History log of /openbsd-src/lib/libssl/Makefile (Results 1 – 25 of 85)
Revision Date Author Comments
# 121bba80 11-Aug-2024 jsing <jsing@openbsd.org>

Add include path for crypto_arch.h.


# 21053144 13-Jul-2024 tb <tb@openbsd.org>

ssl2.h and ssl23.h join the party in the attic

Now that the SSL2 client hello support is gone, nothing uses this anymore,
except that a few ports still need SSL2_VERSION.

ok beck


# 35058f2b 09-Jul-2024 beck <beck@openbsd.org>

Actually enable namespaced builds in both libcrypto and libssl

(instead of committing only one part)


# b9e57b4b 25-Jun-2024 jsing <jsing@openbsd.org>

Implement RSA key exchange in constant time.

RSA key exchange is known to have multiple security weaknesses,
including being potentially susceptible to padding oracle and timing
attacks.

The RSA key exchange code that we inherited from OpenSSL was riddled
with timing leaks, many of which we fixed (or minimised) early on.
However, a number of issues still remained, particularly those
related to libcrypto's RSA decryption and padding checks.

Rework the RSA key exchange code such that we decrypt with
RSA_NO_PADDING and then check the padding ourselves in constant
time. In this case, the pre-master secret is of a known length,
hence the padding is also a known length based on the size of the
RSA key. This makes it easy to implement a check that is much safer
than having RSA_private_decrypt() depad for us.

Regardless, we still strongly recommend disabling RSA key exchange
and using other key exchange methods that provide perfect forward
secrecy and do not depend on client generated keys.

Thanks to Marcel Maehren, Nurullah Erinola, Robert Merget, Juraj
Somorovsky, Joerg Schwenk and Hubert Kario for raising these issues
with us at various points in time.

ok tb@


# dfbca035 22-Nov-2023 tb <tb@openbsd.org>

Unhook and remove the now even more useless ssl_algs.c than it was before.

ok jsing


# 2c104577 06-Jul-2023 beck <beck@openbsd.org>

unifdef the LIBRESSL_HAS_TLS1_3_[CLIENT|SERVER] goo

And remove the tendrils. This was useful for transition but we are now
well past this.


# 90edf538 05-May-2023 tb <tb@openbsd.org>

Use -Wshadow with clang

ok jsing (a very long time ago)


# ec6848bc 11-Nov-2022 beck <beck@openbsd.org>

Add support for symbol hiding disabled by default.

Fully explained in libcrypto/README. TL;DR make sure libcrypto
and libssl's function calls internally and to each other are via
symbol names that won't get overridden by linking other libraries.

Mostly work by guenther@, which will currently be gated behind a
build setting NAMESPACE=yes. Once we convert all the symbols to
this method we will do a major bump and pick up the changes.

ok tb@ jsing@


# ad618767 17-Aug-2022 jsing <jsing@openbsd.org>

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# f7e8f89f 24-Jul-2022 jsing <jsing@openbsd.org>

Provide record layer callbacks for QUIC.

QUIC uses TLS to complete the handshake, however unlike normal TLS it does
not use the TLS record layer, rather it provides its own transport. This
means that we need to intercept all communication between the TLS handshake
and the record layer. This allows TLS handshake message writes to be
directed to QUIC, likewise for TLS handshake message reads. Alerts also
need to be sent via QUIC, plus it needs to be provided with the traffic
keys that are derived by TLS.

ok tb@


# 6638350c 28-Jun-2022 tb <tb@openbsd.org>

Implement the default security level callback

And here is where the fun starts. The tentacles will grow everywhere.

ok beck jsing sthen


# a366758f 14-Jan-2022 tb <tb@openbsd.org>

bio_ssl.c needs to peek into bio_local.h


# b8e3503d 05-Jan-2022 jsing <jsing@openbsd.org>

Rename tls13_key_share to tls_key_share.

In preparation to use the key share code in both the TLSv1.3 and legacy
stacks, rename tls13_key_share to tls_key_share, moving it into the shared
handshake struct. Further changes will then allow the legacy stack to make
use of the same code for ephemeral key exchange.

ok inoguchi@ tb@


# f6184395 23-Oct-2021 jsing <jsing@openbsd.org>

Rename tls13_buffer to tls_buffer.

This code will soon be used in the DTLSv1.2 and TLSv1.2 stack. Also
introduce tls_internal.h and move/rename the read/write/flush callbacks.

ok beck@ tb@


# 8ccc3944 04-Sep-2021 jsing <jsing@openbsd.org>

Factor out the TLSv1.3 code that handles content from TLS records.

Currently, the plaintext content from opened TLS records is handled via
the rbuf code in the TLSv1.3 record layer. Factor this out and provide a
separate struct tls_content, which knows how to track and manipulate the
content.

This makes the TLSv1.3 code cleaner, however it will also soon be used
to untangle parts of the legacy record layer.

ok beck@ tb@


# d7351ddf 05-May-2021 jsing <jsing@openbsd.org>

Rewrite TLSv1.2 key block handling.

For TLSv1.2 a single key block is generated, then partitioned into
individual secrets for use as IVs and keys. The previous implementation
splits this across two functions tls1_setup_key_block() and
tls1_change_cipher_state(), which means that the IV and key sizes have to
be known in multiple places.

This implementation generates and partitions the key block in a single
step, meaning that the secrets are then simply handed out when requested.

ok inoguchi@ tb@


# 643d65b6 25-Apr-2021 jsing <jsing@openbsd.org>

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows us to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# f6d60a7a 03-Oct-2020 jsing <jsing@openbsd.org>

Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c

The d1_{clnt,srvr}.c contain a single function each - merge these into the
ssl_{clnt,srvr}.c, renaming them with an ssl3_ prefix for consistency.

ok beck@ tb@


# acef91a0 30-Aug-2020 jsing <jsing@openbsd.org>

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 4d97159a 09-Jun-2020 deraadt <deraadt@openbsd.org>

The check_includes step is an incorrect dependency management model for
how our tree gets built. If this was done in all the libraries (imagine
sys/dev), it would disrupt the development process hugely. So it should
not be done here either. Use 'make includes' by hand instead.


# be03a99e 10-May-2020 jsing <jsing@openbsd.org>

Provide an easy way to get debug information from TLSv1.3 handshakes.

This makes it easier to debug TLSv1.3 handshake failures.

"Yes please!" tb@, ok beck@


# da187288 13-Mar-2020 jsing <jsing@openbsd.org>

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 8cf56ebe 15-Feb-2020 jsing <jsing@openbsd.org>

Move the TLSv1.3 code that interfaces with the legacy APIs/stack into a
separate file.

Discussed with beck@ and tb@


# 4673309b 30-Jan-2020 jsing <jsing@openbsd.org>

Provide struct/functions for handling TLSv1.3 key shares.

Pull out the key share handling code and provide a clean/self contained
interface. This will make it easier to support groups other than X25519.

ok beck@ inoguchi@ tb@


# 69428dca 30-Jan-2020 jsing <jsing@openbsd.org>

Factor out/rewrite the ECDHE EC point key exchange code.

This reduces replication between the existing TLS client/server and allows
the code to soon be reused for TLSv1.3.

With feedback from inoguchi@ and tb@

ok inoguchi@ tb@
