#
1.73 |
|
27-Jan-2024 |
jsing |
Add message callbacks for alerts in the TLSv1.3 stack.
This will make it easier to regress test shutdown behaviour in the TLSv1.3 stack. Additionally, `openssl -msg` now shows alerts for TLSv1.3 connections.
ok tb@
|
Revision tags: OPENBSD_7_3_BASE OPENBSD_7_4_BASE
|
#
1.72 |
|
11-Nov-2022 |
jsing |
Convert the legacy TLS stack to tls_content.
This converts the legacy TLS stack to tls_content - records are now opened into a tls_content structure, rather than being written back into the same buffer that the sealed record was read into.
This will allow for further clean up of the legacy record layer.
ok tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.71 |
|
11-Sep-2022 |
jsing |
Ensure there is no trailing data for a CCS received by the TLSv1.3 stack.
ok tb@
|
#
1.70 |
|
24-Jul-2022 |
jsing |
Provide record layer callbacks for QUIC.
QUIC uses TLS to complete the handshake, however unlike normal TLS it does not use the TLS record layer, rather it provides its own transport. This means that we need to intercept all communication between the TLS handshake and the record layer. This allows TLS handshake message writes to be directed to QUIC, likewise for TLS handshake message reads. Alerts also need to be sent via QUIC, plus it needs to be provided with the traffic keys that are derived by TLS.
ok tb@
|
#
1.69 |
|
24-Jul-2022 |
jsing |
Provide QUIC encryption levels.
QUIC wants to know what "encryption level" handshake messages should be sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that defines these (of course quictls decided to make this an OSSL_ENCRYPTION_LEVEL typedef, so provide that as well).
Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so that they can be used in upcoming commits.
ok tb@
|
#
1.68 |
|
20-Jul-2022 |
jsing |
Remove tls_buffer_set_data() and remove/revise callers.
There is no way that tls_buffer_set_data() can currently work in conjunction with tls_buffer_expand(). This fact is currently hidden by the way that PHH works, which reads the same data from the record layer (which it needs to do anyway, since we may not have all of the handshake message in a single record).
Since this is broken, mop it up and change the PHH callback to not provide the record data.
ok beck@ tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.67 |
|
14-Jan-2022 |
tb |
Convert the new record layers to opaque EVP_AEAD_CTX
ok jsing
|
#
1.66 |
|
06-Jan-2022 |
jsing |
Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection.
This brings the code more in line with the tls12_record_layer and reduces the effort needed to make EVP_AEAD_CTX opaque.
Prompted by and ok tb@
|
#
1.65 |
|
15-Dec-2021 |
jsing |
Use CBS_get_last_u8() to find the content type in TLSv1.3 records.
ok tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.64 |
|
16-Sep-2021 |
jsing |
Implement flushing for TLSv1.3 handshakes.
When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio.
Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent.
Joint work with tb@
ok tb@
|
#
1.63 |
|
04-Sep-2021 |
jsing |
Factor out the TLSv1.3 code that handles content from TLS records.
Currently, the plaintext content from opened TLS records is handled via the rbuf code in the TLSv1.3 record layer. Factor this out and provide a separate struct tls_content, which knows how to track and manipulate the content.
This makes the TLSv1.3 code cleaner, however it will also soon be used to untangle parts of the legacy record layer.
ok beck@ tb@
|
#
1.62 |
|
08-Jun-2021 |
tb |
Ignore the record version for early alerts
On receiving the first flight from the peer, we do not yet know if we are using TLSv1.3. In particular, we might get an alert record with record version 0x0300 from a pre-TLSv1.2 peer in response to our client hello. Ignore the record version instead of sending a protocol version alert in that situation. This may also be hit when talking to a LibreSSL 3.3 server with an illegal SNI.
Part of an issue reported by danj.
ok jsing
|
#
1.61 |
|
16-May-2021 |
jsing |
Avoid pulling ssl_locl.h into self-contained code.
|
#
1.60 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.59 |
|
21-Mar-2021 |
jsing |
Split TLSv1.3 record protection from record layer.
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code.
ok inoguchi@ tb@
|
#
1.58 |
|
05-Jan-2021 |
tb |
Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()
ok jsing
|
#
1.57 |
|
04-Jan-2021 |
tb |
Keep the various free calls of tls13_record_layer_free() in the order of the struct members for reviewability.
ok jsing
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands of TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
branches: 1.53.4;
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_record_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
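The two checks described in revisions 1.34 and 1.52 (and the -1 underflow from 1.51 that the up-front check avoids), as an added example that is not LibreSSL's code: parse a TLSInnerPlaintext by scanning back over the zero padding, and reject records with no content type or with empty handshake/alert content. Function and alert names are hypothetical.

```c
/*
 * Added example (not LibreSSL's code): parse a TLSv1.3 TLSInnerPlaintext
 * (RFC 8446 section 5.2) after record protection has been removed.
 * Layout: content || content_type (non-zero) || zeros[padding].
 * The content type is found by scanning back over the zero padding. If
 * the inner plaintext is empty or all zeros, no content type exists and
 * the record must be rejected with unexpected_message. Handshake and
 * alert records with empty content are rejected the same way
 * (RFC 8446 section 5.4). Checking for "nothing left" before
 * computing the content length also avoids underflowing to -1.
 */
#include <stddef.h>
#include <stdint.h>

#define TLS13_CT_ALERT			21
#define TLS13_CT_HANDSHAKE		22
#define TLS13_CT_APPLICATION_DATA	23

/* Hypothetical alert value used by this example. */
#define ALERT_UNEXPECTED_MESSAGE	10

/*
 * Locate the content type and content length within inner[0..inner_len).
 * Returns 1 on success; 0 on failure with *alert set to the alert to send.
 */
int
tls13_inner_plaintext_parse(const uint8_t *inner, size_t inner_len,
    uint8_t *content_type, size_t *content_len, int *alert)
{
	size_t i = inner_len;

	*content_type = 0;
	*content_len = 0;
	*alert = 0;

	/* Scan back over the zero padding to find the content type. */
	while (i > 0 && inner[i - 1] == 0)
		i--;

	/* Empty, or only zero bytes: the content type is unspecified. */
	if (i == 0) {
		*alert = ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}

	*content_type = inner[i - 1];
	*content_len = i - 1;	/* i >= 1 here, so this cannot underflow */

	/* Handshake and alert records must carry content. */
	if ((*content_type == TLS13_CT_HANDSHAKE ||
	    *content_type == TLS13_CT_ALERT) && *content_len == 0) {
		*alert = ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}

	return 1;
}
```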
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that the sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
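The up-front wrap check described in revisions 1.30 and 1.29, as an added example that is not LibreSSL's code: increment an 8 byte big endian record sequence number, refusing (and leaving the counter untouched) when the increment would wrap. Function names and the counter length constant are hypothetical.

```c
/*
 * Added example (not LibreSSL's code): increment a TLSv1.3 record layer
 * sequence number kept as an 8 byte big endian counter. RFC 8446
 * section 5.3 requires that the sequence number never wraps, so the
 * check is made before any byte is modified; on failure the caller
 * must rekey or close the connection rather than keep sending.
 */
#include <stddef.h>
#include <stdint.h>

#define SEQ_NUM_LEN	8	/* hypothetical; matches the RFC's 64-bit counter */

/* Returns 1 on success, 0 if incrementing would wrap (seq is unchanged). */
int
seq_num_increment(uint8_t seq[SEQ_NUM_LEN])
{
	size_t i;

	/* Would we wrap? Only if every byte is already 0xff. */
	for (i = 0; i < SEQ_NUM_LEN; i++) {
		if (seq[i] != 0xff)
			break;
	}
	if (i == SEQ_NUM_LEN)
		return 0;

	/* Propagate the carry from the least significant byte upwards. */
	for (i = SEQ_NUM_LEN; i > 0; i--) {
		if (++seq[i - 1] != 0)
			break;
	}

	return 1;
}

/* Helper: read the counter as an integer (useful for tests and logging). */
uint64_t
seq_num_to_u64(const uint8_t seq[SEQ_NUM_LEN])
{
	uint64_t v = 0;
	size_t i;

	for (i = 0; i < SEQ_NUM_LEN; i++)
		v = (v << 8) | seq[i];

	return v;
}
```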
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. Tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for received and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts: "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.72 |
|
11-Nov-2022 |
jsing |
Convert the legacy TLS stack to tls_content.
This converts the legacy TLS stack to tls_content - records are now opened into a tls_content structure, rather than being written back into the same buffer that the sealed record was read into.
This will allow for further clean up of the legacy record layer.
ok tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.71 |
|
11-Sep-2022 |
jsing |
Ensure there is no trailing data for a CCS received by the TLSv1.3 stack.
ok tb@
|
#
1.70 |
|
24-Jul-2022 |
jsing |
Provide record layer callbacks for QUIC.
QUIC uses TLS to complete the handshake, however unlike normal TLS it does not use the TLS record layer, rather it provides its own transport. This means that we need to intercept all communication between the TLS handshake and the record layer. This allows TLS handshake message writes to be directed to QUIC, likewise for TLS handshake message reads. Alerts also need to be sent via QUIC, plus it needs to be provided with the traffic keys that are derived by TLS.
ok tb@
|
#
1.69 |
|
24-Jul-2022 |
jsing |
Provide QUIC encryption levels.
QUIC wants to know what "encryption level" handshake messages should be sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that defines these (of course quictls decided to make this an OSSL_ENCRYPTION_LEVEL typedef, so provide that as well).
Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so that they can be used in upcoming commits.
ok tb@
|
#
1.68 |
|
20-Jul-2022 |
jsing |
Remove tls_buffer_set_data() and remove/revise callers.
There is no way that tls_buffer_set_data() can currently work in conjunction with tls_buffer_expand(). This fact is currently hidden by the way that PHH works, which reads the same data from the record layer (which it needs to do anyway, since we may not have all of the handshake message in a single record).
Since this is broken, mop it up and change the PHH callback to not provide the record data.
ok beck@ tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.67 |
|
14-Jan-2022 |
tb |
Convert the new record layers to opaque EVP_AEAD_CTX
ok jsing
|
#
1.66 |
|
06-Jan-2022 |
jsing |
Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection.
This brings the code more in line with the tls12_record_layer and reduces the effort needed to make EVP_AEAD_CTX opaque.
Prompted by and ok tb@
|
#
1.65 |
|
15-Dec-2021 |
jsing |
Use CBS_get_last_u8() to find the content type in TLSv1.3 records.
ok tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.64 |
|
16-Sep-2021 |
jsing |
Implement flushing for TLSv1.3 handshakes.
When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio.
Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent.
Joint work with tb@
ok tb@
|
#
1.63 |
|
04-Sep-2021 |
jsing |
Factor out the TLSv1.3 code that handles content from TLS records.
Currently, the plaintext content from opened TLS records is handled via the rbuf code in the TLSv1.3 record layer. Factor this out and provide a separate struct tls_content, which knows how to track and manipulate the content.
This makes the TLSv1.3 code cleaner, however it will also soon also be used to untangle parts of the legacy record layer.
ok beck@ tb@
|
#
1.62 |
|
08-Jun-2021 |
tb |
Ignore the record version for early alerts
On receiving the first flight from the peer, we do not yet know if we are using TLSv1.3. In particular, we might get an alert record with record version 0x0300 from a pre-TLSv1.2 peer in response to our client hello. Ignore the record version instead of sending a protocol version alert in that situtation. This may also be hit when talking to a LibreSSL 3.3 server with an illegal SNI.
Part of an issue reported by danj.
ok jsing
|
#
1.61 |
|
16-May-2021 |
jsing |
Avoid pulling ssl_locl.h into self-contained code.
|
#
1.60 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.59 |
|
21-Mar-2021 |
jsing |
Split TLSv1.3 record protection from record layer.
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code.
ok inoguchi@ tb@
|
#
1.58 |
|
05-Jan-2021 |
tb |
Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()
ok jsing
|
#
1.57 |
|
04-Jan-2021 |
tb |
Keep the various free calls of tls13_record_layer_free() in the order of the struct members for reviewability.
ok jsing
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
branches: 1.53.4; Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_recod_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4; Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
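The 1.30 entry above moves the wrap check in front of the increment so that a sequence number at its maximum is never advanced, which is what RFC 8446 section 5.3 requires: the 64-bit counter is XORed into the static IV to form each record's AEAD nonce, and a wrapped counter would reuse a nonce under the same key. The C code below is an added example written for this page, not LibreSSL's own implementation; the function and sample names are its own, and the IV and counters are constructed values, not real key material. It keeps the counter as a big-endian byte array, refuses the increment when every byte is already 0xff, and builds the nonce from the IV and counter.

```c
/*
 * Added example, not LibreSSL code: TLSv1.3 record sequence numbers as
 * described in RFC 8446 section 5.3. The 64-bit sequence number is kept as
 * a big-endian byte array so it can be XORed straight into the AEAD IV; it
 * must never wrap, so the "would this wrap?" check runs before the increment
 * and a counter at 2^64-1 is left untouched while the caller gets an error.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS13_SEQ_NUM_LEN	8	/* RFC 8446 5.3: 64-bit sequence number */
#define TLS13_IV_LEN		12	/* AES-GCM and ChaCha20-Poly1305 IV length */

/*
 * Increment the sequence number in place. Returns 1 on success and 0 if the
 * counter is already at its maximum, in which case it is left unchanged and
 * the caller must fail the connection rather than reuse a nonce.
 */
int
tls13_seq_num_increment(uint8_t seq_num[TLS13_SEQ_NUM_LEN])
{
	int i;

	/* Check up front: an all-0xff counter would wrap to zero. */
	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++) {
		if (seq_num[i] != 0xff)
			break;
	}
	if (i == TLS13_SEQ_NUM_LEN)
		return 0;

	/* Big-endian increment with carry; the check above guarantees it stops. */
	for (i = TLS13_SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq_num[i] != 0)
			break;
	}
	return 1;
}

/*
 * Build the per-record nonce: the sequence number, left-padded with zeros to
 * the IV length, XORed with the static IV (RFC 8446 5.3). nonce must have
 * room for iv_len bytes. Returns 0 if the IV is shorter than the counter.
 */
int
tls13_nonce_build(const uint8_t *iv, size_t iv_len,
    const uint8_t seq_num[TLS13_SEQ_NUM_LEN], uint8_t *nonce)
{
	size_t i, pad;

	if (iv_len < TLS13_SEQ_NUM_LEN)
		return 0;
	memcpy(nonce, iv, iv_len);
	pad = iv_len - TLS13_SEQ_NUM_LEN;
	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++)
		nonce[pad + i] ^= seq_num[i];
	return 1;
}

/* Read the big-endian counter as an integer (for logging and checks). */
uint64_t
tls13_seq_num_value(const uint8_t seq_num[TLS13_SEQ_NUM_LEN])
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++)
		v = (v << 8) | seq_num[i];
	return v;
}

/* Constructed sample state for the demonstration (not real key material). */
uint8_t demo_seq_zero[TLS13_SEQ_NUM_LEN] = { 0 };
uint8_t demo_seq_carry[TLS13_SEQ_NUM_LEN] = { 0, 0, 0, 0, 0, 0, 0, 0xff };
uint8_t demo_seq_max[TLS13_SEQ_NUM_LEN] =
    { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
const uint8_t demo_iv[TLS13_IV_LEN] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
uint8_t demo_nonce[TLS13_IV_LEN];

int
main(void)
{
	int ok = tls13_seq_num_increment(demo_seq_carry);

	printf("carry: ok=%d value=0x%llx\n", ok,
	    (unsigned long long)tls13_seq_num_value(demo_seq_carry));
	printf("at max: ok=%d (counter unchanged)\n",
	    tls13_seq_num_increment(demo_seq_max));
	return 0;
}
```

Because the refusal happens before any byte is touched, a caller that ignores the return value still never sees a wrapped counter; the only way past 2^64-1 is a KeyUpdate, which installs fresh keys and resets the counter to zero.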
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. Tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for received and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts: "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.70 |
|
24-Jul-2022 |
jsing |
Provide record layer callbacks for QUIC.
QUIC uses TLS to complete the handshake, however unlike normal TLS it does not use the TLS record layer, rather it provides its own transport. This means that we need to intercept all communication between the TLS handshake and the record layer. This allows TLS handshake message writes to be directed to QUIC, likewise for TLS handshake message reads. Alerts also need to be sent via QUIC, plus it needs to be provided with the traffic keys that are derived by TLS.
ok tb@
|
#
1.69 |
|
24-Jul-2022 |
jsing |
Provide QUIC encryption levels.
QUIC wants to know what "encryption level" handshake messages should be sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that defines these (of course quictls decided to make this an OSSL_ENCRYPTION_LEVEL typedef, so provide that as well).
Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so that they can be used in upcoming commits.
ok tb@
|
#
1.68 |
|
20-Jul-2022 |
jsing |
Remove tls_buffer_set_data() and remove/revise callers.
There is no way that tls_buffer_set_data() can currently work in conjunction with tls_buffer_expand(). This fact is currently hidden by the way that PHH works, which reads the same data from the record layer (which it needs to do anyway, since we may not have all of the handshake message in a single record).
Since this is broken, mop it up and change the PHH callback to not provide the record data.
ok beck@ tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.67 |
|
14-Jan-2022 |
tb |
Convert the new record layers to opaque EVP_AEAD_CTX
ok jsing
|
#
1.66 |
|
06-Jan-2022 |
jsing |
Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection.
This brings the code more in line with the tls12_record_layer and reduces the effort needed to make EVP_AEAD_CTX opaque.
Prompted by and ok tb@
|
#
1.65 |
|
15-Dec-2021 |
jsing |
Use CBS_get_last_u8() to find the content type in TLSv1.3 records.
ok tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.64 |
|
16-Sep-2021 |
jsing |
Implement flushing for TLSv1.3 handshakes.
When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio.
Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent.
Joint work with tb@
ok tb@
|
#
1.63 |
|
04-Sep-2021 |
jsing |
Factor out the TLSv1.3 code that handles content from TLS records.
Currently, the plaintext content from opened TLS records is handled via the rbuf code in the TLSv1.3 record layer. Factor this out and provide a separate struct tls_content, which knows how to track and manipulate the content.
This makes the TLSv1.3 code cleaner, however it will also soon also be used to untangle parts of the legacy record layer.
ok beck@ tb@
|
#
1.62 |
|
08-Jun-2021 |
tb |
Ignore the record version for early alerts
On receiving the first flight from the peer, we do not yet know if we are using TLSv1.3. In particular, we might get an alert record with record version 0x0300 from a pre-TLSv1.2 peer in response to our client hello. Ignore the record version instead of sending a protocol version alert in that situtation. This may also be hit when talking to a LibreSSL 3.3 server with an illegal SNI.
Part of an issue reported by danj.
ok jsing
|
#
1.61 |
|
16-May-2021 |
jsing |
Avoid pulling ssl_locl.h into self-contained code.
|
#
1.60 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.59 |
|
21-Mar-2021 |
jsing |
Split TLSv1.3 record protection from record layer.
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code.
ok inoguchi@ tb@
|
#
1.58 |
|
05-Jan-2021 |
tb |
Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()
ok jsing
|
#
1.57 |
|
04-Jan-2021 |
tb |
Keep the various free calls of tls13_record_layer_free() in the order of the struct members for reviewability.
ok jsing
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
branches: 1.53.4; Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_recod_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When the legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
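The inner plaintext handling that r1.52, r1.51 and r1.34 above describe, written out as an added example (this is not LibreSSL's own code; the function names and the struct are this example's own, while the limits, content types and alert numbers come from RFC 8446). It walks back over the zero padding to find the content type, refuses a zero-length or all-zero plaintext without ever letting the length go negative, rejects an oversize inner plaintext with record_overflow, and rejects handshake or alert records whose content is empty:

```c
/*
 * Added example (not LibreSSL code): parsing a decrypted TLSInnerPlaintext.
 * Limits, content types and alert numbers are from RFC 8446; the function
 * names and struct are this example's own.
 */
#include <stddef.h>
#include <stdint.h>

/*
 * RFC 8446 section 5.1/5.2: content is at most 2^14 bytes, and the decrypted
 * TLSInnerPlaintext (content + type + padding) at most 2^14 + 1 bytes.
 */
#define TLS13_MAX_PLAINTEXT_LEN		16384
#define TLS13_MAX_INNER_PLAINTEXT_LEN	(TLS13_MAX_PLAINTEXT_LEN + 1)

/* ContentType values (RFC 8446 section 5.1). */
#define TLS13_CONTENT_ALERT		21
#define TLS13_CONTENT_HANDSHAKE		22
#define TLS13_CONTENT_APPLICATION_DATA	23

/* AlertDescription values (RFC 8446 section 6). */
#define TLS13_ALERT_UNEXPECTED_MESSAGE	10
#define TLS13_ALERT_RECORD_OVERFLOW	22

struct inner_plaintext {
	const uint8_t *content;
	size_t content_len;
	uint8_t content_type;
};

/*
 * Parse TLSInnerPlaintext = content || type || zeros[padding].
 * Returns 0 on success and fills *out; otherwise returns the alert
 * description that should terminate the connection.
 */
int
inner_plaintext_parse(const uint8_t *plaintext, size_t plaintext_len,
    struct inner_plaintext *out)
{
	size_t len = plaintext_len;

	/* Overlong inner plaintext: record_overflow (RFC 8446 section 5.2). */
	if (plaintext_len > TLS13_MAX_INNER_PLAINTEXT_LEN)
		return TLS13_ALERT_RECORD_OVERFLOW;

	/*
	 * Walk back over the zero padding. Stopping at len == 0 is what keeps
	 * a zero-length or all-zero plaintext from driving the length below
	 * zero (the "content_len decremented to -1" crash fixed in r1.51).
	 */
	while (len > 0 && plaintext[len - 1] == 0)
		len--;

	/* No non-zero byte at all: the content type is unspecified (r1.52). */
	if (len == 0)
		return TLS13_ALERT_UNEXPECTED_MESSAGE;

	out->content_type = plaintext[len - 1];
	out->content = plaintext;
	out->content_len = len - 1;

	/*
	 * RFC 8446 section 5.4: handshake and alert records must carry
	 * content (r1.34). A zero-length application data record is valid.
	 */
	if (out->content_len == 0 &&
	    (out->content_type == TLS13_CONTENT_HANDSHAKE ||
	    out->content_type == TLS13_CONTENT_ALERT))
		return TLS13_ALERT_UNEXPECTED_MESSAGE;

	return 0;
}

/* Convenience wrapper: the content type on success, or minus the alert. */
int
inner_plaintext_type(const uint8_t *plaintext, size_t plaintext_len)
{
	struct inner_plaintext ip;
	int alert;

	if ((alert = inner_plaintext_parse(plaintext, plaintext_len, &ip)) != 0)
		return -alert;
	return ip.content_type;
}
```

The alert is returned to the caller rather than sent here, mirroring the split between the read half of the record layer and the code that does I/O that r1.48 describes.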
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that the sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. Tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for received and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts: "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.67 |
|
14-Jan-2022 |
tb |
Convert the new record layers to opaque EVP_AEAD_CTX
ok jsing
|
#
1.66 |
|
06-Jan-2022 |
jsing |
Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection.
This brings the code more in line with the tls12_record_layer and reduces the effort needed to make EVP_AEAD_CTX opaque.
Prompted by and ok tb@
|
#
1.65 |
|
15-Dec-2021 |
jsing |
Use CBS_get_last_u8() to find the content type in TLSv1.3 records.
ok tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.64 |
|
16-Sep-2021 |
jsing |
Implement flushing for TLSv1.3 handshakes.
When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio.
Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent.
Joint work with tb@
ok tb@
|
#
1.63 |
|
04-Sep-2021 |
jsing |
Factor out the TLSv1.3 code that handles content from TLS records.
Currently, the plaintext content from opened TLS records is handled via the rbuf code in the TLSv1.3 record layer. Factor this out and provide a separate struct tls_content, which knows how to track and manipulate the content.
This makes the TLSv1.3 code cleaner, however it will also soon also be used to untangle parts of the legacy record layer.
ok beck@ tb@
|
#
1.62 |
|
08-Jun-2021 |
tb |
Ignore the record version for early alerts
On receiving the first flight from the peer, we do not yet know if we are using TLSv1.3. In particular, we might get an alert record with record version 0x0300 from a pre-TLSv1.2 peer in response to our client hello. Ignore the record version instead of sending a protocol version alert in that situtation. This may also be hit when talking to a LibreSSL 3.3 server with an illegal SNI.
Part of an issue reported by danj.
ok jsing
|
#
1.61 |
|
16-May-2021 |
jsing |
Avoid pulling ssl_locl.h into self-contained code.
|
#
1.60 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.59 |
|
21-Mar-2021 |
jsing |
Split TLSv1.3 record protection from record layer.
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code.
ok inoguchi@ tb@
|
#
1.58 |
|
05-Jan-2021 |
tb |
Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()
ok jsing
|
#
1.57 |
|
04-Jan-2021 |
tb |
Keep the various free calls of tls13_record_layer_free() in the order of the struct members for reviewability.
ok jsing
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands of TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
branches: 1.53.4;
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_record_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When the legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS; however, when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
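The inner plaintext handling described in 1.52, 1.51 and 1.34 above, as an added example in C that is not LibreSSL's code: the parser walks back over the zero padding with an unsigned length so the content length can never underflow, rejects plaintext that carries no content type, and rejects empty handshake or alert content (RFC 8446 section 5.4). The TLS13_INNER_* return codes and the function names are chosen here, not LibreSSL's.

```c
/*
 * Added example (not LibreSSL code): locate the content type at the end of
 * a TLSv1.3 inner plaintext (RFC 8446 section 5.2). After record protection
 * is removed the plaintext is content || content_type || zero padding. The
 * content type is the last non-zero byte; everything before it is content.
 * If the plaintext is empty or all zeros there is no content type, and the
 * caller must send an unexpected_message alert instead of decrementing a
 * length below zero.
 */
#include <stddef.h>
#include <stdint.h>

/* Return codes chosen for this example. */
#define TLS13_INNER_OK                 0
#define TLS13_INNER_NO_CONTENT_TYPE    1   /* zero-length or all-zero plaintext */
#define TLS13_INNER_EMPTY_FORBIDDEN    2   /* empty handshake/alert content */

/* Content type values as used on the wire. */
#define TLS13_CONTENT_TYPE_ALERT            21
#define TLS13_CONTENT_TYPE_HANDSHAKE        22
#define TLS13_CONTENT_TYPE_APPLICATION_DATA 23

/*
 * Strip padding and content type from an inner plaintext. On success
 * *content_type is set and the content occupies plaintext[0 .. *content_len).
 * Returns one of the TLS13_INNER_* codes.
 */
int
tls13_inner_plaintext_parse(const uint8_t *plaintext, size_t plaintext_len,
    uint8_t *content_type, size_t *content_len)
{
	size_t len = plaintext_len;

	/*
	 * Walk back over the zero padding. Testing len > 0 before each
	 * decrement on an unsigned length is what avoids the -1 underflow
	 * (and the freezero crash) that an all-zero plaintext used to cause.
	 */
	while (len > 0 && plaintext[len - 1] == 0)
		len--;

	/* Nothing non-zero at all: the content type is unspecified. */
	if (len == 0)
		return TLS13_INNER_NO_CONTENT_TYPE;

	*content_type = plaintext[len - 1];
	*content_len = len - 1;

	/*
	 * Handshake and alert records must not have empty content. Empty
	 * application data is legal; the caller then asks for another
	 * record rather than reporting EOF.
	 */
	if (*content_len == 0 &&
	    (*content_type == TLS13_CONTENT_TYPE_HANDSHAKE ||
	     *content_type == TLS13_CONTENT_TYPE_ALERT))
		return TLS13_INNER_EMPTY_FORBIDDEN;

	return TLS13_INNER_OK;
}
```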
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that the sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
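The sequence number increment described in 1.30 and 1.29 above, as an added example that is not LibreSSL's code; it assumes the sequence number is kept as an 8-byte big-endian array, matching the 64-bit counter of RFC 8446 section 5.3, and the tls13_seq_num_* names are chosen here.

```c
/*
 * Added example (not LibreSSL code): increment a TLSv1.3 record sequence
 * number held as an 8-byte big-endian array. RFC 8446 section 5.3 forbids
 * wrapping, so instead of incrementing and detecting overflow afterwards,
 * check up front whether every byte is already 0xff. Only when that is
 * excluded is the carry loop run, which is then guaranteed to stop before
 * running off the front of the array.
 */
#include <stddef.h>
#include <stdint.h>

#define TLS13_SEQ_NUM_LEN 8

/* Returns 1 on success, 0 if the increment would wrap (the record layer must then fail). */
int
tls13_seq_num_inc(uint8_t seq_num[TLS13_SEQ_NUM_LEN])
{
	int i;

	/* The increment wraps only if all bytes are 0xff; refuse that up front. */
	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++) {
		if (seq_num[i] != 0xff)
			break;
	}
	if (i == TLS13_SEQ_NUM_LEN)
		return 0;

	/*
	 * Propagate the carry from the least significant byte. At least one
	 * byte is not 0xff, so the loop exits before i becomes negative.
	 */
	for (i = TLS13_SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq_num[i] != 0)
			break;
	}
	return 1;
}

/* View the big-endian array as a uint64_t, for checking results. */
uint64_t
tls13_seq_num_value(const uint8_t seq_num[TLS13_SEQ_NUM_LEN])
{
	uint64_t v = 0;
	size_t i;

	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++)
		v = (v << 8) | seq_num[i];
	return v;
}

/* Load a uint64_t into the big-endian array, for constructing inputs. */
void
tls13_seq_num_set(uint8_t seq_num[TLS13_SEQ_NUM_LEN], uint64_t v)
{
	size_t i;

	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++)
		seq_num[TLS13_SEQ_NUM_LEN - 1 - i] = (uint8_t)(v >> (8 * i));
}
```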
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. Tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for received and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts: "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.66 |
|
06-Jan-2022 |
jsing |
Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection.
This brings the code more in line with the tls12_record_layer and reduces the effort needed to make EVP_AEAD_CTX opaque.
Prompted by and ok tb@
|
#
1.65 |
|
15-Dec-2021 |
jsing |
Use CBS_get_last_u8() to find the content type in TLSv1.3 records.
ok tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.64 |
|
16-Sep-2021 |
jsing |
Implement flushing for TLSv1.3 handshakes.
When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio.
Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent.
Joint work with tb@
ok tb@
|
#
1.63 |
|
04-Sep-2021 |
jsing |
Factor out the TLSv1.3 code that handles content from TLS records.
Currently, the plaintext content from opened TLS records is handled via the rbuf code in the TLSv1.3 record layer. Factor this out and provide a separate struct tls_content, which knows how to track and manipulate the content.
This makes the TLSv1.3 code cleaner, however it will also soon also be used to untangle parts of the legacy record layer.
ok beck@ tb@
|
#
1.62 |
|
08-Jun-2021 |
tb |
Ignore the record version for early alerts
On receiving the first flight from the peer, we do not yet know if we are using TLSv1.3. In particular, we might get an alert record with record version 0x0300 from a pre-TLSv1.2 peer in response to our client hello. Ignore the record version instead of sending a protocol version alert in that situtation. This may also be hit when talking to a LibreSSL 3.3 server with an illegal SNI.
Part of an issue reported by danj.
ok jsing
|
#
1.61 |
|
16-May-2021 |
jsing |
Avoid pulling ssl_locl.h into self-contained code.
|
#
1.60 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.59 |
|
21-Mar-2021 |
jsing |
Split TLSv1.3 record protection from record layer.
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code.
ok inoguchi@ tb@
|
#
1.58 |
|
05-Jan-2021 |
tb |
Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()
ok jsing
|
#
1.57 |
|
04-Jan-2021 |
tb |
Keep the various free calls of tls13_record_layer_free() in the order of the struct members for reviewability.
ok jsing
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
branches: 1.53.4; Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_recod_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4; Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.65 |
|
15-Dec-2021 |
jsing |
Use CBS_get_last_u8() to find the content type in TLSv1.3 records.
ok tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.64 |
|
16-Sep-2021 |
jsing |
Implement flushing for TLSv1.3 handshakes.
When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio.
Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent.
Joint work with tb@
ok tb@
|
#
1.63 |
|
04-Sep-2021 |
jsing |
Factor out the TLSv1.3 code that handles content from TLS records.
Currently, the plaintext content from opened TLS records is handled via the rbuf code in the TLSv1.3 record layer. Factor this out and provide a separate struct tls_content, which knows how to track and manipulate the content.
This makes the TLSv1.3 code cleaner, however it will also soon be used to untangle parts of the legacy record layer.
ok beck@ tb@
|
#
1.62 |
|
08-Jun-2021 |
tb |
Ignore the record version for early alerts
On receiving the first flight from the peer, we do not yet know if we are using TLSv1.3. In particular, we might get an alert record with record version 0x0300 from a pre-TLSv1.2 peer in response to our client hello. Ignore the record version instead of sending a protocol version alert in that situation. This may also be hit when talking to a LibreSSL 3.3 server with an illegal SNI.
Part of an issue reported by danj.
ok jsing
|
#
1.61 |
|
16-May-2021 |
jsing |
Avoid pulling ssl_locl.h into self-contained code.
|
#
1.60 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.59 |
|
21-Mar-2021 |
jsing |
Split TLSv1.3 record protection from record layer.
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code.
ok inoguchi@ tb@
|
#
1.58 |
|
05-Jan-2021 |
tb |
Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()
ok jsing
|
#
1.57 |
|
04-Jan-2021 |
tb |
Keep the various free calls of tls13_record_layer_free() in the order of the struct members for reviewability.
ok jsing
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
branches: 1.53.4;
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_record_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
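The header checks described in revisions 1.62 (ignore the record version for early alerts), 1.46/1.41 (record overflow) and 1.40 (record version checks) above, collected into one function. This is an added example, not LibreSSL code: the struct, function and constant names are hypothetical, while the 2^14 and 2^14 + 256 limits, the content types and the alert numbers are those of RFC 8446.

```c
/*
 * Added example, not LibreSSL code: the checks a TLSv1.3 record layer
 * applies to the five byte record header before opening the record,
 * including the early-alert exemption. Names are hypothetical; the
 * limits and alert numbers are from RFC 8446.
 */
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION   0x0301
#define TLS1_2_VERSION 0x0303

#define TLS13_RECORD_HEADER_LEN  5
#define TLS13_MAX_PLAINTEXT_LEN  16384				/* 2^14 */
#define TLS13_MAX_CIPHERTEXT_LEN (TLS13_MAX_PLAINTEXT_LEN + 256)

#define TLS13_CT_CHANGE_CIPHER_SPEC 20
#define TLS13_CT_ALERT              21
#define TLS13_CT_HANDSHAKE          22
#define TLS13_CT_APPLICATION_DATA   23

#define TLS13_ALERT_NONE                0
#define TLS13_ALERT_UNEXPECTED_MESSAGE 10
#define TLS13_ALERT_RECORD_OVERFLOW    22
#define TLS13_ALERT_PROTOCOL_VERSION   70

struct record_ctx {
	uint16_t legacy_version;	/* legacy_record_version we currently write */
	int tls13_negotiated;		/* 1 once the ServerHello selected TLSv1.3 */
	int protected_records;		/* 1 once record protection is engaged */
};

/* Returns 0 when the header is acceptable, -1 with *alert set otherwise. */
int
record_header_check(const struct record_ctx *ctx,
    const uint8_t hdr[TLS13_RECORD_HEADER_LEN], uint8_t *content_type,
    uint16_t *length, int *alert)
{
	uint16_t version, max_len;
	int check_version = 1;

	*alert = TLS13_ALERT_NONE;
	*content_type = hdr[0];
	version = (uint16_t)(hdr[1] << 8 | hdr[2]);
	*length = (uint16_t)(hdr[3] << 8 | hdr[4]);

	/*
	 * Until the ServerHello tells us we are speaking TLSv1.3, an alert
	 * may come from a pre-TLSv1.2 peer with record version 0x0300, so
	 * the version field is ignored for alerts in that window.
	 */
	if (*content_type == TLS13_CT_ALERT && !ctx->tls13_negotiated)
		check_version = 0;

	if (check_version) {
		if (ctx->legacy_version == TLS1_2_VERSION) {
			/* Once we write 0x0303 the peer must do so too. */
			if (version != TLS1_2_VERSION) {
				*alert = TLS13_ALERT_PROTOCOL_VERSION;
				return -1;
			}
		} else if ((version >> 8) != 0x03) {
			/* Before that, any SSL3/TLS record version will do. */
			*alert = TLS13_ALERT_PROTOCOL_VERSION;
			return -1;
		}
	}

	/* The length limit depends on whether the record is protected. */
	max_len = ctx->protected_records ?
	    TLS13_MAX_CIPHERTEXT_LEN : TLS13_MAX_PLAINTEXT_LEN;
	if (*length > max_len) {
		*alert = TLS13_ALERT_RECORD_OVERFLOW;
		return -1;
	}

	switch (*content_type) {
	case TLS13_CT_CHANGE_CIPHER_SPEC:
	case TLS13_CT_ALERT:
	case TLS13_CT_HANDSHAKE:
	case TLS13_CT_APPLICATION_DATA:
		return 0;
	default:
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return -1;
	}
}

/* Convenience wrapper: 0 when acceptable, the negated alert otherwise. */
int
record_header_classify(uint16_t legacy_version, int tls13_negotiated,
    int protected_records, uint8_t type, uint16_t version, uint16_t length)
{
	struct record_ctx ctx = { legacy_version, tls13_negotiated, protected_records };
	uint8_t hdr[TLS13_RECORD_HEADER_LEN] = {
		type, version >> 8, version & 0xff, length >> 8, length & 0xff,
	};
	uint8_t content_type;
	uint16_t len;
	int alert;

	if (record_header_check(&ctx, hdr, &content_type, &len, &alert) != 0)
		return -alert;
	return 0;
}

int
main(void)
{
	/* Constructed headers: a protected application data record, then
	 * an early alert with record version 0x0300, then a late one. */
	printf("app data 0x0303: %d\n", record_header_classify(TLS1_2_VERSION,
	    1, 1, TLS13_CT_APPLICATION_DATA, 0x0303, 100));		/* 0 */
	printf("early alert 0x0300: %d\n", record_header_classify(TLS1_2_VERSION,
	    0, 0, TLS13_CT_ALERT, 0x0300, 2));				/* 0 */
	printf("late alert 0x0300: %d\n", record_header_classify(TLS1_2_VERSION,
	    1, 1, TLS13_CT_ALERT, 0x0300, 2));				/* -70 */
	return 0;
}
```

The early-alert exemption is deliberately narrow: it only skips the version check, still enforces the length limit, and only applies to alert records, so a server that wants to force an unprotected handshake record through with a bogus version still gets protocol_version.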
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
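The inner plaintext handling that revisions 1.65 (find the content type from the end), 1.52 (no valid content type), 1.51 (content length underflow), 1.48/1.46 (overlong inner plaintext) and 1.34 (empty handshake or alert content) above are concerned with, as one parser. This is an added example and not LibreSSL's code; the function and constant names are hypothetical, the 2^14 + 1 limit and the alert numbers are RFC 8446's.

```c
/*
 * Added example, not LibreSSL code: strip the zero padding from a
 * decrypted TLSv1.3 TLSInnerPlaintext, recover the content type and
 * reject the malformed cases the commits above describe. Names are
 * hypothetical; limits and alert numbers are from RFC 8446.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS13_MAX_PLAINTEXT_LEN       16384			/* 2^14 */
#define TLS13_MAX_INNER_PLAINTEXT_LEN (TLS13_MAX_PLAINTEXT_LEN + 1)	/* + type byte */

#define TLS13_CT_ALERT            21
#define TLS13_CT_HANDSHAKE        22
#define TLS13_CT_APPLICATION_DATA 23

#define TLS13_ALERT_NONE                0
#define TLS13_ALERT_UNEXPECTED_MESSAGE 10
#define TLS13_ALERT_RECORD_OVERFLOW    22

/*
 * Parse a decrypted inner plaintext (content || type || zero padding).
 * On success returns 0 and sets *content_type and *content_len; on
 * failure returns -1 with *alert set to the alert the peer should get.
 */
int
inner_plaintext_parse(const uint8_t *inner, size_t inner_len,
    uint8_t *content_type, size_t *content_len, int *alert)
{
	size_t i = inner_len;

	*alert = TLS13_ALERT_NONE;
	*content_type = 0;
	*content_len = 0;

	/* Overlong inner plaintext: record_overflow before touching the bytes. */
	if (inner_len > TLS13_MAX_INNER_PLAINTEXT_LEN) {
		*alert = TLS13_ALERT_RECORD_OVERFLOW;
		return -1;
	}

	/* Walk back over the padding to the last non-zero byte. */
	while (i > 0 && inner[i - 1] == 0)
		i--;

	/*
	 * Zero length, or nothing but zero bytes: the content type is
	 * unspecified, so this is not a valid message. Stopping here is
	 * also what keeps content_len from being computed as (size_t)-1.
	 */
	if (i == 0) {
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return -1;
	}

	*content_type = inner[i - 1];
	*content_len = i - 1;

	/* Handshake and alert records must carry content (RFC 8446 5.4). */
	if ((*content_type == TLS13_CT_HANDSHAKE ||
	    *content_type == TLS13_CT_ALERT) && *content_len == 0) {
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return -1;
	}

	/*
	 * A zero length application data record is legal; the caller must
	 * not report it as EOF but go and read the next record instead.
	 */
	return 0;
}

/* Convenience wrapper: the content type on success, the negated alert otherwise. */
int
inner_plaintext_classify(const uint8_t *inner, size_t inner_len)
{
	uint8_t content_type;
	size_t content_len;
	int alert;

	if (inner_plaintext_parse(inner, inner_len, &content_type,
	    &content_len, &alert) != 0)
		return -alert;
	return content_type;
}

int
main(void)
{
	/* Constructed inputs: "hi" as padded application data, then all-zero junk. */
	const uint8_t good[] = { 'h', 'i', TLS13_CT_APPLICATION_DATA, 0, 0 };
	const uint8_t bogus[] = { 0, 0, 0, 0 };

	printf("good: %d\n", inner_plaintext_classify(good, sizeof(good)));	/* 23 */
	printf("bogus: %d\n", inner_plaintext_classify(bogus, sizeof(bogus)));	/* -10 */
	return 0;
}
```

The order of the checks matters: the length bound comes first so that an oversized buffer is never scanned, and the all-zero case is caught before the content length is derived, which is the underflow revision 1.51 fixed.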
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that the sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
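The non-wrapping increment that revisions 1.30 and 1.29 above settle on, together with the nonce derivation that is the reason a wrap has to be fatal. This is an added example, not LibreSSL code; names are hypothetical, the big-endian 64-bit sequence number and the nonce construction are from RFC 8446 section 5.3.

```c
/*
 * Added example, not LibreSSL code: incrementing the 64-bit record
 * sequence number without ever wrapping (RFC 8446 section 5.3), and the
 * per-record nonce derivation that makes a wrap a nonce reuse.
 * Names are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS13_RECORD_SEQ_NUM_LEN 8

/*
 * Increment a big-endian sequence number in place. Returns 1 on success
 * and 0 if the increment would wrap, leaving the value untouched; the
 * caller must then rekey or close rather than reuse a nonce.
 */
int
seq_num_increment(uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN])
{
	int i;

	/* Check up front: all 0xff means the next increment wraps to zero. */
	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++) {
		if (seq_num[i] != 0xff)
			break;
	}
	if (i == TLS13_RECORD_SEQ_NUM_LEN)
		return 0;

	/* The carry is now guaranteed to stop inside the array. */
	for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq_num[i] != 0)
			break;
	}
	return 1;
}

/*
 * Per-record nonce: the sequence number left-padded with zeros to the
 * IV length, XORed with the static IV. Reusing a sequence number under
 * the same key therefore reuses an AEAD nonce.
 */
int
record_nonce(const uint8_t *iv, size_t iv_len,
    const uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN], uint8_t *nonce)
{
	size_t i;

	if (iv_len < TLS13_RECORD_SEQ_NUM_LEN)
		return 0;
	memcpy(nonce, iv, iv_len);
	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++)
		nonce[iv_len - TLS13_RECORD_SEQ_NUM_LEN + i] ^= seq_num[i];
	return 1;
}

/* Helpers between the wire encoding and a host integer. */
void
seq_num_from_u64(uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN], uint64_t v)
{
	int i;

	for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
		seq_num[i] = v & 0xff;
		v >>= 8;
	}
}

uint64_t
seq_num_to_u64(const uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN])
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++)
		v = (v << 8) | seq_num[i];
	return v;
}

/* The successor of start, or 0 when incrementing would wrap. */
uint64_t
seq_num_next_or_zero(uint64_t start)
{
	uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN];

	seq_num_from_u64(seq_num, start);
	if (!seq_num_increment(seq_num))
		return 0;
	return seq_num_to_u64(seq_num);
}

int
main(void)
{
	/* Constructed: a carry across several bytes, then the last valid value. */
	printf("0x%llx\n", (unsigned long long)seq_num_next_or_zero(0xffffffffULL));	/* 0x100000000 */
	printf("0x%llx\n", (unsigned long long)seq_num_next_or_zero(UINT64_MAX));	/* 0 */
	return 0;
}
```

Doing the all-0xff scan before the carry loop is what lets the loop be plain: it never has to detect that it ran off the end, and the sequence number is never modified on the failure path.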
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
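The ChangeCipherSpec bookkeeping that revisions 1.36, 1.33 and 1.21 above describe, as a small state machine: a CCS is only tolerated between the ClientHello and the peer's Finished, at most two of them, and only when the record is the single byte 0x01 that RFC 8446 specifies. This is an added example and not LibreSSL code; the struct, functions and the event script are hypothetical.

```c
/*
 * Added example, not LibreSSL code: the bookkeeping that lets a TLSv1.3
 * endpoint ignore the dummy ChangeCipherSpec records of middlebox
 * compatibility mode, and nothing more. Names are hypothetical; the
 * one-byte CCS payload and the alert number are from RFC 8446.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS13_ALERT_UNEXPECTED_MESSAGE 10
#define TLS13_MAX_DUMMY_CCS 2	/* after HelloRetryRequest and after ServerHello */

struct ccs_state {
	int ccs_allowed;	/* between ClientHello and the peer's Finished */
	int ccs_seen;
};

/* Handshake hooks that open and close the window. */
void
ccs_window_open(struct ccs_state *st)
{
	st->ccs_allowed = 1;
	st->ccs_seen = 0;
}

void
ccs_window_close(struct ccs_state *st)
{
	st->ccs_allowed = 0;
}

/*
 * Handle the content of a change_cipher_spec record. Returns 0 when the
 * record is to be discarded (the caller then reads the next record rather
 * than returning data), or -1 with *alert set when the connection must
 * be torn down.
 */
int
ccs_record_handle(struct ccs_state *st, const uint8_t *content,
    size_t content_len, int *alert)
{
	*alert = 0;

	/* A CCS record is exactly the single byte 0x01, no trailing data. */
	if (content_len != 1 || content[0] != 0x01) {
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return -1;
	}
	/* Outside the window (e.g. after Finished) a CCS is an error. */
	if (!st->ccs_allowed) {
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return -1;
	}
	/* Tolerate at most two dummy CCS records in one handshake. */
	if (++st->ccs_seen > TLS13_MAX_DUMMY_CCS) {
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return -1;
	}
	return 0;
}

/*
 * Drive the state machine with a constructed event script: 'H' the
 * ClientHello is sent or received, 'F' the peer's Finished arrives,
 * 'C' a well-formed CCS record, 'X' a CCS record with a trailing byte.
 * Returns the number of CCS records accepted, or the negated alert.
 */
int
ccs_run_script(const char *script)
{
	struct ccs_state st = { 0, 0 };
	const uint8_t good[] = { 0x01 };
	const uint8_t bad[] = { 0x01, 0x00 };
	int accepted = 0, alert;

	for (; *script != '\0'; script++) {
		switch (*script) {
		case 'H':
			ccs_window_open(&st);
			break;
		case 'F':
			ccs_window_close(&st);
			break;
		case 'C':
			if (ccs_record_handle(&st, good, sizeof(good), &alert) != 0)
				return -alert;
			accepted++;
			break;
		case 'X':
			if (ccs_record_handle(&st, bad, sizeof(bad), &alert) != 0)
				return -alert;
			accepted++;
			break;
		}
	}
	return accepted;
}

int
main(void)
{
	printf("HRR with Fizz (HCCF): %d\n", ccs_run_script("HCCF"));		/* 2 */
	printf("third CCS (HCCCF): %d\n", ccs_run_script("HCCCF"));		/* -10 */
	printf("CCS after Finished (HCFC): %d\n", ccs_run_script("HCFC"));	/* -10 */
	return 0;
}
```

Counting rather than simply flagging is the point of revision 1.33: the Fizz HelloRetryRequest case needs two, and anything beyond that is still treated as a peer that is not following the protocol.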
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. Tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for received and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.64 |
|
16-Sep-2021 |
jsing |
Implement flushing for TLSv1.3 handshakes.
When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio.
Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent.
Joint work with tb@
ok tb@
|
#
1.63 |
|
04-Sep-2021 |
jsing |
Factor out the TLSv1.3 code that handles content from TLS records.
Currently, the plaintext content from opened TLS records is handled via the rbuf code in the TLSv1.3 record layer. Factor this out and provide a separate struct tls_content, which knows how to track and manipulate the content.
This makes the TLSv1.3 code cleaner, however it will also soon also be used to untangle parts of the legacy record layer.
ok beck@ tb@
|
#
1.62 |
|
08-Jun-2021 |
tb |
Ignore the record version for early alerts
On receiving the first flight from the peer, we do not yet know if we are using TLSv1.3. In particular, we might get an alert record with record version 0x0300 from a pre-TLSv1.2 peer in response to our client hello. Ignore the record version instead of sending a protocol version alert in that situtation. This may also be hit when talking to a LibreSSL 3.3 server with an illegal SNI.
Part of an issue reported by danj.
ok jsing
|
#
1.61 |
|
16-May-2021 |
jsing |
Avoid pulling ssl_locl.h into self-contained code.
|
#
1.60 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.59 |
|
21-Mar-2021 |
jsing |
Split TLSv1.3 record protection from record layer.
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code.
ok inoguchi@ tb@
|
#
1.58 |
|
05-Jan-2021 |
tb |
Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()
ok jsing
|
#
1.57 |
|
04-Jan-2021 |
tb |
Keep the various free calls of tls13_record_layer_free() in the order of the struct members for reviewability.
ok jsing
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
branches: 1.53.4; Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_recod_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4; Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
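Added example, not LibreSSL code and not part of this log: a small Python model of the alert and dummy-CCS handling that the entries for 1.9, 1.8, 1.6 and 1.5 above describe. The `Io` result names stand in for the TLS13_IO_* return values, `wire_out` stands in for the wire write callback, and handshake state (whether a CCS or alert is permitted at this point) is deliberately not tracked; content types and alert descriptions are the values from RFC 8446.

```python
# Added example: a model of TLS 1.3 alert and dummy-CCS handling at the record
# layer. Illustrative code, not LibreSSL's tls13_record_layer.c.
from enum import Enum

# Record content types (RFC 8446, section 5.1).
CT_CHANGE_CIPHER_SPEC = 20
CT_ALERT = 21
CT_APPLICATION_DATA = 23

# Alert descriptions used here (RFC 8446, section 6).
CLOSE_NOTIFY = 0
UNEXPECTED_MESSAGE = 10
DECODE_ERROR = 50
USER_CANCELED = 90

ALERT_LEVEL_WARNING = 1
ALERT_LEVEL_FATAL = 2


class Io(Enum):
    EOF = "eof"             # peer sent close_notify: nothing more to read
    WANT_POLLIN = "pollin"  # record held nothing for the caller: read again
    ALERT = "alert"         # fatal alert sent or received: connection is dead
    DATA = "data"           # application data is available


class RecordLayer:
    def __init__(self) -> None:
        self.read_closed = False
        self.write_closed = False
        self.fatal = False           # set once an error alert went either way
        self.alert_received = None   # description byte of the peer's alert
        self.wire_out = []           # alert bodies we "sent" (stand-in for the wire callback)

    def enqueue_alert(self, desc: int) -> Io:
        """Send an error alert: always fatal in TLS 1.3, closes both channels."""
        if not self.write_closed:
            self.wire_out.append(bytes([ALERT_LEVEL_FATAL, desc]))
        self.read_closed = self.write_closed = self.fatal = True
        return Io.ALERT

    def send_close_notify(self) -> None:
        """Closure alert: ends only our write side; the peer may keep sending."""
        if not self.write_closed:
            self.wire_out.append(bytes([ALERT_LEVEL_WARNING, CLOSE_NOTIFY]))
        self.write_closed = True

    def process_alert(self, content: bytes) -> Io:
        """Classify a received alert as closure or error (RFC 8446, 6.1 and 6.2)."""
        if len(content) != 2:
            return self.enqueue_alert(DECODE_ERROR)
        _level, desc = content[0], content[1]
        # The level byte is ignored on purpose: in TLS 1.3 the description alone
        # decides severity, so a "warning" handshake_failure is still an error.
        self.alert_received = desc
        if desc == CLOSE_NOTIFY:
            self.read_closed = True      # half-close: our writes may continue
            return Io.EOF
        if desc == USER_CANCELED:
            return Io.WANT_POLLIN        # nothing for the caller; read again
        # Every other description, known or unknown, is an error alert. Nothing
        # is sent in reply; both channels are closed at once.
        self.read_closed = self.write_closed = self.fatal = True
        return Io.ALERT

    def process_record(self, content_type: int, content: bytes):
        """Dispatch one opened record. Returns (Io, application bytes)."""
        if self.fatal:
            return Io.ALERT, b""
        if self.read_closed:
            return Io.EOF, b""
        if content_type == CT_ALERT:
            return self.process_alert(content), b""
        if content_type == CT_CHANGE_CIPHER_SPEC:
            # Middlebox-compatibility dummy CCS: exactly one byte 0x01, dropped
            # without processing. Anything else is an unexpected message.
            if content != b"\x01":
                return self.enqueue_alert(UNEXPECTED_MESSAGE), b""
            return Io.WANT_POLLIN, b""
        if content_type == CT_APPLICATION_DATA:
            if not content:
                # A zero-length record carries nothing; returning zero bytes
                # would read as EOF, so ask to be called again instead.
                return Io.WANT_POLLIN, b""
            return Io.DATA, content
        return self.enqueue_alert(UNEXPECTED_MESSAGE), b""
```

The point the model makes is the one from 1.5 and 1.9: only close_notify and user_canceled are closure alerts, close_notify closes just the read channel so the local side can still send its own close_notify, and the level byte never changes the outcome.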
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
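Added example, not LibreSSL code and not part of this log: a Python model of why the read and write traffic keys have to be settable independently, as the 1.2 entry above explains in the context of KeyUpdate. HKDF-Expand and HKDF-Expand-Label are reimplemented from RFC 5869 and RFC 8446 with the standard library, sizes are those of TLS_AES_128_GCM_SHA256, the method names `set_{read,write}_traffic_key` only mirror the commit's wording, and the secrets fed in are arbitrary constructed bytes rather than real traffic secrets.

```python
# Added example: independent read and write traffic keys in a TLS 1.3 record
# layer and what a KeyUpdate does to each side. Illustrative, not LibreSSL's.
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size    # 32 for TLS_AES_128_GCM_SHA256
KEY_LEN, IV_LEN = 16, 12         # AES-128-GCM key and IV sizes
SEQ_MAX = 2**64 - 1              # record sequence numbers must never wrap


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC over HASH."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446, 7.1): the label is prefixed with "tls13 "."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def next_traffic_secret(secret: bytes) -> bytes:
    """application_traffic_secret_N+1 from secret_N (RFC 8446, 7.2)."""
    return hkdf_expand_label(secret, "traffic upd", b"", HASH_LEN)


class TrafficKeys:
    """One direction of record protection: secret, key, IV, sequence number."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.key = hkdf_expand_label(secret, "key", b"", KEY_LEN)
        self.iv = hkdf_expand_label(secret, "iv", b"", IV_LEN)
        self.seq = 0   # restarts at zero whenever new keys are installed

    def nonce(self) -> bytes:
        """Per-record nonce: IV XOR the left-padded sequence number (5.3)."""
        padded = self.seq.to_bytes(IV_LEN, "big")
        return bytes(a ^ b for a, b in zip(self.iv, padded))

    def advance(self) -> None:
        """Consume one sequence number; refuse to wrap (RFC 8446, 5.3)."""
        if self.seq == SEQ_MAX:
            raise OverflowError("sequence number would wrap; a key update is required")
        self.seq += 1


class RecordLayer:
    def __init__(self, read_secret: bytes, write_secret: bytes) -> None:
        self.read = TrafficKeys(read_secret)
        self.write = TrafficKeys(write_secret)

    def set_read_traffic_key(self, secret: bytes) -> None:
        self.read = TrafficKeys(secret)

    def set_write_traffic_key(self, secret: bytes) -> None:
        self.write = TrafficKeys(secret)

    def key_update_received(self) -> None:
        """Peer's KeyUpdate: its send keys change, so only our read side moves."""
        self.set_read_traffic_key(next_traffic_secret(self.read.secret))

    def key_update_sent(self) -> None:
        """Our KeyUpdate is on the wire: only our write side moves."""
        self.set_write_traffic_key(next_traffic_secret(self.write.secret))
```

Each direction ratchets on its own: a received KeyUpdate replaces the read keys and resets the read sequence number while the write side keeps going, and a sent KeyUpdate does the reverse, which is exactly the situation a single set_traffic_keys() call cannot express.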
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.63 |
|
04-Sep-2021 |
jsing |
Factor out the TLSv1.3 code that handles content from TLS records.
Currently, the plaintext content from opened TLS records is handled via the rbuf code in the TLSv1.3 record layer. Factor this out and provide a separate struct tls_content, which knows how to track and manipulate the content.
This makes the TLSv1.3 code cleaner, however it will also soon also be used to untangle parts of the legacy record layer.
ok beck@ tb@
|
#
1.62 |
|
08-Jun-2021 |
tb |
Ignore the record version for early alerts
On receiving the first flight from the peer, we do not yet know if we are using TLSv1.3. In particular, we might get an alert record with record version 0x0300 from a pre-TLSv1.2 peer in response to our client hello. Ignore the record version instead of sending a protocol version alert in that situtation. This may also be hit when talking to a LibreSSL 3.3 server with an illegal SNI.
Part of an issue reported by danj.
ok jsing
|
#
1.61 |
|
16-May-2021 |
jsing |
Avoid pulling ssl_locl.h into self-contained code.
|
#
1.60 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.59 |
|
21-Mar-2021 |
jsing |
Split TLSv1.3 record protection from record layer.
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code.
ok inoguchi@ tb@
|
#
1.58 |
|
05-Jan-2021 |
tb |
Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()
ok jsing
|
#
1.57 |
|
04-Jan-2021 |
tb |
Keep the various free calls of tls13_record_layer_free() in the order of the struct members for reviewability.
ok jsing
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
branches: 1.53.4; Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_recod_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4; Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.62 |
|
08-Jun-2021 |
tb |
Ignore the record version for early alerts
On receiving the first flight from the peer, we do not yet know if we are using TLSv1.3. In particular, we might get an alert record with record version 0x0300 from a pre-TLSv1.2 peer in response to our client hello. Ignore the record version instead of sending a protocol version alert in that situtation. This may also be hit when talking to a LibreSSL 3.3 server with an illegal SNI.
Part of an issue reported by danj.
ok jsing
|
#
1.61 |
|
16-May-2021 |
jsing |
Avoid pulling ssl_locl.h into self-contained code.
|
#
1.60 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.59 |
|
21-Mar-2021 |
jsing |
Split TLSv1.3 record protection from record layer.
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code.
ok inoguchi@ tb@
|
#
1.58 |
|
05-Jan-2021 |
tb |
Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()
ok jsing
|
#
1.57 |
|
04-Jan-2021 |
tb |
Keep the various free calls of tls13_record_layer_free() in the order of the struct members for reviewability.
ok jsing
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
branches: 1.53.4; Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_recod_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4; Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts: "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.61 |
|
16-May-2021 |
jsing |
Avoid pulling ssl_locl.h into self-contained code.
|
#
1.60 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.59 |
|
21-Mar-2021 |
jsing |
Split TLSv1.3 record protection from record layer.
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code.
ok inoguchi@ tb@
|
#
1.58 |
|
05-Jan-2021 |
tb |
Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()
ok jsing
|
#
1.57 |
|
04-Jan-2021 |
tb |
Keep the various free calls of tls13_record_layer_free() in the order of the struct members for reviewability.
ok jsing
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands of TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
branches: 1.53.4;
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
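The content-type scan that 1.52 describes, together with the all-zero case from 1.51, as an added example written for this page; it is not code from LibreSSL's tls13_record_layer.c. After record protection is engaged the decrypted record is a TLSInnerPlaintext (RFC 8446 section 5.2): content, one non-zero content-type byte, then optional zero padding. The function names, the status enum and the sample inputs are this example's own constructions; the only bounds it relies on are the RFC's 2^14 content limit and the 2^14 + 256 protected-record limit.

```c
/*
 * Added example (not LibreSSL code): parse a decrypted TLSv1.3
 * TLSInnerPlaintext the way a record layer must before trusting the
 * content type. Names, the status enum and the samples are assumptions
 * made for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire values of the content types from RFC 8446. */
#define TLS13_CT_ALERT            21
#define TLS13_CT_HANDSHAKE        22
#define TLS13_CT_APPLICATION_DATA 23

/*
 * RFC 8446 section 5.1: content is at most 2^14 bytes. Section 5.2: a
 * protected record is at most 2^14 + 256 bytes, so a decrypted inner
 * plaintext longer than that cannot have come from a valid record.
 */
#define TLS13_MAX_CONTENT_LEN         (1 << 14)
#define TLS13_MAX_INNER_PLAINTEXT_LEN ((1 << 14) + 256)

/* Status values returned by the parser (example-specific). */
enum inner_status {
	INNER_OK = 0,
	INNER_UNEXPECTED_MESSAGE = -1,	/* send an unexpected_message alert */
	INNER_RECORD_OVERFLOW = -2,	/* send a record_overflow alert */
};

/*
 * Strips trailing zero padding, takes the last non-zero byte as the content
 * type and reports the length of the content before it. The empty and
 * all-zero cases are rejected before any length arithmetic, so *content_len
 * can never go "negative" (the freezero crash fixed in 1.51), and a
 * handshake or alert record with no content is rejected as RFC 8446
 * section 5.4 requires.
 */
int
tls13_inner_plaintext_parse(const uint8_t *plaintext, size_t plaintext_len,
    uint8_t *content_type, size_t *content_len)
{
	size_t n = plaintext_len;

	if (plaintext_len > TLS13_MAX_INNER_PLAINTEXT_LEN)
		return INNER_RECORD_OVERFLOW;

	/* Scan backwards over the zero padding. */
	while (n > 0 && plaintext[n - 1] == 0)
		n--;
	if (n == 0)
		return INNER_UNEXPECTED_MESSAGE;	/* no content type present */

	*content_type = plaintext[n - 1];
	*content_len = n - 1;

	if (*content_len > TLS13_MAX_CONTENT_LEN)
		return INNER_RECORD_OVERFLOW;

	if ((*content_type == TLS13_CT_HANDSHAKE ||
	    *content_type == TLS13_CT_ALERT) && *content_len == 0)
		return INNER_UNEXPECTED_MESSAGE;

	return INNER_OK;
}

/* Constructed sample inner plaintexts (not captured traffic). */
static const uint8_t sample_handshake[] = {
	0x01, 0x00, 0x00, 0x02, 0xaa, 0xbb,	/* made-up 6 byte handshake body */
	TLS13_CT_HANDSHAKE, 0x00, 0x00, 0x00	/* content type, then padding */
};
static const uint8_t sample_all_zero[8] = { 0 };
static const uint8_t sample_empty_alert[] = { TLS13_CT_ALERT };
static const uint8_t sample_empty_appdata[] = { TLS13_CT_APPLICATION_DATA };

/* Runs the parser over the samples; returns how many behaved as expected. */
int
tls13_inner_plaintext_selftest(void)
{
	uint8_t type = 0;
	size_t len = 0;
	int passed = 0;

	if (tls13_inner_plaintext_parse(sample_handshake,
	    sizeof(sample_handshake), &type, &len) == INNER_OK &&
	    type == TLS13_CT_HANDSHAKE && len == 6)
		passed++;
	if (tls13_inner_plaintext_parse(sample_all_zero,
	    sizeof(sample_all_zero), &type, &len) == INNER_UNEXPECTED_MESSAGE)
		passed++;
	if (tls13_inner_plaintext_parse(sample_all_zero, 0, &type, &len) ==
	    INNER_UNEXPECTED_MESSAGE)
		passed++;
	if (tls13_inner_plaintext_parse(sample_empty_alert,
	    sizeof(sample_empty_alert), &type, &len) == INNER_UNEXPECTED_MESSAGE)
		passed++;
	/* Zero-length application data is valid: the caller must not treat it as EOF. */
	if (tls13_inner_plaintext_parse(sample_empty_appdata,
	    sizeof(sample_empty_appdata), &type, &len) == INNER_OK && len == 0)
		passed++;
	return passed;
}

int
main(void)
{
	printf("%d of 5 sample checks passed\n", tls13_inner_plaintext_selftest());
	return 0;
}
```

The last sample matters for the read path: an empty application data record parses fine with a content length of zero, and it is the caller, not the parser, that has to avoid reporting that zero as end of file.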
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_record_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4;
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that the sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
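The sequence number handling discussed in 1.30 and 1.29, as an added example that is not LibreSSL's code: the record sequence number is a 64-bit big-endian counter kept as eight bytes, the wrap condition is checked before the increment rather than detected afterwards, and the same counter feeds the per-record nonce construction of RFC 8446 section 5.3 (counter left-padded with zeros to the IV length, XORed into the static IV). The function names and the sample values are assumptions made for this example.

```c
/*
 * Added example (not LibreSSL code): TLSv1.3 record sequence number
 * increment with an up-front wrap check, plus the per-record nonce from
 * RFC 8446 section 5.3. Function names are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS13_SEQ_NUM_LEN 8

/* Returns 1 if the counter is at its maximum, i.e. the next increment would wrap. */
int
tls13_seq_num_would_wrap(const uint8_t seq_num[TLS13_SEQ_NUM_LEN])
{
	size_t i;

	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++) {
		if (seq_num[i] != 0xff)
			return 0;
	}
	return 1;
}

/*
 * Increments the counter in place. Returns 1 on success and 0, without
 * touching the counter, if the increment would wrap: the record layer must
 * then stop protecting records under this key (close, or rekey first).
 */
int
tls13_seq_num_increment(uint8_t seq_num[TLS13_SEQ_NUM_LEN])
{
	int i;

	if (tls13_seq_num_would_wrap(seq_num))
		return 0;

	/* Ripple the carry up from the least significant (last) byte. */
	for (i = TLS13_SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq_num[i] != 0)
			break;
	}
	return 1;
}

/* Decodes the counter as an integer, for tests and logging. */
uint64_t
tls13_seq_num_value(const uint8_t seq_num[TLS13_SEQ_NUM_LEN])
{
	uint64_t v = 0;
	size_t i;

	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++)
		v = (v << 8) | seq_num[i];
	return v;
}

/*
 * Per-record nonce (RFC 8446 section 5.3): the sequence number in network
 * byte order, left-padded with zeros to iv_len, XORed with the static IV.
 * Returns 0 if the IV is too short to hold the sequence number.
 */
int
tls13_record_nonce(const uint8_t *iv, size_t iv_len,
    const uint8_t seq_num[TLS13_SEQ_NUM_LEN], uint8_t *nonce)
{
	size_t i, pad;

	if (iv_len < TLS13_SEQ_NUM_LEN)
		return 0;
	pad = iv_len - TLS13_SEQ_NUM_LEN;

	memcpy(nonce, iv, iv_len);
	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++)
		nonce[pad + i] ^= seq_num[i];
	return 1;
}

int
main(void)
{
	/* Constructed values: a 12 byte IV and a counter about to carry. */
	const uint8_t iv[12] = { 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5,
	    0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab };
	uint8_t seq[TLS13_SEQ_NUM_LEN] = { 0, 0, 0, 0, 0, 0, 0xff, 0xff };
	uint8_t nonce[12];

	tls13_seq_num_increment(seq);
	tls13_record_nonce(iv, sizeof(iv), seq, nonce);
	printf("seq=%llu nonce[4]=%02x nonce[11]=%02x\n",
	    (unsigned long long)tls13_seq_num_value(seq), nonce[4], nonce[11]);
	return 0;
}
```

Refusing the increment (instead of erroring after the wrap has already happened) keeps the counter from ever being reused with the same key, which is what the nonce construction depends on for AEAD safety.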
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.59 |
|
21-Mar-2021 |
jsing |
Split TLSv1.3 record protection from record layer.
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code.
ok inoguchi@ tb@
|
#
1.58 |
|
05-Jan-2021 |
tb |
Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()
ok jsing
|
#
1.57 |
|
04-Jan-2021 |
tb |
Keep the various free calls of tls13_record_layer_free() in the order of the struct members for reviewability.
ok jsing
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
branches: 1.53.4; Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_recod_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4; Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality; however, it will be worked on in tree.
ok tb@
|
#
1.58 |
|
05-Jan-2021 |
tb |
Convert tls13_record_layer.c to tls13_secret_{init,cleanup}()
ok jsing
|
#
1.57 |
|
04-Jan-2021 |
tb |
Keep the various free calls of tls13_record_layer_free() in the order of the struct members for reviewability.
ok jsing
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_recod_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4; Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.57 |
|
04-Jan-2021 |
tb |
Keep the various free calls of tls13_record_layer_free() in the order of the struct members for reviewability.
ok jsing
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_recod_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4; Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.56 |
|
02-Jan-2021 |
tb |
Free {alert,phh}_data in tls13_record_layer_free()
httpd(8)'s incorrect tls_close() after closing the underlying socket led to a leak: tls_close()'s attempt to send out the close_notify won't work very well over a closed pipe. This resulted in alert_data still hanging off the TLSv1.3 context's record layer struct. The tls_free() call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it as well. This diff makes -current httpd(8) run in constant memory over hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_recod_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4; Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
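The up-front wrap check that 1.30 and 1.29 describe, as an added example rather than LibreSSL's own code (the tls13_ex_ names, the 8-byte big-endian counter and the 12-byte IV are this example's assumptions): the sequence number is refused before it can wrap, and the per-record nonce derivation shows why a wrapped counter would be a nonce reuse under the same key.

```c
#include <stdint.h>
#include <string.h>

#define TLS13_EX_SEQ_NUM_LEN	8	/* 64-bit big-endian record sequence number */
#define TLS13_EX_IV_LEN		12	/* AEAD nonce length for the TLSv1.3 ciphers */

/*
 * Increment a big-endian sequence number. As 1.30 describes, the check
 * for wrapping happens up front: if every byte is already 0xff the
 * caller is told to fail (and send an alert) and the counter is left
 * untouched, so a wrapped value can never reach the nonce computation.
 * Returns 1 on success, 0 if incrementing would wrap.
 */
int
tls13_ex_seq_num_increment(uint8_t seq_num[TLS13_EX_SEQ_NUM_LEN])
{
	int i;

	for (i = 0; i < TLS13_EX_SEQ_NUM_LEN; i++)
		if (seq_num[i] != 0xff)
			break;
	if (i == TLS13_EX_SEQ_NUM_LEN)
		return 0;

	/* Propagate the carry from the least significant byte upwards. */
	for (i = TLS13_EX_SEQ_NUM_LEN - 1; i >= 0; i--)
		if (++seq_num[i] != 0)
			break;
	return 1;
}

/*
 * Derive the per-record nonce (RFC 8446 section 5.3): the sequence number,
 * left-padded with zeros to the IV length, XORed with the static IV. Every
 * record under one key needs a distinct nonce, which is why the sequence
 * number may never wrap.
 */
void
tls13_ex_record_nonce(const uint8_t iv[TLS13_EX_IV_LEN],
    const uint8_t seq_num[TLS13_EX_SEQ_NUM_LEN], uint8_t nonce[TLS13_EX_IV_LEN])
{
	int i;

	memcpy(nonce, iv, TLS13_EX_IV_LEN);
	for (i = 0; i < TLS13_EX_SEQ_NUM_LEN; i++)
		nonce[TLS13_EX_IV_LEN - TLS13_EX_SEQ_NUM_LEN + i] ^= seq_num[i];
}

/* Read a big-endian sequence number as an integer (used by the checks). */
uint64_t
tls13_ex_seq_num_value(const uint8_t seq_num[TLS13_EX_SEQ_NUM_LEN])
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < TLS13_EX_SEQ_NUM_LEN; i++)
		v = (v << 8) | seq_num[i];
	return v;
}

/* Constructed checks (not real traffic); returns the number of failures. */
int
tls13_ex_seq_num_check_vectors(void)
{
	uint8_t seq[TLS13_EX_SEQ_NUM_LEN] = { 0, 0, 0, 0, 0, 0, 0, 0xff };
	const uint8_t iv[TLS13_EX_IV_LEN] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
	uint8_t nonce_a[TLS13_EX_IV_LEN], nonce_b[TLS13_EX_IV_LEN];
	int failures = 0;

	/* Carry across a byte boundary: 0x00..00ff -> 0x00..0100. */
	if (!tls13_ex_seq_num_increment(seq) || tls13_ex_seq_num_value(seq) != 0x100)
		failures++;

	/* Consecutive sequence numbers give distinct nonces. */
	tls13_ex_record_nonce(iv, seq, nonce_a);
	tls13_ex_seq_num_increment(seq);
	tls13_ex_record_nonce(iv, seq, nonce_b);
	if (memcmp(nonce_a, nonce_b, TLS13_EX_IV_LEN) == 0)
		failures++;

	/* The maximum value is refused and left unchanged. */
	memset(seq, 0xff, sizeof(seq));
	if (tls13_ex_seq_num_increment(seq) != 0 ||
	    tls13_ex_seq_num_value(seq) != UINT64_MAX)
		failures++;

	return failures;
}
```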
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. Tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for received and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts: "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.55 |
|
15-Oct-2020 |
tb |
zap annoying stray spaces
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_recod_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4; Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.54 |
|
03-Oct-2020 |
jsing |
Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert()
This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function.
Requested by tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.53 |
|
11-Sep-2020 |
jsing |
Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with TLS13_ALERT_* defines.
ok beck@ tb@
|
#
1.52 |
|
11-Aug-2020 |
jsing |
Send an unexpected message alert if no valid content type is found.
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
ok tb@
|
#
1.51 |
|
10-Aug-2020 |
tb |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
ok inoguchi jsing
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_recod_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
branches: 1.33.4; Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around the record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that the sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
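The up-front wrap check that r1.30 above describes (refining the r1.29 fix below), as an added C illustration that is not LibreSSL's code: the 64-bit big-endian sequence number is only incremented once it is known not to be all 0xff, so the carry loop can never run off the front of the array and the counter can never wrap to zero, which would reuse an AEAD nonce under the same traffic key. The tls13_seq_num_* function names and the encode/decode helpers are this example's own, not the library's API.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Added illustration, not LibreSSL's code. A TLSv1.3 record sequence number
 * is a 64-bit big-endian counter (RFC 8446 section 5.3) that MUST NOT wrap:
 * reusing a sequence number would reuse an AEAD nonce under the same key.
 * As r1.30 describes, the check is done up front, so the counter is only
 * touched when the increment is known to be safe.
 */
#define TLS13_SEQ_NUM_LEN 8

/* Return 1 if every byte is 0xff, i.e. the next increment would wrap. */
int
tls13_seq_num_at_max(const uint8_t seq[TLS13_SEQ_NUM_LEN])
{
	size_t i;

	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++)
		if (seq[i] != 0xff)
			return 0;
	return 1;
}

/*
 * Increment the sequence number in place. Returns 1 on success and 0, with
 * seq unchanged, when the increment would wrap; the caller must then fail
 * the connection (a KeyUpdate should have happened long before this).
 */
int
tls13_seq_num_increment(uint8_t seq[TLS13_SEQ_NUM_LEN])
{
	int i;

	if (tls13_seq_num_at_max(seq))
		return 0;

	/*
	 * Propagate the carry from the least significant byte; because the
	 * all-0xff case was excluded, the loop always stops at some byte.
	 */
	for (i = TLS13_SEQ_NUM_LEN - 1; i >= 0; i--)
		if (++seq[i] != 0)
			break;
	return 1;
}

/* Helpers to move between the wire encoding and a uint64_t. */
void
tls13_seq_num_encode(uint64_t v, uint8_t seq[TLS13_SEQ_NUM_LEN])
{
	int i;

	for (i = TLS13_SEQ_NUM_LEN - 1; i >= 0; i--) {
		seq[i] = (uint8_t)(v & 0xff);
		v >>= 8;
	}
}

uint64_t
tls13_seq_num_decode(const uint8_t seq[TLS13_SEQ_NUM_LEN])
{
	uint64_t v = 0;
	size_t i;

	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++)
		v = (v << 8) | seq[i];
	return v;
}

/* Convenience for checking: increment from v and report whether it was allowed... */
int
tls13_seq_num_step_ok(uint64_t v)
{
	uint8_t seq[TLS13_SEQ_NUM_LEN];

	tls13_seq_num_encode(v, seq);
	return tls13_seq_num_increment(seq);
}

/* ... and the resulting value (unchanged when the increment is refused). */
uint64_t
tls13_seq_num_step(uint64_t v)
{
	uint8_t seq[TLS13_SEQ_NUM_LEN];

	tls13_seq_num_encode(v, seq);
	(void)tls13_seq_num_increment(seq);
	return tls13_seq_num_decode(seq);
}
```

The pre-r1.30 shape that the entry criticises, incrementing first and detecting the overflow afterwards, leaves a window in which the counter has already wrapped; testing for the maximum before touching the bytes is what makes the failure return the only path on which the counter is not advanced.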
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. Tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for received and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts: "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.50 |
|
04-Aug-2020 |
inoguchi |
Cleanup aead_ctx
ok jsing@ tb@
|
#
1.49 |
|
01-Jun-2020 |
tb |
Split the handling of post handshake handshake messages into its own recv function. This simplifies tls13_record_layer_read_internal() greatly and makes the phh handling easier to reason about since the code is no longer glued to the right hand edge of the terminal.
ok jsing
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
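The checks described in the 1.34, 1.40, 1.46 and 1.48 entries above, as an added worked example in C. This is not LibreSSL's tls13_record_layer.c: the function names, the two structs and the choice of protocol_version as the alert for a mismatched record version are assumptions made here. The limits are the ones RFC 8446 sections 5.1 and 5.2 state (2^14 for plaintext, 2^14 + 1 for the inner plaintext, 2^14 + 256 for ciphertext), and the empty-content rule is the one in section 5.4.

```c
/*
 * Added example, not LibreSSL code: the record framing checks described in
 * the 1.34, 1.40, 1.46 and 1.48 log entries, following RFC 8446 sections
 * 5.1, 5.2 and 5.4. Names and the protocol_version alert are assumptions.
 */
#include <stddef.h>
#include <stdint.h>

#define TLS13_RECORD_HEADER_LEN			5
#define TLS13_RECORD_MAX_PLAINTEXT_LEN		16384		/* 2^14 */
#define TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN	(16384 + 1)	/* 2^14 + 1 */
#define TLS13_RECORD_MAX_CIPHERTEXT_LEN		(16384 + 256)	/* 2^14 + 256 */
#define TLS1_2_VERSION				0x0303

#define TLS13_ALERT_UNEXPECTED_MESSAGE	10
#define TLS13_ALERT_RECORD_OVERFLOW	22
#define TLS13_ALERT_DECODE_ERROR	50
#define TLS13_ALERT_PROTOCOL_VERSION	70

#define TLS13_CONTENT_ALERT		21
#define TLS13_CONTENT_HANDSHAKE		22
#define TLS13_CONTENT_APPLICATION_DATA	23

struct record_header { uint8_t content_type; uint16_t version; uint16_t length; };
struct inner_plaintext { uint8_t content_type; const uint8_t *content; size_t content_len; };

/*
 * Parse the five byte record header. Before the TLSv1.3 ServerHello only the
 * major version byte must be 3; once legacy_version is TLS1_2_VERSION the
 * record version must be exactly that (1.40). The length limit depends on
 * whether the record is protected (1.46). Returns 1, or 0 with *alert set.
 */
int
tls13_record_header_parse(const uint8_t *buf, size_t len,
    uint16_t legacy_version, int is_protected, struct record_header *hdr,
    uint8_t *alert)
{
	size_t max_len = is_protected ? TLS13_RECORD_MAX_CIPHERTEXT_LEN :
	    TLS13_RECORD_MAX_PLAINTEXT_LEN;

	if (len < TLS13_RECORD_HEADER_LEN) {
		*alert = TLS13_ALERT_DECODE_ERROR;
		return 0;
	}
	hdr->content_type = buf[0];
	hdr->version = (uint16_t)((buf[1] << 8) | buf[2]);
	hdr->length = (uint16_t)((buf[3] << 8) | buf[4]);

	if (legacy_version < TLS1_2_VERSION ? (hdr->version >> 8) != 0x03 :
	    hdr->version != TLS1_2_VERSION) {
		*alert = TLS13_ALERT_PROTOCOL_VERSION;
		return 0;
	}
	if (hdr->length > max_len) {
		*alert = TLS13_ALERT_RECORD_OVERFLOW;
		return 0;
	}
	return 1;
}

/*
 * Process a decrypted TLSInnerPlaintext: enforce the 2^14 + 1 limit (1.48),
 * strip the zero padding, recover the real content type and reject empty
 * handshake or alert content (1.34, RFC 8446 5.4). Zero-length application
 * data is valid and returns content_len == 0; do not report it as EOF (1.47).
 */
int
tls13_inner_plaintext_parse(const uint8_t *buf, size_t len,
    struct inner_plaintext *ip, uint8_t *alert)
{
	size_t i;

	if (len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) {
		*alert = TLS13_ALERT_RECORD_OVERFLOW;
		return 0;
	}
	/* Padding is the run of zero octets after the content type octet. */
	for (i = len; i > 0 && buf[i - 1] == 0; i--)
		;
	if (i == 0) {
		/* Nothing but padding: there is no content type at all. */
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}
	ip->content_type = buf[i - 1];
	ip->content = buf;
	ip->content_len = i - 1;

	if (ip->content_type == TLS13_CONTENT_APPLICATION_DATA)
		return 1;
	if ((ip->content_type == TLS13_CONTENT_HANDSHAKE ||
	    ip->content_type == TLS13_CONTENT_ALERT) && ip->content_len > 0)
		return 1;
	/* Empty handshake/alert, or a change_cipher_spec sent protected. */
	*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
	return 0;
}
```

The asymmetry in the last lines is the point of 1.34 and 1.47 taken together: an empty application data record is legal and must surface as a zero-length read that the caller retries rather than as EOF, while an empty handshake or alert record, or a record that is nothing but padding, is fatal. Note that RFC 8446 section 5.1 tells receivers to ignore legacy_record_version; 1.40 chose to check it anyway, which is stricter than the RFC and is why the version branch is worth a second look if a peer fails to interoperate.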
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
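The sequence number rule from the 1.29 and 1.30 entries above, as an added example in C that is not LibreSSL code; the function names, the uint64_t conversion helpers and the 12 byte IV length are assumptions. It checks for exhaustion before incrementing, as 1.30 describes, and shows why the rule matters: the counter feeds the AEAD nonce of RFC 8446 section 5.3, so a wrapped counter would reuse a nonce under the same key.

```c
/*
 * Added example, not LibreSSL code: the sequence number handling described
 * in the 1.29 and 1.30 log entries, plus the per-record nonce of RFC 8446
 * section 5.3 that consumes it. Names and the 12 byte IV are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS13_RECORD_SEQ_NUM_LEN	8
#define TLS13_IV_LEN			12	/* AES-GCM and ChaCha20-Poly1305 */

void
tls13_seq_num_set(uint8_t *seq_num, uint64_t value)
{
	size_t i;

	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++)
		seq_num[i] = (uint8_t)(value >> (8 * (7 - i)));
}

uint64_t
tls13_seq_num_get(const uint8_t *seq_num)
{
	uint64_t value = 0;
	size_t i;

	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++)
		value = (value << 8) | seq_num[i];
	return value;
}

/*
 * Increment the big-endian 64-bit record sequence number. RFC 8446 5.3
 * says it must never wrap, so check up front whether the next value would
 * be zero and leave seq_num untouched in that case (1.30), rather than
 * incrementing first and noticing the carry afterwards. Returns 1 on
 * success, 0 when the counter is exhausted; the caller must then fail the
 * record instead of sealing or opening it.
 */
int
tls13_record_layer_inc_seq_num(uint8_t *seq_num)
{
	size_t i;

	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++) {
		if (seq_num[i] != 0xff)
			break;
	}
	if (i == TLS13_RECORD_SEQ_NUM_LEN)
		return 0;

	/* The carry ripples up from the least significant byte. */
	for (i = TLS13_RECORD_SEQ_NUM_LEN; i > 0; i--) {
		if (++seq_num[i - 1] != 0)
			break;
	}
	return 1;
}

/*
 * Per-record nonce (RFC 8446 5.3): the sequence number left-padded with
 * zeros to the IV length, XORed with the static IV for this direction.
 * Because the sequence number never repeats under one key, neither does
 * the nonce, which is what AES-GCM and ChaCha20-Poly1305 require.
 */
int
tls13_record_layer_nonce(const uint8_t *iv, size_t iv_len,
    const uint8_t *seq_num, uint8_t *nonce)
{
	size_t i, pad;

	if (iv_len < TLS13_RECORD_SEQ_NUM_LEN)
		return 0;
	pad = iv_len - TLS13_RECORD_SEQ_NUM_LEN;
	memset(nonce, 0, pad);
	memcpy(nonce + pad, seq_num, TLS13_RECORD_SEQ_NUM_LEN);
	for (i = 0; i < iv_len; i++)
		nonce[i] ^= iv[i];
	return 1;
}
```

Exhausting a 64-bit counter is not a practical concern on the wire; the check exists so that the record layer's behaviour at the boundary is defined by code rather than by whatever the increment loop happens to do, which is the "less magic" 1.30 refers to. In a real stack the counter is reset to zero whenever the traffic key changes, for instance after a KeyUpdate.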
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
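The dummy ChangeCipherSpec handling from the 1.21, 1.33 and 1.36 entries above, as an added example in C that is not LibreSSL code; the state struct and function names are assumptions, and the limit of two dummy CCS records is the choice 1.33 describes. Both directions are shown: dropping the peer's dummy CCS records inside the window 1.21 defines, and building the one the client sends in compatibility mode.

```c
/*
 * Added example, not LibreSSL code: the dummy ChangeCipherSpec handling
 * described in the 1.21, 1.33 and 1.36 log entries, following RFC 8446
 * appendix D.4. The state struct and names are assumptions; the limit of
 * two is what 1.33 chose to accommodate the HelloRetryRequest case.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS13_CONTENT_CHANGE_CIPHER_SPEC	20
#define TLS13_ALERT_UNEXPECTED_MESSAGE		10
#define TLS13_MAX_DUMMY_CCS			2	/* after HRR and after ServerHello */

struct tls13_ccs_state {
	int	ccs_allowed;	/* between ClientHello and the peer's Finished (1.21) */
	int	ccs_seen;
};

void
tls13_ccs_client_hello_done(struct tls13_ccs_state *s)
{
	s->ccs_allowed = 1;
}

void
tls13_ccs_peer_finished(struct tls13_ccs_state *s)
{
	s->ccs_allowed = 0;
}

/*
 * Handle an unprotected record with content type change_cipher_spec.
 * It is only acceptable inside the handshake window, at most twice, and
 * only as the single octet 0x01 with nothing following it. Returns 1 when
 * the record is to be silently dropped, 0 with *alert set when the
 * connection must be aborted (RFC 8446 D.4 requires unexpected_message).
 */
int
tls13_ccs_record_process(struct tls13_ccs_state *s, const uint8_t *buf,
    size_t len, uint8_t *alert)
{
	if (!s->ccs_allowed || s->ccs_seen >= TLS13_MAX_DUMMY_CCS ||
	    len != 1 || buf[0] != 0x01) {
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}
	s->ccs_seen++;
	return 1;
}

/*
 * Sending side: in compatibility mode the client emits a dummy CCS record
 * immediately before its second flight (1.36) and a server sends one after
 * its first handshake message (1.33). The record goes out in the clear with
 * legacy_record_version 0x0303. Returns the bytes written, 0 if out is too
 * small.
 */
size_t
tls13_ccs_dummy_record(uint8_t *out, size_t out_len)
{
	static const uint8_t dummy_ccs[] = {
		TLS13_CONTENT_CHANGE_CIPHER_SPEC, 0x03, 0x03, 0x00, 0x01, 0x01,
	};

	if (out_len < sizeof(dummy_ccs))
		return 0;
	memcpy(out, dummy_ccs, sizeof(dummy_ccs));
	return sizeof(dummy_ccs);
}
```

A CCS record that arrives protected never reaches this function: once the record layer is decrypting, the recovered inner content type is checked and change_cipher_spec is rejected there. The second dummy CCS is accepted only because Fizz sends one after HelloRetryRequest and again after ServerHello; a third, a CCS before the ClientHello, one after the peer's Finished, or one carrying anything other than the single 0x01 octet all terminate the connection.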
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.48 |
|
01-Jun-2020 |
tb |
Add a mechanism to set an alert in those parts of the read half of the record layer that don't do I/O themselves. Use this mechanism to send a record overflow alert for messages that have overlong plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that the sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
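As an added example, not LibreSSL's code (the struct and function names are this example's own), here is the shape of the sequence number handling the 1.30 and 1.29 messages above describe, together with the per-record nonce construction from RFC 8446 section 5.3 that consumes the counter. The wrap check runs before the increment, so a counter that has reached 2^64-1 is never modified and the caller has to close the connection instead of reusing a nonce.

```c
/*
 * Added example, not LibreSSL code: a TLSv1.3 record sequence number that
 * refuses to wrap, plus the per-record AEAD nonce derived from it.
 * RFC 8446 section 5.3: the sequence number is a 64-bit counter that must
 * never wrap, and the nonce is the write IV XORed with the counter
 * left-padded with zeros to the IV length.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS13_SEQ_NUM_LEN 8

struct tls13_seq_num {
	uint8_t num[TLS13_SEQ_NUM_LEN];	/* big-endian 64-bit counter */
};

static void
tls13_seq_num_set(struct tls13_seq_num *seq, uint64_t value)
{
	int i;

	for (i = TLS13_SEQ_NUM_LEN - 1; i >= 0; i--) {
		seq->num[i] = value & 0xff;
		value >>= 8;
	}
}

static uint64_t
tls13_seq_num_get(const struct tls13_seq_num *seq)
{
	uint64_t value = 0;
	int i;

	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++)
		value = (value << 8) | seq->num[i];
	return value;
}

/*
 * Returns 1 after incrementing the counter, or 0 if the increment would wrap
 * to zero. In the wrap case the counter is left untouched; the caller has to
 * tear the connection down rather than reuse a nonce.
 */
static int
tls13_seq_num_increment(struct tls13_seq_num *seq)
{
	int i;

	/* Check up front: only an all-0xff counter would wrap. */
	for (i = 0; i < TLS13_SEQ_NUM_LEN; i++) {
		if (seq->num[i] != 0xff)
			break;
	}
	if (i == TLS13_SEQ_NUM_LEN)
		return 0;

	/* The carry chain is now guaranteed to stop before the top byte wraps. */
	for (i = TLS13_SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq->num[i] != 0)
			break;
	}
	return 1;
}

/*
 * Build the AEAD nonce for the current record: nonce = iv XOR pad(seq).
 * Returns 1 on success, 0 if the IV cannot hold the counter or the output
 * buffer does not match the IV length.
 */
static int
tls13_record_nonce(const uint8_t *iv, size_t iv_len,
    const struct tls13_seq_num *seq, uint8_t *nonce, size_t nonce_len)
{
	size_t i, pad;

	if (iv_len < TLS13_SEQ_NUM_LEN || nonce_len != iv_len)
		return 0;

	pad = iv_len - TLS13_SEQ_NUM_LEN;
	memset(nonce, 0, pad);
	memcpy(nonce + pad, seq->num, TLS13_SEQ_NUM_LEN);
	for (i = 0; i < iv_len; i++)
		nonce[i] ^= iv[i];

	return 1;
}

int
main(void)
{
	struct tls13_seq_num seq;

	/* Constructed input: the counter one step below the limit. */
	tls13_seq_num_set(&seq, UINT64_MAX - 1);
	printf("increment -> %d, value %llx\n", tls13_seq_num_increment(&seq),
	    (unsigned long long)tls13_seq_num_get(&seq));
	printf("increment at limit -> %d, value %llx\n",
	    tls13_seq_num_increment(&seq),
	    (unsigned long long)tls13_seq_num_get(&seq));
	return 0;
}
```

In practice a sender never gets near the limit: the write side should issue a KeyUpdate long before, and the read side treats the wrap as a protocol failure. The point of checking before incrementing is that the refused increment leaves no window in which a nonce could be reused.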
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
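The CCS rule described in the 1.33 and 1.21 messages above, written out as an added example that is not LibreSSL's code (state struct, hook names and the TLS13_CCS_DROP value are this example's own). RFC 8446 section 5 only permits an unencrypted change_cipher_spec record consisting of the single byte 0x01 between the first ClientHello and the peer's Finished, and requires any other CCS value, or a CCS inside a protected record, to abort with unexpected_message; the cap on how many dummies to tolerate is the policy from 1.33, not something the RFC states.

```c
/*
 * Added example, not LibreSSL code: the ChangeCipherSpec acceptance rule from
 * RFC 8446 section 5 with the two-dummy-CCS relaxation described in the 1.33
 * message. The record layer asks what to do with each CCS record it sees and
 * either drops it or gets back the alert description to send.
 */
#include <stdint.h>
#include <stddef.h>

#define TLS13_ALERT_UNEXPECTED_MESSAGE	10	/* RFC 8446 section 6 */

#define TLS13_CCS_DROP			0	/* record consumed, keep reading */

struct tls13_ccs_state {
	int ccs_allowed;	/* ClientHello sent/received, peer Finished not yet */
	int ccs_seen;		/* dummy CCS records dropped so far */
	int ccs_max;		/* how many to tolerate; 2 covers the Fizz HRR case */
};

static void
tls13_ccs_state_init(struct tls13_ccs_state *st, int ccs_max)
{
	st->ccs_allowed = 0;
	st->ccs_seen = 0;
	st->ccs_max = ccs_max;
}

/* Handshake hooks: where the flag from the 1.21 message is set and cleared. */
static void
tls13_ccs_client_hello_done(struct tls13_ccs_state *st)
{
	st->ccs_allowed = 1;
}

static void
tls13_ccs_peer_finished_received(struct tls13_ccs_state *st)
{
	st->ccs_allowed = 0;
}

/*
 * Process one change_cipher_spec record. Returns TLS13_CCS_DROP if the record
 * is an acceptable dummy that must be silently discarded, otherwise the alert
 * description to send before tearing the connection down.
 *
 * in_protected_record is 1 when the CCS content type was found inside a
 * decrypted TLSInnerPlaintext rather than as the outer type of an unencrypted
 * record; RFC 8446 never allows that.
 */
static int
tls13_ccs_record_process(struct tls13_ccs_state *st, const uint8_t *data,
    size_t len, int in_protected_record)
{
	if (in_protected_record)
		return TLS13_ALERT_UNEXPECTED_MESSAGE;
	if (!st->ccs_allowed)
		return TLS13_ALERT_UNEXPECTED_MESSAGE;
	/* Exactly one byte with value 0x01 and no trailing data. */
	if (len != 1 || data[0] != 0x01)
		return TLS13_ALERT_UNEXPECTED_MESSAGE;
	/* Policy from 1.33: one dummy per server flight, so at most two. */
	if (st->ccs_seen >= st->ccs_max)
		return TLS13_ALERT_UNEXPECTED_MESSAGE;
	st->ccs_seen++;
	return TLS13_CCS_DROP;
}
```

Keeping the count bounded matters because a dropped record costs nothing at the TLS layer: without a cap, a peer could feed an endless stream of dummy CCS records that the handshake would silently swallow.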
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the TLS 1.3 record layer and handshake layer.
ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. Tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for received and completed post handshake messages from the record layer.
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
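The alert classification that the 1.9, 1.8 and 1.5 messages above arrive at, as an added example that is not LibreSSL's code (the state struct, hook name and EXAMPLE_IO_* values are this example's own; LibreSSL's numeric return codes are not assumed). RFC 8446 section 6 makes close_notify and user_canceled the only closure alerts and treats every other alert as a fatal error alert regardless of its level byte, which is why the level is consulted only for the pre-TLSv1.3 peer case from 1.26.

```c
/*
 * Added example, not LibreSSL code: classifying a received TLSv1.3 alert
 * record into the outcomes the 1.5, 1.8 and 1.9 messages describe.
 */
#include <stdint.h>
#include <stddef.h>

#define TLS13_ALERT_LEVEL_WARNING	1
#define TLS13_ALERT_LEVEL_FATAL		2

#define TLS13_ALERT_CLOSE_NOTIFY	0
#define TLS13_ALERT_ILLEGAL_PARAMETER	47
#define TLS13_ALERT_DECODE_ERROR	50
#define TLS13_ALERT_USER_CANCELED	90

/* This example's own IO results; LibreSSL's values are not assumed. */
#define EXAMPLE_IO_EOF		0
#define EXAMPLE_IO_ALERT	-2
#define EXAMPLE_IO_WANT_POLLIN	-3

struct tls13_alert_state {
	int legacy_alerts_allowed;	/* set until the ServerHello proves TLSv1.3 */
	int read_closed;
	int write_closed;
};

/*
 * Process the two-byte body of an alert record. Returns EXAMPLE_IO_EOF for a
 * close_notify (read side closed, writes still permitted so our own
 * close_notify can follow), EXAMPLE_IO_WANT_POLLIN when the record is to be
 * ignored and the next one read, or EXAMPLE_IO_ALERT when the connection is
 * finished. *alert_to_send is -1, or the description we must send back
 * before closing.
 */
static int
tls13_alert_process(struct tls13_alert_state *st, const uint8_t *data,
    size_t len, int *alert_to_send)
{
	uint8_t level, desc;

	*alert_to_send = -1;

	if (len != 2) {
		st->read_closed = st->write_closed = 1;
		*alert_to_send = TLS13_ALERT_DECODE_ERROR;
		return EXAMPLE_IO_ALERT;
	}
	level = data[0];
	desc = data[1];

	if (level != TLS13_ALERT_LEVEL_WARNING &&
	    level != TLS13_ALERT_LEVEL_FATAL) {
		/* Malformed; answering illegal_parameter is this example's choice. */
		st->read_closed = st->write_closed = 1;
		*alert_to_send = TLS13_ALERT_ILLEGAL_PARAMETER;
		return EXAMPLE_IO_ALERT;
	}

	/* Closure alerts: the level is irrelevant in TLSv1.3. */
	if (desc == TLS13_ALERT_CLOSE_NOTIFY) {
		st->read_closed = 1;
		return EXAMPLE_IO_EOF;
	}
	if (desc == TLS13_ALERT_USER_CANCELED) {
		/* A close_notify should follow; nothing to do yet. */
		return EXAMPLE_IO_WANT_POLLIN;
	}

	/* Only a pre-TLSv1.3 stack may still send non-fatal warnings. */
	if (level == TLS13_ALERT_LEVEL_WARNING && st->legacy_alerts_allowed)
		return EXAMPLE_IO_WANT_POLLIN;

	/* Error alert: both channels are done and nothing is sent in reply. */
	st->read_closed = st->write_closed = 1;
	return EXAMPLE_IO_ALERT;
}

/* Handshake hook: once the ServerHello selects TLSv1.3, legacy rules end. */
static void
tls13_alert_server_hello_received(struct tls13_alert_state *st)
{
	st->legacy_alerts_allowed = 0;
}
```

The asymmetry in close_notify handling is deliberate: it closes only the read channel, so SSL_shutdown() can still put our own close_notify on the wire, whereas an error alert closes both channels at once.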
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.47 |
|
29-May-2020 |
jsing |
Handle the case where we receive a valid 0 byte application data record.
In this situation we cannot return zero bytes, as that signals EOF. Rather we need to return TLS13_IO_WANT_POLLIN to tell the caller to call us again, at which point we'll pull up the next record.
ok tb@
|
#
1.46 |
|
26-May-2020 |
jsing |
Add additional length checks for TLSv1.3 plaintext and inner plaintext.
Reminded by and ok beck@
|
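The checks the 1.34, 1.41, 1.46 and 1.47 messages above describe, collected into one added example that is not LibreSSL's code (struct, function names and the EXAMPLE_IO_WANT_POLLIN value are this example's own). It validates a decrypted TLSInnerPlaintext against RFC 8446 sections 5.2 and 5.4 (length limits, zero padding, content type, and the empty handshake/alert case found with tlsfuzzer) and then shows why a legal zero-length application data record must not be reported as zero bytes read.

```c
/*
 * Added example, not LibreSSL code: validation of a decrypted
 * TLSInnerPlaintext (RFC 8446 sections 5.2 and 5.4) and the zero-length
 * application data case from the 1.47 message.
 */
#include <stdint.h>
#include <stddef.h>
#include <sys/types.h>

#define TLS13_RECORD_MAX_PLAINTEXT_LEN		16384	/* 2^14 */
#define TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN	(TLS13_RECORD_MAX_PLAINTEXT_LEN + 1)
#define TLS13_RECORD_MAX_CIPHERTEXT_LEN		(TLS13_RECORD_MAX_PLAINTEXT_LEN + 256)

#define TLS13_CONTENT_CHANGE_CIPHER_SPEC	20
#define TLS13_CONTENT_ALERT			21
#define TLS13_CONTENT_HANDSHAKE			22
#define TLS13_CONTENT_APPLICATION_DATA		23

#define TLS13_ALERT_UNEXPECTED_MESSAGE		10
#define TLS13_ALERT_RECORD_OVERFLOW		22

/* This example's own "call me again" result; LibreSSL's value is not assumed. */
#define EXAMPLE_IO_WANT_POLLIN	-3

struct tls13_inner_plaintext {
	uint8_t content_type;
	const uint8_t *content;
	size_t content_len;
};

/* Length check on the sealed record, before any decryption is attempted. */
static int
tls13_ciphertext_len_check(size_t len, uint8_t *alert)
{
	if (len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) {
		*alert = TLS13_ALERT_RECORD_OVERFLOW;
		return 0;
	}
	return 1;
}

/*
 * Parse a decrypted TLSInnerPlaintext: content || type || zero padding.
 * Returns 1 and fills *ip on success; returns 0 and sets *alert otherwise.
 */
static int
tls13_inner_plaintext_parse(const uint8_t *buf, size_t len,
    struct tls13_inner_plaintext *ip, uint8_t *alert)
{
	size_t pos;

	if (len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) {
		*alert = TLS13_ALERT_RECORD_OVERFLOW;
		return 0;
	}

	/* Scan back over the zero padding to find the content type octet. */
	pos = len;
	while (pos > 0 && buf[pos - 1] == 0)
		pos--;
	if (pos == 0) {
		/* No non-zero octet at all: section 5.2 says unexpected_message. */
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}

	ip->content_type = buf[pos - 1];
	ip->content = buf;
	ip->content_len = pos - 1;	/* at most 2^14 given the bound above */

	switch (ip->content_type) {
	case TLS13_CONTENT_ALERT:
	case TLS13_CONTENT_HANDSHAKE:
		/* Section 5.4: zero-length handshake/alert content is forbidden. */
		if (ip->content_len == 0) {
			*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
			return 0;
		}
		return 1;
	case TLS13_CONTENT_APPLICATION_DATA:
		return 1;
	default:
		/* A protected change_cipher_spec, or an unknown type. */
		*alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
		return 0;
	}
}

/*
 * What a read of application data reports for a parsed record. A zero-length
 * application data record is legal, but returning 0 bytes would read as EOF
 * to the caller, so ask to be called again instead.
 */
static ssize_t
tls13_application_data_result(const struct tls13_inner_plaintext *ip)
{
	if (ip->content_len == 0)
		return EXAMPLE_IO_WANT_POLLIN;
	return (ssize_t)ip->content_len;
}
```

Note that the padding scan has to run over the whole decrypted buffer rather than stopping early: the padding length is part of what the record layer is required to hide from an observer, so a caller-visible early exit would reintroduce a length side channel the zero padding exists to remove.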
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.45 |
|
23-May-2020 |
jsing |
Provide the option to retry or return after post-handshake messages.
In TLSv1.3 post-handshake handshake messages are used for key updates and session tickets. These are in-band and mean that when the upper layer goes to read application data, we can end up reading and having to process handshake messages - this option changes whether we retry and read the next TLS record, or if we return, signalling that we want more data to be available.
ok beck@ inoguchi@ tb@
|
#
1.44 |
|
20-May-2020 |
beck |
Revert 1.43 - this fix for PHH in blocking mode breaks SSL_accept and SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution for PHH in blocking mode, the breakage this causes is visible in real things, and we've only managed to hit the PHH breakage in a test case.
ok tb@
|
#
1.43 |
|
16-May-2020 |
jsing |
Return TLS13_IO_WANT_POLLIN after processing post-handshake messages.
After post-handshake handshake messages have been processed, we need to return TLS13_IO_WANT_POLLIN rather than TLS13_IO_WANT_RETRY. The latter will cause us to try to read another TLS record, when there may not be any data available - this will then block in the case of a blocking read.
This reverts part of r1.25.
Issue noticed by inoguchi@
ok beck@ tb@
|
#
1.42 |
|
13-May-2020 |
jsing |
Remove a no longer relevant XXX comment.
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
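The two checks described in r1.41 (record overflow) and r1.40 (record version), written out as an added example. This is not the LibreSSL code from tls13_record_layer.c: the function and enum names are my own, the version constants carry the values used in the OpenSSL/LibreSSL headers, and the choice of a protocol_version alert for a bad record version is my assumption. The length limit comes from RFC 8446 section 5.2, which requires a record_overflow alert for any record longer than 2^14 + 256 bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values as defined in the OpenSSL/LibreSSL headers. */
#define SSL3_VERSION   0x0300
#define TLS1_VERSION   0x0301
#define TLS1_2_VERSION 0x0303

#define RECORD_HEADER_LEN 5
/* RFC 8446 section 5.2: TLSCiphertext.length MUST NOT exceed 2^14 + 256. */
#define RECORD_MAX_CIPHERTEXT_LEN (16384 + 256)

/* Outcome of the header check; the failures name the alert to send. */
enum record_check {
	RECORD_OK = 0,
	RECORD_SHORT_HEADER,	/* not enough bytes yet, read more */
	RECORD_BAD_VERSION,	/* protocol_version alert (assumption) */
	RECORD_OVERFLOW		/* record_overflow alert (RFC 8446 5.2) */
};

/*
 * The r1.40 rule: while the connection's legacy version is still below
 * TLSv1.2 (i.e. before the ServerHello has been processed) any SSL3/TLS
 * record version 0x03xx is accepted; once it is TLS1_2_VERSION the record
 * version must be exactly 0x0303.
 */
static int
record_version_ok(uint16_t record_version, uint16_t legacy_version)
{
	if (legacy_version == TLS1_2_VERSION)
		return record_version == TLS1_2_VERSION;
	return (record_version >> 8) == (SSL3_VERSION >> 8);
}

/* Check a 5 byte header: type(1) | version(2) | length(2), big-endian. */
int
check_record_header(const uint8_t *hdr, size_t hdr_len,
    uint16_t legacy_version, uint16_t *out_len)
{
	uint16_t version, length;

	if (hdr_len < RECORD_HEADER_LEN)
		return RECORD_SHORT_HEADER;

	version = (uint16_t)((hdr[1] << 8) | hdr[2]);
	length = (uint16_t)((hdr[3] << 8) | hdr[4]);

	if (!record_version_ok(version, legacy_version))
		return RECORD_BAD_VERSION;
	/* Reject before allocating or reading the body: an oversize length
	 * is an overflow, not a reason to buffer more data. */
	if (length > RECORD_MAX_CIPHERTEXT_LEN)
		return RECORD_OVERFLOW;

	if (out_len != NULL)
		*out_len = length;
	return RECORD_OK;
}

/* Hypothetical helper: build a header from its fields and check it. */
int
check_record_fields(uint8_t content_type, uint16_t version, uint16_t length,
    uint16_t legacy_version)
{
	uint8_t hdr[RECORD_HEADER_LEN];

	hdr[0] = content_type;
	hdr[1] = (uint8_t)(version >> 8);
	hdr[2] = (uint8_t)(version & 0xff);
	hdr[3] = (uint8_t)(length >> 8);
	hdr[4] = (uint8_t)(length & 0xff);
	return check_record_header(hdr, sizeof(hdr), legacy_version, NULL);
}

int
main(void)
{
	/* Constructed sample: application_data record, TLSv1.2 legacy
	 * version, length one byte over the limit. */
	printf("oversize record -> %d (expect %d)\n",
	    check_record_fields(23, TLS1_2_VERSION, RECORD_MAX_CIPHERTEXT_LEN + 1,
	    TLS1_2_VERSION), RECORD_OVERFLOW);
	printf("0x0301 before ServerHello -> %d (expect %d)\n",
	    check_record_fields(22, TLS1_VERSION, 100, TLS1_VERSION), RECORD_OK);
	return 0;
}
```

The content type byte is carried but not judged here: for encrypted records the outer type is always application_data, and the real content type is only known after the record is opened.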
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that the sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
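The check-before-increment approach from r1.30 and r1.29, written out as an added example. This is not the LibreSSL code from tls13_record_layer.c; the function names and the integer conversion helpers are my own. The security point is that the 64-bit sequence number is an input to the per-record AEAD nonce (RFC 8446 section 5.3), so a wrapped counter would reuse a nonce under the same traffic key; the record layer must refuse to continue rather than wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TLS 1.3 sequence numbers are 64-bit, stored big-endian in 8 bytes. */
#define SEQ_NUM_LEN 8

/* Returns 1 if every byte is 0xff, i.e. the counter is at its maximum. */
static int
seq_num_at_max(const uint8_t seq_num[SEQ_NUM_LEN])
{
	size_t i;

	for (i = 0; i < SEQ_NUM_LEN; i++) {
		if (seq_num[i] != 0xff)
			return 0;
	}
	return 1;
}

/*
 * Increment the sequence number in place. Returns 1 on success and 0 if the
 * increment would wrap; in that case seq_num is left untouched and the caller
 * must fail the connection (RFC 8446 5.3: the counter must not wrap).
 */
int
seq_num_increment(uint8_t seq_num[SEQ_NUM_LEN])
{
	int i;

	if (seq_num_at_max(seq_num))
		return 0;

	/* Propagate the carry from the least significant byte. Because the
	 * all-0xff case was excluded above, some byte stops the carry and the
	 * loop always exits via the break. */
	for (i = SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq_num[i] != 0)
			break;
	}
	return 1;
}

/* Hypothetical helpers so the behaviour can be checked on plain integers. */
static void
seq_num_from_u64(uint8_t seq_num[SEQ_NUM_LEN], uint64_t v)
{
	int i;

	for (i = SEQ_NUM_LEN - 1; i >= 0; i--) {
		seq_num[i] = (uint8_t)(v & 0xff);
		v >>= 8;
	}
}

static uint64_t
seq_num_to_u64(const uint8_t seq_num[SEQ_NUM_LEN])
{
	uint64_t v = 0;
	size_t i;

	for (i = 0; i < SEQ_NUM_LEN; i++)
		v = (v << 8) | seq_num[i];
	return v;
}

/* 1 if incrementing from `start` is permitted, 0 if it would wrap. */
int
seq_num_next_ok(uint64_t start)
{
	uint8_t seq_num[SEQ_NUM_LEN];

	seq_num_from_u64(seq_num, start);
	return seq_num_increment(seq_num);
}

/* The value after one increment, or `start` unchanged when it would wrap. */
uint64_t
seq_num_next(uint64_t start)
{
	uint8_t seq_num[SEQ_NUM_LEN];

	seq_num_from_u64(seq_num, start);
	(void)seq_num_increment(seq_num);
	return seq_num_to_u64(seq_num);
}

int
main(void)
{
	uint64_t v = UINT64_MAX - 1;

	printf("next(%llu) = %llu, ok=%d\n", (unsigned long long)v,
	    (unsigned long long)seq_num_next(v), seq_num_next_ok(v));
	printf("next(max) ok=%d\n", seq_num_next_ok(UINT64_MAX));
	return 0;
}
```

Doing the wrap test before touching the bytes is what makes the return value honest: there is no "incremented but also overflowed" state that the caller has to interpret.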
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the TLS 1.3 record layer and handshake layer.
ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. Tested against OpenSSL 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for received and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
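Added example, not LibreSSL code, of the receive-side checks that the 1.41, 1.40 and 1.34 entries describe: the record version check, the record overflow bound, and the rejection of a handshake or alert record whose inner plaintext is empty (RFC 8446 section 5.4). The function names, the TLS13_ALERT_* and TLS13_CONTENT_* defines and the choice of protocol_version for a bad record version are this example's own assumptions; the alert numbers and length limits come from RFC 8446.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Alert descriptions (RFC 8446 6.2); the TLS13_ALERT_ names are this example's own. */
#define TLS13_ALERT_UNEXPECTED_MESSAGE	10
#define TLS13_ALERT_RECORD_OVERFLOW	22
#define TLS13_ALERT_PROTOCOL_VERSION	70

#define TLS13_CONTENT_CHANGE_CIPHER_SPEC	20
#define TLS13_CONTENT_ALERT			21
#define TLS13_CONTENT_HANDSHAKE			22
#define TLS13_CONTENT_APPLICATION_DATA		23

#define TLS13_RECORD_HEADER_LEN		5
#define TLS13_RECORD_MAX_PLAINTEXT_LEN	(1 << 14)		/* RFC 8446 5.1 */
#define TLS13_RECORD_MAX_CIPHERTEXT_LEN	((1 << 14) + 256)	/* RFC 8446 5.2 */

/*
 * Validate a five byte record header. legacy_is_tls12 is set once the
 * handshake has fixed the legacy record version to TLS 1.2; before that
 * only the SSL3/TLS major version is required. Returns the record length,
 * or the negated alert with which the connection must be terminated.
 */
int
tls13_record_header_check(const uint8_t hdr[TLS13_RECORD_HEADER_LEN],
    int legacy_is_tls12)
{
	uint8_t type = hdr[0];
	uint16_t version = (uint16_t)(hdr[1] << 8 | hdr[2]);
	size_t len = (size_t)(hdr[3] << 8 | hdr[4]);
	size_t max_len;

	if (type != TLS13_CONTENT_CHANGE_CIPHER_SPEC &&
	    type != TLS13_CONTENT_ALERT && type != TLS13_CONTENT_HANDSHAKE &&
	    type != TLS13_CONTENT_APPLICATION_DATA)
		return -TLS13_ALERT_UNEXPECTED_MESSAGE;

	if ((version >> 8) != 0x03 || (legacy_is_tls12 && version != 0x0303))
		return -TLS13_ALERT_PROTOCOL_VERSION;

	/* Protected records also carry the AEAD tag and padding. */
	max_len = (type == TLS13_CONTENT_APPLICATION_DATA) ?
	    TLS13_RECORD_MAX_CIPHERTEXT_LEN : TLS13_RECORD_MAX_PLAINTEXT_LEN;
	if (len > max_len)
		return -TLS13_ALERT_RECORD_OVERFLOW;

	return (int)len;
}

/*
 * Parse a decrypted TLSInnerPlaintext (content || type || zeros): strip
 * the zero padding, recover the real content type, reject an empty
 * handshake or alert (RFC 8446 5.4) and a protected ChangeCipherSpec
 * (RFC 8446 5). Returns the content length or the negated alert.
 */
int
tls13_inner_plaintext_parse(const uint8_t *buf, size_t len, uint8_t *out_type)
{
	size_t i = len;
	uint8_t type;

	/* Walk back over the padding to the first non-zero octet. */
	while (i > 0 && buf[i - 1] == 0)
		i--;
	if (i == 0)
		return -TLS13_ALERT_UNEXPECTED_MESSAGE;

	type = buf[--i];
	if (type != TLS13_CONTENT_ALERT && type != TLS13_CONTENT_HANDSHAKE &&
	    type != TLS13_CONTENT_APPLICATION_DATA)
		return -TLS13_ALERT_UNEXPECTED_MESSAGE;
	if (i == 0 && type != TLS13_CONTENT_APPLICATION_DATA)
		return -TLS13_ALERT_UNEXPECTED_MESSAGE;

	if (out_type != NULL)
		*out_type = type;
	return (int)i;
}

int
main(void)
{
	/* Constructed inputs: a padded handshake fragment and an alert record
	 * whose inner plaintext carries no content, as a fuzzer would send. */
	const uint8_t padded[] = { 0x01, 0x00, 0x00, 0x02, 0xaa, 0xbb,
	    TLS13_CONTENT_HANDSHAKE, 0x00, 0x00, 0x00 };
	const uint8_t empty_alert[] = { TLS13_CONTENT_ALERT, 0x00 };
	uint8_t type = 0;
	int len;

	len = tls13_inner_plaintext_parse(padded, sizeof(padded), &type);
	printf("padded: type=%d len=%d\n", type, len);	/* type=22 len=6 */
	len = tls13_inner_plaintext_parse(empty_alert, sizeof(empty_alert),
	    &type);
	printf("empty alert: %d (unexpected_message)\n", len);	/* -10 */
	return 0;
}
```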
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3 handshake. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
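Added example, not LibreSSL code, of the sequence number handling described in the 1.30 and 1.29 entries: the eight-byte big-endian counter is checked for all-0xff before it is touched, so an increment that would wrap is refused rather than performed, and the per-record nonce derived from it (RFC 8446 section 5.3) shows why a wrap would mean nonce reuse under the same key. The function names and the constructed IV are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS13_RECORD_SEQ_NUM_LEN 8

/*
 * Check up front whether every byte is 0xff, i.e. the increment would
 * wrap to zero, and only increment once that case is excluded.
 * Returns 1 on success, 0 if the caller must rekey or close instead.
 */
int
tls13_seq_num_increment(uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN])
{
	int i;

	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++) {
		if (seq_num[i] != 0xff)
			break;
	}
	if (i == TLS13_RECORD_SEQ_NUM_LEN)
		return 0;

	/* Ripple the carry up from the least significant byte; it cannot
	 * run past the most significant byte now. */
	for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq_num[i] != 0)
			break;
	}
	return 1;
}

/*
 * Per-record nonce (RFC 8446 5.3): the sequence number is left-padded
 * with zeros to the IV length and XORed with the IV. Returns 1 on
 * success, 0 if the IV is shorter than the sequence number.
 */
int
tls13_record_nonce(const uint8_t *iv, size_t iv_len,
    const uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN], uint8_t *nonce)
{
	size_t i, pad;

	if (iv_len < TLS13_RECORD_SEQ_NUM_LEN)
		return 0;
	pad = iv_len - TLS13_RECORD_SEQ_NUM_LEN;
	memcpy(nonce, iv, iv_len);
	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++)
		nonce[pad + i] ^= seq_num[i];
	return 1;
}

/*
 * Integer wrapper around the byte routine: returns cur + 1 computed on
 * the wire encoding, or cur unchanged when the increment was refused.
 */
uint64_t
tls13_seq_num_next(uint64_t cur)
{
	uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN];
	uint64_t next = 0;
	int i;

	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++)
		seq_num[i] = (uint8_t)(cur >> (8 * (7 - i)));
	if (!tls13_seq_num_increment(seq_num))
		return cur;
	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++)
		next = next << 8 | seq_num[i];
	return next;
}

int
main(void)
{
	/* Constructed 12 byte IV, as used by the AES-GCM and ChaCha20 AEADs. */
	const uint8_t iv[12] = { 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5,
	    0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab };
	uint8_t seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { 0 };
	uint8_t nonce[12];
	size_t i;

	tls13_seq_num_increment(seq_num);	/* now 1 */
	tls13_record_nonce(iv, sizeof(iv), seq_num, nonce);
	for (i = 0; i < sizeof(nonce); i++)
		printf("%02x", nonce[i]);	/* ...aa[ab^01] = ...aaaa */
	printf("\n");

	memset(seq_num, 0xff, sizeof(seq_num));
	printf("increment at max: %d (refused)\n",
	    tls13_seq_num_increment(seq_num));	/* 0 */
	return 0;
}
```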
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. Tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for received and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.41 |
|
11-May-2020 |
jsing |
Propagate record overflows to the record layer and alert.
ok beck@ tb@
|
#
1.40 |
|
11-May-2020 |
jsing |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically.
ok beck@ tb@
|
#
1.39 |
|
11-May-2020 |
jsing |
Provide an alert sent record layer callback.
Use this to push an error on to the SSL error stack so that we report the details of the alert that we sent, rather than failing with an unknown error.
ok tb@
|
#
1.38 |
|
11-May-2020 |
jsing |
Move the record layer callbacks into a struct.
This makes the code more readable, requires less code churn when adding a new callback and is likely to avoid bugs due to function argument ordering.
ok beck@ inoguchi@ tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.37 |
|
10-May-2020 |
jsing |
Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.
Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_* defines, provide our own TLS13_ALERT_* defines and use those. This also provides the alerts that are new to TLSv1.3.
ok beck@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.36 |
|
09-May-2020 |
jsing |
Send dummy ChangeCipherSpec messages from the TLSv1.3 client.
When operating in middlebox compatibility mode, the TLSv1.3 client needs to send a dummy ChangeCipherSpec message immediately before its second flight of handshake messages (when early data is not offered).
ok tb@
|
#
1.35 |
|
09-May-2020 |
jsing |
Correct return value check to handle TLS13_IO_EOF case.
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that the sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
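The approach described in the 1.30 and 1.29 entries, as an added example that is not LibreSSL's code: the 64-bit big-endian record sequence number is tested for the all-ones value before anything is modified, and only incremented when that case is excluded, so the counter is never left in a wrapped state. This matters because in TLSv1.3 the per-record nonce is derived from the sequence number (RFC 8446 section 5.3), so a wrap would reuse a nonce under the same traffic key. The function names and the uint64_t helpers are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS13_RECORD_SEQ_NUM_LEN	8

/*
 * Increment the 64-bit big-endian record sequence number in place.
 * If the counter is already all ones, incrementing would wrap: return 0
 * and leave it untouched so the caller can terminate the connection.
 * Return 1 on success.
 */
int
tls13_seq_num_inc(uint8_t *seq_num)
{
	size_t i;

	/* Up-front check: is every byte 0xff? */
	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++) {
		if (seq_num[i] != 0xff)
			break;
	}
	if (i == TLS13_RECORD_SEQ_NUM_LEN)
		return 0;

	/* Propagate the carry from the least significant byte upwards. */
	for (i = TLS13_RECORD_SEQ_NUM_LEN; i > 0; i--) {
		if (++seq_num[i - 1] != 0)
			break;
	}
	return 1;
}

/* Hypothetical helpers converting between uint64_t and the wire form. */
static void
seq_num_from_u64(uint64_t v, uint8_t *seq_num)
{
	size_t i;

	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++)
		seq_num[i] = (uint8_t)(v >> (8 * (TLS13_RECORD_SEQ_NUM_LEN - 1 - i)));
}

static uint64_t
seq_num_to_u64(const uint8_t *seq_num)
{
	uint64_t v = 0;
	size_t i;

	for (i = 0; i < TLS13_RECORD_SEQ_NUM_LEN; i++)
		v = (v << 8) | seq_num[i];
	return v;
}

/* Whether incrementing from 'start' is permitted. */
int
seq_inc_allowed(uint64_t start)
{
	uint8_t seq[TLS13_RECORD_SEQ_NUM_LEN];

	seq_num_from_u64(start, seq);
	return tls13_seq_num_inc(seq);
}

/* The counter value after an increment attempt (unchanged when refused). */
uint64_t
seq_after_inc(uint64_t start)
{
	uint8_t seq[TLS13_RECORD_SEQ_NUM_LEN];

	seq_num_from_u64(start, seq);
	(void)tls13_seq_num_inc(seq);
	return seq_num_to_u64(seq);
}

int
main(void)
{
	/* Constructed starting values exercising carries and the limit. */
	const uint64_t starts[] = { 0, 0xff, 0xffffffffULL,
	    0xfffffffffffffffeULL, UINT64_MAX };
	size_t i;

	for (i = 0; i < sizeof(starts) / sizeof(starts[0]); i++)
		printf("%016llx -> allowed=%d after=%016llx\n",
		    (unsigned long long)starts[i], seq_inc_allowed(starts[i]),
		    (unsigned long long)seq_after_inc(starts[i]));
	return 0;
}
```

Checking before modifying, rather than detecting the wrap afterwards, is what lets the function have a single success path and a single refusal path, which is the "less magic" return behaviour the entry refers to.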
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer
ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. Tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for received and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts: "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.34 |
|
07-May-2020 |
tb |
On receiving a handshake or alert record with empty inner plaintext, terminate the connection with an unexpected_message alert. See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.33 |
|
03-May-2020 |
jsing |
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.33 |
|
03-May-2020 |
jsing |
Accept two ChangeCipherSpec messages during a TLSv1.3 handshake.
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message immediately after its first handshake message. This is normally after the ServerHello message, but it can be after the HelloRetryRequest message. As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message and the ServerHello message. This is unexpected and as far as I'm aware, no other TLSv1.3 implementation does this. Unfortunately the RFC is rather ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.32 |
|
02-May-2020 |
inoguchi |
Add const to TLS1.3 internal vectors
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.31 |
|
29-Apr-2020 |
inoguchi |
tls13_record_layer internal functions to static in libssl
We might remove static again for further regress around record layer in the future.
ok jsing@ tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
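As an added illustration of the approach tb@'s message describes (example code written for this page, not LibreSSL's tls13_record_layer.c; SEQ_NUM_LEN and the seq_num_* names are assumptions), the big-endian counter is compared against its maximum before any byte is touched, so the increment loop never has to detect an overflow after the fact and the caller gets a single clear failure return:

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * TLS 1.3 record sequence numbers are 64-bit big-endian counters that must
 * never wrap (RFC 8446, section 5.3). The length macro and function names
 * below are assumptions for this example, not LibreSSL identifiers.
 */
#define SEQ_NUM_LEN 8

/* Return 1 if every byte is 0xff, i.e. incrementing would wrap to zero. */
static int
seq_num_at_max(const uint8_t seq[SEQ_NUM_LEN])
{
	size_t i;

	for (i = 0; i < SEQ_NUM_LEN; i++)
		if (seq[i] != 0xff)
			return 0;
	return 1;
}

/*
 * Increment the counter in place. The wrap check happens up front, so the
 * carry loop cannot overflow and seq is left untouched on failure.
 * Returns 1 on success, 0 if the increment would wrap.
 */
int
seq_num_increment(uint8_t seq[SEQ_NUM_LEN])
{
	int i;

	if (seq_num_at_max(seq))
		return 0;

	/* Propagate the carry from the least significant byte upwards. */
	for (i = SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq[i] != 0)
			break;
	}
	return 1;
}

/* Helpers converting between the wire encoding and a host integer. */
static void
seq_num_from_u64(uint8_t seq[SEQ_NUM_LEN], uint64_t v)
{
	int i;

	for (i = SEQ_NUM_LEN - 1; i >= 0; i--) {
		seq[i] = (uint8_t)(v & 0xff);
		v >>= 8;
	}
}

static uint64_t
seq_num_to_u64(const uint8_t seq[SEQ_NUM_LEN])
{
	uint64_t v = 0;
	size_t i;

	for (i = 0; i < SEQ_NUM_LEN; i++)
		v = (v << 8) | seq[i];
	return v;
}

/* 1 if a record numbered start may be followed by another record. */
int
seq_num_can_increment_u64(uint64_t start)
{
	uint8_t seq[SEQ_NUM_LEN];

	seq_num_from_u64(seq, start);
	return seq_num_increment(seq);
}

/* The counter after one increment, or start itself if that would wrap. */
uint64_t
seq_num_next_u64(uint64_t start)
{
	uint8_t seq[SEQ_NUM_LEN];

	seq_num_from_u64(seq, start);
	(void)seq_num_increment(seq);
	return seq_num_to_u64(seq);
}

int
main(void)
{
	uint64_t starts[] = { 0, 0xff, 0xffffffffULL, UINT64_MAX - 1, UINT64_MAX };
	size_t i;

	for (i = 0; i < sizeof(starts) / sizeof(starts[0]); i++)
		printf("0x%016" PRIx64 " -> %s 0x%016" PRIx64 "\n", starts[i],
		    seq_num_can_increment_u64(starts[i]) ? "ok  " : "WRAP",
		    seq_num_next_u64(starts[i]));
	return 0;
}
```

A 0 return is the point at which the layer above must either rekey (KeyUpdate) or terminate the connection, as RFC 8446 requires; it is never a reason to keep protecting records under the same key and nonce.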
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the TLS 1.3 record layer and handshake layer.
ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. Tested against OpenSSL 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for received and completed post handshake messages from the record layer.
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
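The messages for 1.5, 1.8, 1.9 and 1.23 above together describe how the record layer classifies an incoming alert: close_notify closes only the read channel and becomes EOF, user_canceled closes nothing and becomes WANT_POLLIN, the alert level is ignored, and anything else is fatal in both directions and reported explicitly. The following is added example code for this page, not LibreSSL's implementation; the IO_* values, struct record_layer fields and function names are assumptions, while the alert descriptions are the RFC 8446 section 6 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return codes, assumed for this example rather than LibreSSL's own. */
#define IO_ALERT	-4	/* a fatal alert was received */
#define IO_WANT_POLLIN	-3	/* nothing delivered, retry later */
#define IO_EOF		-2	/* peer closed its write side */

/* Alert descriptions from RFC 8446, section 6. */
#define ALERT_CLOSE_NOTIFY	0
#define ALERT_HANDSHAKE_FAILURE	40
#define ALERT_DECODE_ERROR	50
#define ALERT_USER_CANCELED	90

struct record_layer {
	int read_closed;	/* peer sent close_notify: no more reads */
	int write_closed;	/* we must not send further application data */
	int fatal_alert;	/* description of the fatal alert, or -1 */
};

/*
 * Handle the plaintext of an alert record. An alert is exactly two bytes,
 * level then description. In TLS 1.3 the level carries no information, so
 * only the description decides between the two closure alerts and everything
 * else, which is an error alert and fatal whatever level the peer put on it.
 */
int
record_layer_recv_alert(struct record_layer *rl, const uint8_t *buf, size_t len)
{
	uint8_t desc;

	/* A malformed alert is itself a fatal protocol error. */
	if (len != 2) {
		rl->fatal_alert = ALERT_DECODE_ERROR;
		rl->read_closed = rl->write_closed = 1;
		return IO_ALERT;
	}
	desc = buf[1];

	switch (desc) {
	case ALERT_CLOSE_NOTIFY:
		/* Peer closed its write side: only our read channel is done. */
		rl->read_closed = 1;
		return IO_EOF;
	case ALERT_USER_CANCELED:
		/* No channel closes and no data was produced: retry, not success. */
		return IO_WANT_POLLIN;
	default:
		/* Error alert: the connection is finished in both directions. */
		rl->fatal_alert = desc;
		rl->read_closed = rl->write_closed = 1;
		return IO_ALERT;
	}
}

/* Feed one constructed two-byte alert through a fresh record layer state. */
static int
run_alert(struct record_layer *rl, uint8_t level, uint8_t desc)
{
	uint8_t buf[2] = { level, desc };

	rl->read_closed = rl->write_closed = 0;
	rl->fatal_alert = -1;
	return record_layer_recv_alert(rl, buf, sizeof(buf));
}

int
alert_result(uint8_t level, uint8_t desc)
{
	struct record_layer rl;

	return run_alert(&rl, level, desc);
}

int
alert_closes_read(uint8_t level, uint8_t desc)
{
	struct record_layer rl;

	(void)run_alert(&rl, level, desc);
	return rl.read_closed;
}

int
alert_closes_write(uint8_t level, uint8_t desc)
{
	struct record_layer rl;

	(void)run_alert(&rl, level, desc);
	return rl.write_closed;
}

/* A truncated alert record: one byte instead of two. */
int
truncated_alert_result(void)
{
	struct record_layer rl = { 0, 0, -1 };
	uint8_t buf[1] = { 1 };

	return record_layer_recv_alert(&rl, buf, sizeof(buf));
}

int
main(void)
{
	printf("close_notify %d, user_canceled %d, handshake_failure %d, truncated %d\n",
	    alert_result(1, ALERT_CLOSE_NOTIFY), alert_result(1, ALERT_USER_CANCELED),
	    alert_result(2, ALERT_HANDSHAKE_FAILURE), truncated_alert_result());
	return 0;
}
```

Treating every non-closure description as fatal regardless of the level byte is what stops a peer from keeping a broken connection half-open by tagging an error alert as a "warning".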
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.30 |
|
16-Mar-2020 |
tb |
The RFC is clear (section 5.3) that sequence number should never wrap. We currently throw an error on overflow, but still wrap. Check up front if we would need to wrap and only increment if that case is excluded. This simplifies the increment loop and makes the returns in this function less magic.
ok jsing
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.29 |
|
13-Mar-2020 |
jsing |
Correct TLSv1.3 sequence number increment and wrapping check.
Fix proposed by tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.28 |
|
18-Feb-2020 |
tb |
drop unused include <openssl/curve25519.h>
ok inoguchi jsing
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.27 |
|
26-Jan-2020 |
beck |
Fix basement bug where record layer would not correctly deal with traffic retries when not yet encrypting.
ok jsing@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer ok jsing@, inoguchi@, tb@
|
#
1.16 |
|
26-Nov-2019 |
beck |
Add support for TLS 1.3 post handshake messages and key updating. tested against openssl 1.1's server.
ok jsing@ tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for recieved and completed post handshake messages from the record layer
ok jsing@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.9 |
|
17-Mar-2019 |
jsing |
Remove the alert level from the TLSv1.3 alert callback.
In TLSv1.3 the alert level is effectively meaningless and the record layer has already checked that it is appropriate. As such, drop it from the alert callback.
ok tb@
|
#
1.8 |
|
26-Feb-2019 |
jsing |
Correct return values for non-fatal alerts.
In the close notify case we need to signal EOF and in the user cancelled case we need to return WANT_POLLIN. Returning success results in tls13_record_layer_read_record() thinking that we have record data when we do not, which then results in the content type check later failing.
ok tb@
|
#
1.7 |
|
25-Feb-2019 |
jsing |
Correctly handle oversize writes.
If the record layer is asked to write more than fits in a plaintext record, cap the amount at that limit. This means that we will effectively write out a single record and return a short-write.
This behaviour matches SSL_write() with SSL_MODE_ENABLE_PARTIAL_WRITE enabled and the non-SSL_MODE_ENABLE_PARTIAL_WRITE case will be handled at a higher layer.
ok inoguchi@ tb@
|
#
1.6 |
|
23-Feb-2019 |
jsing |
Remove temporary gotos.
In the case of a dummy CCS or post-handshake handshake message, return TLS13_WANT_POLLIN rather than using a goto internally. This allows the caller to retry at an appropriate time and reduces the complexity within the record layer.
ok beck@ tb@
|
#
1.5 |
|
21-Feb-2019 |
jsing |
Wire up alert handling for TLSv1.3.
In TLSv1.3 there are two types of alerts: "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
|
#
1.4 |
|
21-Feb-2019 |
jsing |
Change the alert callback return type from int to void.
There is nothing for the handler to really signal, since it cannot change the fact that we received an alert. While here use TLS13_IO_FAILURE instead of hardcoding -1.
ok tb@
|
#
1.3 |
|
21-Feb-2019 |
jsing |
Fix a few cases where int was used instead of ssize_t.
|
#
1.2 |
|
14-Feb-2019 |
jsing |
Split tls13_record_layer_set_traffic_keys() into two separate functions.
This allows the read traffic key to be set independently of the write traffic key. This will become necessary for KeyUpdate handling, however also allows for switching to application traffic keys at more appropriate stages of the handshake.
ok tb@
|
#
1.1 |
|
20-Jan-2019 |
jsing |
Provide an initial implementation of the TLS 1.3 record layer.
This is entirely self-contained and knows nothing about SSL or BIO. The bottom of the stack is provided by wire read and write callbacks, with the API to the record layer primarily being via tls13_{read,write}_{application,handshake}_data().
This currently lacks some functionality, however will be worked on in tree.
ok tb@
|
#
1.26 |
|
25-Jan-2020 |
jsing |
It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello.
Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3.
Noticed by ajacoutot@ while connecting to www.openprinting.org.
ok tb@
|
#
1.25 |
|
24-Jan-2020 |
beck |
Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations.
ok jsing@ tb@
|
#
1.24 |
|
23-Jan-2020 |
jsing |
Implement pending for TLSv1.3.
Makes `openssl s_client -peekaboo` work with TLSv1.3.
ok beck@ tb@
|
#
1.23 |
|
23-Jan-2020 |
jsing |
Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert.
Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure).
ok beck@ tb@
|
#
1.22 |
|
22-Jan-2020 |
jsing |
Implement support for SSL_peek() in the TLSv1.3 record layer.
ok beck@ tb@
|
#
1.21 |
|
22-Jan-2020 |
tb |
After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it.
ok jsing
|
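The read-side record handling that revisions 1.21, 1.8, 1.6 and 1.5 describe, as an added example in C that is not LibreSSL's code: a CCS is dropped (and the caller retries) only between the ClientHello and the peer's Finished, close_notify yields EOF, user_canceled yields WANT_POLLIN, and an error alert closes both channels. The struct, the rl_* functions and the numeric TLS13_IO_* values are assumptions made for this example.

```c
/*
 * Added example, not LibreSSL code: a model of the read-side record dispatch
 * that revisions 1.5, 1.6, 1.8 and 1.21 of this log describe. The rl_* names
 * and the numeric TLS13_IO_* values are assumptions made for the example.
 */
#include <stdint.h>
#include <string.h>

/* Return codes named in the log; the numeric values are assumed here. */
#define TLS13_IO_SUCCESS	 1
#define TLS13_IO_EOF		 0
#define TLS13_IO_FAILURE	-1
#define TLS13_IO_ALERT		-2
#define TLS13_IO_WANT_POLLIN	-3

/* RFC 8446 content types and alert descriptions. */
#define TLS13_CT_CHANGE_CIPHER_SPEC	20
#define TLS13_CT_ALERT			21
#define TLS13_CT_HANDSHAKE		22
#define TLS13_CT_APPLICATION_DATA	23
#define TLS13_ALERT_CLOSE_NOTIFY	0
#define TLS13_ALERT_USER_CANCELED	90

struct tls13_rl_model {
	int	ccs_allowed;	/* between ClientHello and peer's Finished (rev 1.21) */
	int	read_closed;	/* shut by a closure or error alert (rev 1.5) */
	int	write_closed;	/* shut by an error alert (rev 1.5) */
	int	fatal_alert;	/* error alert seen, caller reports failure (rev 1.23) */
};

/* An alert is two bytes (level, description); the level is ignored (rev 1.9):
 * close_notify and user_canceled are closure alerts, all else is an error. */
static int
rl_handle_alert(struct tls13_rl_model *rl, const uint8_t *p, size_t len)
{
	if (len != 2)
		return TLS13_IO_FAILURE;
	if (p[1] == TLS13_ALERT_CLOSE_NOTIFY) {
		rl->read_closed = 1;		/* peer sends nothing more */
		return TLS13_IO_EOF;		/* rev 1.8: EOF, not success */
	}
	if (p[1] == TLS13_ALERT_USER_CANCELED)
		return TLS13_IO_WANT_POLLIN;	/* rev 1.8: nothing to deliver */
	rl->read_closed = rl->write_closed = 1;	/* error alert: both channels */
	rl->fatal_alert = 1;
	return TLS13_IO_ALERT;			/* rev 1.23: explicit signal */
}

/* Dispatch one opened record by content type; returns a TLS13_IO_* code. */
static int
rl_dispatch_record(struct tls13_rl_model *rl, uint8_t content_type,
    const uint8_t *payload, size_t len)
{
	if (rl->read_closed)
		return rl->fatal_alert ? TLS13_IO_ALERT : TLS13_IO_EOF;
	switch (content_type) {
	case TLS13_CT_ALERT:
		return rl_handle_alert(rl, payload, len);
	case TLS13_CT_CHANGE_CIPHER_SPEC:
		/* RFC 8446 section 5: exactly one 0x01 byte, tolerated only in
		 * the ClientHello..Finished window; dropped, caller retries (1.6). */
		if (!rl->ccs_allowed || len != 1 || payload[0] != 0x01)
			return TLS13_IO_FAILURE;
		return TLS13_IO_WANT_POLLIN;
	case TLS13_CT_HANDSHAKE:
	case TLS13_CT_APPLICATION_DATA:
		return TLS13_IO_SUCCESS;	/* content handed up unchanged */
	default:
		return TLS13_IO_FAILURE;
	}
}

/* Constructed record sequence; returns 1 if each step behaves as the log says. */
static int
rl_model_selftest(void)
{
	struct tls13_rl_model rl;
	const uint8_t ccs[] = { 0x01 };
	const uint8_t cancel[] = { 1, TLS13_ALERT_USER_CANCELED };
	const uint8_t close_notify[] = { 1, TLS13_ALERT_CLOSE_NOTIFY };
	const uint8_t handshake_failure[] = { 2, 40 };	/* an error alert */
	const uint8_t app[] = { 'h', 'i' };
	memset(&rl, 0, sizeof(rl));
	rl.ccs_allowed = 1;	/* ClientHello is on the wire */
	if (rl_dispatch_record(&rl, TLS13_CT_CHANGE_CIPHER_SPEC, ccs, 1) != TLS13_IO_WANT_POLLIN)
		return 0;
	rl.ccs_allowed = 0;	/* peer's Finished has been received */
	if (rl_dispatch_record(&rl, TLS13_CT_CHANGE_CIPHER_SPEC, ccs, 1) != TLS13_IO_FAILURE ||
	    rl_dispatch_record(&rl, TLS13_CT_ALERT, cancel, 2) != TLS13_IO_WANT_POLLIN ||
	    rl_dispatch_record(&rl, TLS13_CT_APPLICATION_DATA, app, 2) != TLS13_IO_SUCCESS ||
	    rl_dispatch_record(&rl, TLS13_CT_ALERT, close_notify, 2) != TLS13_IO_EOF ||
	    rl_dispatch_record(&rl, TLS13_CT_APPLICATION_DATA, app, 2) != TLS13_IO_EOF)
		return 0;
	memset(&rl, 0, sizeof(rl));	/* fresh connection hit by an error alert */
	if (rl_dispatch_record(&rl, TLS13_CT_ALERT, handshake_failure, 2) != TLS13_IO_ALERT)
		return 0;
	return rl.read_closed && rl.write_closed && rl.fatal_alert;
}
```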
#
1.20 |
|
22-Jan-2020 |
tb |
The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire.
ok beck jsing
|
#
1.19 |
|
22-Jan-2020 |
jsing |
Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.
ok beck@ inoguchi@ tb@
|
#
1.18 |
|
21-Jan-2020 |
jsing |
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data.
ok beck@ tb@
|
#
1.17 |
|
20-Jan-2020 |
beck |
Add alerts to the tls 1.3 record layer and handshake layer.
ok jsing@, inoguchi@, tb@
|
#
1.15 |
|
18-Nov-2019 |
jsing |
Provide a clean interface for sending TLSv1.3 alerts.
ok beck@
|
#
1.14 |
|
17-Nov-2019 |
jsing |
Change tls13_record_layer_phh() to take a CBS as this avoids ownership issues and makes call sites cleaner.
ok beck@
|
#
1.13 |
|
17-Nov-2019 |
tb |
Add a reference for the non-standard post-handshake handshake (PHH).
ok beck, jsing
|
#
1.12 |
|
17-Nov-2019 |
jsing |
Ensure that we are never operating in plaintext mode once the handshake is complete, which should never occur.
ok beck@
|
#
1.11 |
|
17-Nov-2019 |
jsing |
Provide framework for sending alerts and post-handshake handshake messages.
Discussed at length with beck@
ok beck@ tb@
|
#
1.10 |
|
17-Nov-2019 |
beck |
Separate the callbacks for received and completed post handshake messages from the record layer
ok jsing@
|