.3 server and will also be needed for client certificate authentication. Note that we preserve on receive but before recording the new handshake message, whereas we preserve on send after recording the new handshake message. ok tb@
c8ce398f 2020-01-24 05:11:34 Permit 0 length writes, because openssl s_client is special ok jsing@
3365064d 2020-01-24 04:47:13 Store the legacy session identifier from the ClientHello so we can actually echo it. ok beck@ tb@
be8ffa84 2020-01-24 04:43:09 Switch to encrypted records in the TLSv1.3 server. This adds code to perform key derivation and set the traffic keys once the ServerHello message has been sent, enabling encrypted records. ok beck@ tb@
04a19b29 2020-01-24 04:39:44 Enable SSL_ENC_FLAG_SIGALGS on TLSv1_3_enc_data. This means that we actually try to process and use signature algorithms. ok beck@ tb@
b1b5d3f0 2020-01-24 04:38:12 Add strings for SSL_aTLS1_3 and SSL_kTLS1_3 to SSL_CIPHER_description(). Makes `openssl ciphers -v` print au and kx values for TLSv1.3 cipher suites. ok beck@ tb@
c9e61bce 2020-01-24 04:36:29 Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations. ok jsing@ tb@
10361718 2020-01-23 11:57:20 Implement client hello processing in the TLSv1.3 server. ok beck@
c43b2f19 2020-01-23 11:47:13 Correct several issues in the current TLSv1.3 server code. Correct the parsing of the client hello support versions extension. This has one or more values, rather than just the single selected version. Allocate an SSL_SESSION - this is unused currently, but is needed as soon as we start parsing extensions. Also, pull the cipher suites list off correctly - this is u16 prefixed, not u8. ok beck@
b183e949 2020-01-23 11:06:59 When certificate validation fails, we must send a DECRYPT_ERROR alert according to RFC8446. ok jsing@
dc77a1b6 2020-01-23 10:48:37 Remove the ssl_get_message function pointer from SSL_METHOD_INTERNAL. ssl_get_message is essentially a switch between ssl3_get_message and dtls1_get_message, both only used by the legacy stack. Instead, use SSL_IS_DTLS() in ssl3_get_message to call the DTLS function when necessary. ok beck@ inoguchi@ tb@
467a4acc 2020-01-23 10:48:36 Implement sending client certificate requests for 1.3 server ok jsing@
d86fea23 2020-01-23 10:40:59 Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher(). Currently, TLSv1.3 cipher suites are filtered out by the fact that they have authentication and key exchange algorithms that are not being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher() works for TLSv1.3, however we also now need to ensure that we filter out TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3. ok beck@ tb@
aa78e754 2020-01-23 08:44:31 Build the encrypted extensions for the 1.3 server ok jsing@
bec9724e 2020-01-23 08:04:50 If we are building a legacy server hello, check to see if we are downgrading from TLS 1.3. If we are, set the last 8 bytes of the server_random value to the required values as per RFC 8446 section 4.1.3 indicating that we deliberately meant to downgrade. ok jsing@
709e85ff 2020-01-23 07:30:55 Add checking in the client to check the magic values which are set by a 1.3 server when it downgrades to tls 1.2 or 1.1 as per RFC 8446 section 4.1.3 ok jsing@
9b4fd993 2020-01-23 06:59:11 Add code to build and send a server hello for tls 1.3 ok jsing@
87b47fe3 2020-01-23 06:15:44 Save the legacy session id in the client, and enforce that it is returned the same from the server. ok jsing@ tb@
7003a9cc 2020-01-23 05:08:30 Implement pending for TLSv1.3. Makes `openssl s_client -peekaboo` work with TLSv1.3. ok beck@ tb@
8d8592f6 2020-01-23 03:40:18 Remove lies from the SSL_pending man page. Our implementation never advances the record layer, it only reports internal state. ok jsing@ tb@
8dc90bba 2020-01-23 03:17:40 Switch back to a function pointer for ssl_pending. This will allow the TLSv1.3 stack to provide its own implementation. Nuke a completely bogus comment from SSL_pending() whilst here. ok beck@
52e1fd77 2020-01-23 02:49:38 Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert. Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure). ok beck@ tb@
dc02d6ed 2020-01-23 02:24:38 Pass a CBB to TLSv1.3 send handlers. This avoids the need for each send handler to call tls13_handshake_msg_start() and tls13_handshake_msg_finish(). ok beck@ tb@
0dbd9f91 2020-01-22 15:47:22 Wire up the TLSv1.3 server. This currently only has enough code to handle fallback to the legacy TLS stack for TLSv1.2 or earlier, however allows for further development and testing. ok beck@
0571c2d6 2020-01-22 13:10:51 Pass a handshake message content CBS to TLSv1.3 receive handlers. This avoids every receive handler from having to get the handshake message content itself. Additionally, pull the trailing data check up so that each receive handler does not have to implement it. This makes the code more readable and reduces duplication. ok beck@ tb@
f61b6f1e 2020-01-22 13:06:20 Fix things so that `make -DTLS1_3` works again.
2f00a6ae 2020-01-22 11:26:47 Send alerts on certificate verification failures of server certs ok tb@
9a32c9c8 2020-01-22 10:38:11 Rename failure into alert_desc in tlsext_ocsp_server_parse().
060b62af 2020-01-22 10:36:57 fix previous: alert_desc needs to be an int.
2c0a43e2 2020-01-22 10:28:49 Avoid modifying alert in the success path. ok beck jsing
106f0259 2020-01-22 08:24:25 Enable the TLSv1.3 client in libssl. This also makes it available to clients that use libtls, including ftp(1) and nc(1). Note that this does not expose additional defines via public headers, which means that any code conditioning on defines like TLS1_3_VERSION or SSL_OP_NO_TLSv1_3 will not enable or use TLSv1.3. This approach is necessary since too many pieces of software assume that if TLS1_3_VERSION is available, other OpenSSL 1.1 API will also be available, which is not necessarily the case. ok beck@ tb@
c1fdfe6b 2020-01-22 07:58:27 Add checks to ensure that lib{crypto,ssl,tls} public headers have actually been installed prior to building. Requested by and ok tb@
fa99de6a 2020-01-22 07:49:33 Move guards from public to internal headers, and fix not use values. reverts previous attempt which would have broken ports ok jsing@
373302c0 2020-01-22 06:23:00 Implement support for SSL_peek() in the TLSv1.3 record layer. ok beck@ tb@
138e3c44 2020-01-22 05:06:23 After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it. ok jsing
0b837ea7 2020-01-22 03:20:09 Correctly set the legacy version when TLSv1.3 is building a client hello. The legacy version field is capped at TLSv1.2, however it may be lower than this if we are only choosing to use TLSv1.0 or TLSv1.1. ok beck@ tb@
0e228d0f 2020-01-22 03:15:43 Don't add an extra unknown error if we got a fatal alert ok jsing@
94ab85a5 2020-01-22 02:39:45 The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire. ok beck jsing
df62dce5 2020-01-22 02:34:39 Hook up the TLSv1.3 legacy shutdown code. Missed in an earlier commit.
aee99653 2020-01-22 02:21:05 Add minimal support for hello retry request for RFC conformance. We currently don't support sending a modified clienthello ok jsing@ tb@
7214807f 2020-01-22 01:21:43 Split the TLSv1.3 guards into separate client and server guards. ok beck@ tb@