summaryrefslogtreecommitdiff
path: root/ssl/statem
Commit message (Collapse)AuthorAgeFilesLines
* Be more accurate about what we accept as a valid DTLS versionMatt Caswell2023-05-051-2/+4
| | | | | | | | We accepted more version numbers as valid DTLS then we really should do. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20830)
* Do not send the empty renegotiation info SCSV in QUICTomas Mraz2023-05-021-1/+3
| | | | | | | | | There is no point in sending that when min_proto_version is >= TLS1_3_VERSION. So we set that during SSL_CTX initialization and skip adding the SCSV. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/20764)
* Make the data field for get_record() constMatt Caswell2023-04-121-1/+2
| | | | | | | | | | | Improves consistency with the QUIC rstream implementation - and improves the abstraction between the TLS implementation and the abstract record layer. We should not expect that the TLS implementation should be able to change the underlying buffer. Future record layers may not expect that. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20404)
* RFC7250 (RPK) supportTodd Short2023-03-288-51/+940
| | | | | | | | | | | | | | Add support for the RFC7250 certificate-type extensions. Alows the use of only private keys for connection (i.e. certs not needed). Add APIs Add unit tests Add documentation Add s_client/s_server support Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18185)
* Added `CERTIFICATE_VERIFY_MAX_LENGTH` constantVeronikaNguyen2023-03-213-2/+5
| | | | | | | | | | | | | - Set `CERTIFICATE_VERIFY_MAX_LENGTH` to 65539 (2 bytes for the algorithm identifier + 2 bytes of signature length + 65535 bytes of signature) - Changed `SSL3_RT_MAX_PLAIN_LENGTH` to `CERTIFICATE_VERIFY_MAX_LENGTH` in `statem_srvr.c` and `statem_clnt.c` Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20486)
* Fix early_data age calculationMatt Caswell2023-03-011-7/+9
| | | | | | | | | | | The ticket_age/age_add values use ms granualarity. We were incorrectly treating them as seconds and so the ticket was always being rejected for early data. We also clarify a comment which could have been the source of the confusion. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20387)
* first cut at sigalg loadingMichael Baentsch2023-02-242-9/+16
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19312)
* Add the ability to mutate TLS handshake messages before they are writtenMatt Caswell2023-02-222-146/+44
| | | | | | | | | | | We add callbacks so that TLS handshake messages can be modified by the test framework before they are passed to the handshake hash, possibly encrypted and written to the network. This enables us to simulate badly behaving endpoints. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20030)
* fuzz: fix coverity warningsPhilippe Antoine2023-02-202-2/+2
| | | | | | | | | introduced by 2b9e2afc382490592078cdb69d06f54f0fefd4c6 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/20253)
* fuzz: make post handshake reachablePhilippe Antoine2023-02-082-4/+22
| | | | | | | | So that CVE-2021-3449 can be found through fuzzing Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/20128)
* Add the ability to add a custom extension on an SSL objectMatt Caswell2023-01-241-18/+22
| | | | | | | | | Previously we could only do this at the SSL_CTX level. We add the ability to also do this on an SSL - but only for internal code. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19748)
* Extend the new_record_layer functionMatt Caswell2023-01-241-4/+5
| | | | | | | | | Add the ability to pass the main secret and length, as well as the digest used for the KDF. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19748)
* Create the SSL object for QUIC-TLSMatt Caswell2023-01-241-5/+5
| | | | | | | | | The "user" SSL object which represents the QUIC connection should have an "inner" SSL object to represent the TLS connection. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19748)
* Make error reason for disallowed legacy sigalg more specificTomas Mraz2022-12-132-2/+4
| | | | | | | | | | | The internal error reason is confusing and indicating an error in OpenSSL and not a configuration problem. Fixes #19867 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19875)
* Remove references to read_mac_secret and write_mac_secretMatt Caswell2022-11-141-2/+0
| | | | | | | | They are no longer used and can be removed. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19586)
* Remove remaining refs to enc_(write|read)_ctx/(read|write)_hashMatt Caswell2022-11-141-4/+14
| | | | | | | | | Those fields are no longer used. Their previous function is now in the new record layer. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19586)
* Fix CertificateCompressionAlgorithm to be read as 2-octet-wideAlexander Sosedkin2022-11-081-1/+1
| | | | | | | | CLA: trivial Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19600)
* Assert that we do not exceed the DTLS MTUMatt Caswell2022-11-071-0/+11
| | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19516)
* Add zlib oneshot compressionTodd Short2022-11-072-2/+2
| | | | | | | | Fixes #19520 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19603)
* stack: Do not add error if pop/shift/value accesses outside of the stackTomas Mraz2022-10-211-1/+1
| | | | | | | | | | | | This partially reverts commit 30eba7f35983a917f1007bce45040c0af3442e42. This is legitimate use of the stack functions and no error should be reported apart from the NULL return value. Fixes #19389 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19400)
* Fix coverity 1516094 uninitTodd Short2022-10-211-1/+4
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19440)
* Remove some redundant codeMatt Caswell2022-10-203-3/+3
| | | | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19424)
* Remove the old buffer management codeMatt Caswell2022-10-202-10/+0
| | | | | | | | | | We no longer use the old buffer management code now that it has all been moved to the new record layer. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19424)
* Ensure the record layer is responsible for calculating record overheadsMatt Caswell2022-10-201-21/+5
| | | | | | | | | | | Don't calculate the potential record layer expansion outside of the record layer. We move some code that was doing that into the record layer. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19424)
* Convert dtls_write_records to use standard record layer functionsMatt Caswell2022-10-201-26/+21
| | | | | | | | | | We have standard functions for most of the work that dtls_write_records does - so we convert it to use those functions instead. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19424)
* Add `for_comp` flag when retrieving certs for compressionTodd Short2022-10-187-39/+47
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18186)
* Update COMP_METHODTodd Short2022-10-182-5/+5
| | | | | | | | | size_t-ify the COMP_METHOD structure and functions. Get rid of the non-functional COMP_METHODS and return NULL instead. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18186)
* Add support for compressed certificates (RFC8879)Todd Short2022-10-188-9/+503
| | | | | | | | | | * Compressed Certificate extension (server/client) * Server certificates (send/receive) * Client certificate (send/receive) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18186)
* Fix sctp compile errorsslontis2022-10-183-1/+7
| | | | | | | | | | | Fixes #19371 running config with 'enable-sctp' gave compiler errors. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19398)
* Ensure that the key share group is allowed for our protocol versionMatt Caswell2022-10-122-2/+15
| | | | | | | | | We should never send or accept a key share group that is not in the supported groups list or a group that isn't suitable for use in TLSv1.3 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/19317)
* Use the configured max_send_fragment value in the write record layerMatt Caswell2022-10-121-4/+8
| | | | | | Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19343)
* Remove enc_write_stateMatt Caswell2022-10-122-12/+1
| | | | | | | | | | | | | This field was used to track whether a cipher ctx was valid for writing or not, and also whether we should write out plaintext alerts. With the new record layer design we no longer need to track whether a cipher ctx is valid since the whole record layer will be aborted if it is not. Also we have a different mechanism for tracking whether we should write out plaintext alerts. Therefore this field is removed from the SSL object. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19343)
* Convert the TLSv1.3 crypto code to the new write record layerMatt Caswell2022-10-121-9/+16
| | | | | | | | | We also clean up some of the KTLS code while we are doing it now that all users of KTLS have been moved to the new write record layer. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19343)
* Partial revert and reimplement "Enable brainpool curves for TLS1.3"Matt Caswell2022-10-074-32/+4
| | | | | | | | | | | | | This partially reverts commit 0a10825a0 in order to reimplement it in a simpler way in the next commit. The reverted aspects are all related to the TLSv1.3 brainpool curves in the supported_groups extension. Rather than special casing the handling of these curves we simply add new entries to the groups table to represent them. They can then be handled without any additional special casing. This makes the code simpler to maintain. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/19315)
* Stop raising ERR_R_MALLOC_FAILURE in most placesRichard Levitte2022-10-057-55/+52
| | | | | | | | | | | | | | | | | | | | | | | Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from, there's no need to report ERR_R_MALLOC_FAILURE where they are called directly, or when SSLfatal() and RLAYERfatal() is used, the reason `ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`. There were a number of places where `ERR_R_MALLOC_FAILURE` was reported even though it was a function from a different sub-system that was called. Those places are changed to report ERR_R_{lib}_LIB, where {lib} is the name of that sub-system. Some of them are tricky to get right, as we have a lot of functions that belong in the ASN1 sub-system, and all the `sk_` calls or from the CRYPTO sub-system. Some extra adaptation was necessary where there were custom OPENSSL_malloc() wrappers, and some bugs are fixed alongside these changes. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19301)
* Test TLS extension orderingTodd Short2022-09-282-1/+20
| | | | | | | | | | | Adding extensions is fragile, with the TLSEXT_TYPE entry needing to be located at TLSEXT_IDX in the array. This adds a test to ensure extensions are in the correct order. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19269)
* Move logic for figuring out the record version out of record layerMatt Caswell2022-09-233-11/+14
| | | | | | | | | | This calculation is based on lots of information from state machine and elsewhere that the record layer cannot access. In reality it is sufficient to simply tell the record layer what version to use. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19198)
* Correctly handle a retransmitted ClientHelloMatt Caswell2022-09-221-10/+85
| | | | | | | | | | | | | If we receive a ClientHello and send back a HelloVerifyRequest, we need to be able to handle the scenario where the HelloVerifyRequest gets lost and we receive another ClientHello with the message sequence number set to 0. Fixes #18635 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18654)
* Use an enum for the return value from a construction functionMatt Caswell2022-09-207-133/+162
| | | | | | | | | | Construction return values are no longer boolean but can return 3 different values, so we use an enum to represent them. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18990)
* If a ticket key callback returns 0 in TLSv1.3 don't send a ticketMatt Caswell2022-09-202-22/+64
| | | | | | | | | | | | | If we can't construct the ticket don't send one. This requires a change to the TLS state machine to be able to a handle a construction function deciding not to send a message after all. Fixes #18977 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18990)
* stack.c: add missing direct error reporting and improve coding styleDr. David von Oheimb2022-09-161-1/+1
| | | | | | | | | | Doing so, had to fix sloppiness in using the stack API in crypto/conf/conf_def.c, ssl/ssl_ciph.c, ssl/statem/statem_srvr.c, and mostly in test/helpers/ssltestlib.c. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18918)
* ssl: modify libssl so that it uses OSSL_TIMEPauli2022-09-134-20/+23
| | | | | | | | | | This is instead of time_t and struct timeval. Some public APIs mandate a presence of these two types, but they are converted to OSSL_TIME internally. Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19082)
* Cleanup EBCDIC string defintionsTodd Short2022-09-092-20/+10
| | | | | | | | Use a single definiton for protocol string defintions. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19122)
* Coverity: misuses of time_tPauli2022-08-192-13/+11
| | | | | | | | | | | | | | | | Coverity 1508506: Fixes a bug in the cookie code which would have caused problems for ten minutes before and after the lower 32 bits of time_t rolled over. Coverity 1508534 & 1508540: Avoid problems when the lower 32 bits of time_t roll over by delaying the cast to integer until after the time delta has been computed. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19004)
* Remove redefinition of SSL_AD_NO_ALERTMatt Caswell2022-08-181-1/+0
| | | | | | | | | The SSL_AD_NO_ALERT value was defined in two places. We centralise its definition. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18132)
* Remove some redundant codeMatt Caswell2022-08-181-1/+0
| | | | | | Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18132)
* Move some fields out of the SSL object and into the record layer objectMatt Caswell2022-08-185-17/+21
| | | | | | | | | Fields such as rrlmethod and rrl are entirely related to the record layer, and so should be in that object. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18132)
* Remove some remaining SSL object references from DTLS record layerMatt Caswell2022-08-181-4/+6
| | | | | | Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18132)
* Remove reliance on the SSL object from the DTLS read record layer codeMatt Caswell2022-08-181-2/+14
| | | | | | Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18132)
* Move some DTLS read code into the read record layerMatt Caswell2022-08-181-1/+1
| | | | | | Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18132)
View Lorry Controller Status