mirror of https://github.com/openbsd/src.git synced 2025-01-10 06:47:55 -08:00
Commit Graph

399 Commits

Author SHA1 Message Date
tb
2c1036d8e6 Check the security of DH key shares
ok beck, looks good to jsing
2022-06-29 08:27:51 +00:00
tb
9f1e22a9e6 Rename one s to ssl for consistency
2022-06-29 07:59:14 +00:00
tb
157ca3d87e Add prototypes for ssl{_ctx,}_security()
ok beck jsing sthen
2022-06-28 21:14:32 +00:00
tb
6638350c69 Implement the default security level callback
And here is where the fun starts. The tentacles will grow everywhere.

ok beck jsing sthen
2022-06-28 20:40:24 +00:00
tb
bef105c623 Add security callback, level and ex_data fields to SSL_CERT
ok beck jsing sthen
2022-06-28 20:31:43 +00:00
tb
2c2a1afcd6 Switch sid_ctx_length in SSL, SSL_CTX and SSL_SESSION to a size_t
ok jsing
2022-06-07 17:52:00 +00:00
tb
1fe5733cec Switch SSL_SESSION's session_id_length to a size_t
ok jsing
2022-06-07 17:42:35 +00:00
tb
7c49745add Switch the SSL_SESSION's master_key_length to a size_t
ok jsing
2022-06-07 17:18:21 +00:00
tb
135c3cf284 Tweak comment describing the SSL_SESSION ASN.1
ok jsing
2022-06-06 16:11:00 +00:00
tb
6ec8cfd130 Fix spaces before tabs
2022-06-06 08:48:11 +00:00
tb
a5e02c8285 Add a use_psk_dhe_ke flag to the TLSv1.3 handshake struct
This will be used to indicate client side support for DHE key
establishment.

ok jsing
2022-06-03 13:28:36 +00:00
jsing
f4578efd6f Remove const from tls1_transcript_hash_value()
This function populates the passed *out argument, hence it should not be
marked const.

ok tb@
2022-03-17 17:22:16 +00:00
jsing
b23067a600 Factor out change cipher spec handling code in the legacy stack.
Factor out the code that handles the processing of a change cipher spec
message that has been read in the legacy stack, deduplicating code in the
DTLS stack.

ok inoguchi@ tb@
2022-03-12 12:53:03 +00:00
jsing
56fd52a708 Factor out alert handling code in the legacy stack.
Pull out the code that processes incoming alerts - a chunk of the
complexity is due to the fact that in TLSv1.2 and earlier, alerts can be
fragmented across multiple records or multiple alerts can be delivered
in a single record.

In DTLS there is no way that we can reassemble fragmented alerts (although
the RFC is silent on this), however we could have multiple alerts in the
same record. This change means that we will handle this situation more
appropriately and if we encounter a fragmented alert we will now treat this
as a decode error (instead of silently ignoring it).

ok beck@ tb@
2022-02-21 18:22:20 +00:00
jsing
02876cc38f Bye bye S3I.
S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@
2022-02-05 14:54:10 +00:00
jsing
e7fd08e8b6 Cleanup/simplify ssl_cert_type()
Remove the X509 argument as it is unused - this was passed so that
ssl_cert_type() can get the public key from the X509 object if the
EVP_PKEY argument is NULL, however this is never the case.

ok tb@
2022-02-03 16:33:12 +00:00
jsing
15b5e1ec81 Remove peer_pkeys from SSL_SESSION.
peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@
2022-01-11 19:03:15 +00:00
jsing
666c9986a0 Rename 'peer' to 'peer_cert' in SSL_SESSION.
The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@
2022-01-11 18:39:28 +00:00
jsing
7dd422f86e Plumb decode errors through key share parsing code.
Distinguish between decode errors and other errors, so that we can send
a SSL_AD_DECODE_ERROR alert when appropriate.

Fixes a tlsfuzzer failure, due to it expecting a decode error alert and
not receiving one.

Prompted by anton@

ok tb@
2022-01-11 18:28:41 +00:00
jsing
2675be24af Swap arguments to ssl_check_srvr_ecc_cert_and_alg()
If a libssl function takes an SSL *, it should normally be the first
argument.
2022-01-09 15:53:52 +00:00
jsing
7cf55da31c Merge SESS_CERT into SSL_SESSION.
There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@
2022-01-08 12:59:58 +00:00
jsing
0f5d253262 Remove commented out CERT_* defines.
2022-01-08 12:54:32 +00:00
jsing
ef36d1f9e8 Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.
Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@
2022-01-08 12:43:44 +00:00
jsing
c0b85757f9 Rename dh_tmp to dhe_params.
Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@
2022-01-07 16:45:06 +00:00
jsing
aebe267242 Convert legacy server to tls_key_share.
This requires a few more additions to the DHE key share code - we need to
be able to either set the DHE parameters or specify the number of key bits
for use with auto DHE parameters. Additionally, we need to be able to
serialise the DHE parameters to send to the client.

This removes the infamous 'tmp' struct from ssl3_state_internal_st.

ok inoguchi@ tb@
2022-01-07 15:46:30 +00:00
jsing
892af70e9e Convert legacy TLS client to tls_key_share.
This requires adding DHE support to tls_key_share. In doing so,
tls_key_share_peer_public() has to lose the group argument and gains
an invalid_key argument. The one place that actually needs the group
check is tlsext_keyshare_client_parse(), so add code to do this.

ok inoguchi@ tb@
2022-01-06 18:23:56 +00:00
jsing
b8e3503d5a Rename tls13_key_share to tls_key_share.
In preparation to use the key share code in both the TLSv1.3 and legacy
stacks, rename tls13_key_share to tls_key_share, moving it into the shared
handshake struct. Further changes will then allow the legacy stack to make
use of the same code for ephemeral key exchange.

ok inoguchi@ tb@
2022-01-05 17:10:02 +00:00
jsing
40050a9450 Clean up and refactor server side DHE key exchange.
Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@
2021-12-04 14:03:22 +00:00
jsing
dfc82f2a7e Move the minimum DHE key size check into ssl_kex_peer_params_dhe()
ok inoguchi@ tb@
2021-12-04 13:50:35 +00:00
jsing
2caab47b79 Check DH public key in ssl_kex_peer_public_dhe().
Call DH_check_pub_key() after decoding the peer public key - this will be
needed for the server DHE key exchange, but also benefits the client.

ok inoguchi@ tb@
2021-12-04 13:15:10 +00:00
jsing
76bb720394 Factor out/rewrite DHE key exchange.
This follows what was done previously for ECDHE EC point key exchange and
will allow for deduplication and further code improvement.

Convert the TLSv1.2 client to use the new DHE key exchange functions.

ok inoguchi@ tb@
2021-11-29 16:00:32 +00:00
jsing
e2a9b68224 Use ssl_force_want_read() in the DTLS code.
Also mop up some mostly unhelpful comments while here.

ok beck@ tb@
2021-10-25 10:09:28 +00:00
jsing
7e08603548 Fold SSL_SESSION_INTERNAL back into SSL_SESSION.
ok beck@ tb@
2021-10-25 10:01:46 +00:00
beck
4a18b5ba2a Add SSL_get0_verified_chain - needed by some new stuff
symbol will be exposed with tb@'s forthcoming bump

ok tb@
2021-10-23 20:42:50 +00:00
beck
8095b13035 Add new OpenSSL API SSL_CTX_set_num_tickets and friends.
Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@
2021-10-23 16:29:15 +00:00
jsing
a0f5591df7 Mop up enc_read_ctx and read_hash.
These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@
2021-10-23 15:02:27 +00:00
jsing
01f29c5863 Provide a way to determine our maximum legacy version.
With the introduction of TLSv1.3, we need the ability to determine our
maximum legacy version and to track our peer's maximum legacy version.
This is needed for both the TLS record layer when using TLSv1.3, plus
it is needed for RSA key exchange in TLS prior to TLSv1.3, where the
maximum legacy version is incorporated in the pre-master secret to
avoid downgrade attacks.

This unbreaks RSA KEX for the TLS client when the non-version specific
method is used with TLSv1.0 or TLSv1.1 (clearly no one does this).

ok tb@
2021-10-23 14:40:54 +00:00
beck
d1ec7c35ff Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback
Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@
2021-10-23 11:41:51 +00:00
jsing
f2c3e96427 Untangle ssl3_get_message() return values.
This function currently has a long return type that may be <= 0 on
error/retry (which is then cast to an int in order to return it up the
stack), or it returns the length of the handshake message (on success).
This obviously means that 0 can be returned for both success and failure,
which is the reason why a separate 'ok' argument has to exist.

Untangle this mess by changing the return value to an int that indicates
success (1) or error/retry (<= 0). The length never needs to actually be
returned as it is already stored in s->internal->init_num (which is where
the return value is read from anyway).

ok tb@
2021-10-23 08:34:36 +00:00
jsing
18631d238e Change tlsext_tick_lifetime_hint to uint32_t.
Now that SSL_SESSION is opaque, change tlsext_tick_lifetime_hint from long
to uint32_t (matching RFC4507), rather than continuing to work around an
inappropriate type choice.

ok tb@
2021-10-23 08:13:02 +00:00
jsing
47ccd49111 Move various structs from ssl.h/tls1.h to ssl_locl.h.
These were already under LIBRESSL_INTERNAL hence no ABI change.

ok tb@
2021-10-15 16:48:46 +00:00
jsing
545b2b6304 Clean up and simplify info and msg callbacks.
The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@
2021-08-30 19:25:43 +00:00
jsing
44aae0c184 Replace DTLS r_epoch with the read epoch from the TLSv1.2 record layer.
ok inoguchi@ tb@
2021-08-30 19:12:25 +00:00
jsing
e3dbb073b2 Dedup dtls1_dispatch_alert()/ssl3_dispatch_alert().
The code for dtls1_dispatch_alert() and ssl3_dispatch_alert() is largely
identical - with a bit of reshuffling we can use ssl3_dispatch_alert() for
both protocols and remove the ssl_dispatch_alert function pointer.

ok inoguchi@ tb@
2021-07-26 03:17:38 +00:00
jsing
20358f906c Do a first pass clean up of SSL_METHOD.
The num_ciphers, get_cipher_by_char and put_cipher_by_char function
pointers use the same function for all methods - call ssl3_num_ciphers()
directly, absorb ssl3_get_cipher_by_char() into SSL_CIPHER_find() and
remove the unused ssl3_put_cipher_by_char() code.

ok inoguchi@ tb@
2021-07-03 16:06:44 +00:00
jsing
6ba40c1458 Merge SSL_METHOD_INTERNAL into SSL_METHOD.
Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@
2021-07-01 17:53:39 +00:00
jsing
9c9268eadb Move some structs from public to private headers.
Move struct ssl_cipher_st, struct ssl_method_st, struct ssl_session_st and
struct ssl3_state_st from public to private headers. These are already
under #ifdef LIBRESSL_INTERNAL and are no longer publicly visible.

ok inoguchi@ tb@
2021-06-30 18:04:05 +00:00
jsing
adff4236f4 Track the sigalgs used by ourselves and our peer.
Move the sigalg pointer from SSL_HANDSHAKE_TLS13 to SSL_HANDSHAKE, naming
it our_sigalg, adding an equivalent peer_sigalg. Adjust the TLSv1.3 code
that records our signature algorithm. Add code to record the signature
algorithm used by our peer.

Needed for upcoming API additions.

ok tb@
2021-06-27 19:23:51 +00:00
tb
61547bf99d Garbage collect prototype for ssl_parse_serverhello_tlsext() which
was removed in t1_lib.c r1.141.
2021-06-23 11:12:33 +00:00
jsing
bdaf1583af Correctly handle epoch wrapping in dtls1_get_bitmap().
Due to a type bug that has been present in DTLS since the code was first
committed in 2005, dtls1_get_bitmap() fails to handle next epoch correctly
when the epoch is currently 0xffff (and wraps to zero).

For various reasons unknown, the epoch field in the SSL3_RECORD_INTERNAL
(formerly SSL3_RECORD) was added as unsigned long (even though the value
is an unsigned 16 bit value on the wire, hence cannot exceed 0xffff),
however was added to other code as unsigned short.

Due to integer promotion, the r_epoch value is incremented by one to
become 0x10000, before being cast to an unsigned long and compared to
the value pulled from the DTLS record header (which is zero). Strangely
0x10000 != 0, meaning that we drop the DTLS record, instead of queueing
it for the next epoch.

Fix this issue by using more appropriate types and pulling up the
calculation of the next epoch value for improved readability.

ok inoguchi@ tb@
2021-06-19 17:21:39 +00:00