History log of /openbsd-src/lib/libssl/tls13_lib.c (Results 1 – 25 of 77)
Revision Date Author Comments
# 9c83d710 27-Jan-2024 jsing <jsing@openbsd.org>

Add message callbacks for alerts in the TLSv1.3 stack.

This will make it easier to regress test shutdown behaviour in the TLSv1.3
stack. Additionally, `openssl -msg` now shows alerts for TLSv1.3
connections.

ok tb@


# c9675a23 26-Nov-2022 tb <tb@openbsd.org>

Make internal header file names consistent

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 8bde4343 07-Nov-2022 jsing <jsing@openbsd.org>

Move tls13_exporter() code.

It makes more sense to have tls13_exporter() in tls13_key_schedule.c,
rather than tls13_lib.c.

ok tb@


# ede6d6de 20-Oct-2022 tb <tb@openbsd.org>

Initial parsing of the NewSessionTicket message

Initial parsing of the NewSessionTicket message

TLSv1.3 introduces a New Session Ticket post-handshake handshake message
that allows a unique association between a ticket value and a pre-shared
key derived from the resumption master secret. Servers may send this
message arbitrarily often at any time after receiving the client's
Finished message.

Implement tls13_new_session_ticket_recv() which parses the contents of
the NewSessionTicket message into a fresh session derived from the
current session so as to avoid modifying sessions that are already in
the session cache.

This uses tls13_new_session_ticket_recv() in tls13_phh_received_cb().
We currently rely on the general rate limiting of 100 PHH messages per
connection and hour to avoid problems from connecting to a misbehaving
or malicious server.

ok jsing


# cd23280f 20-Oct-2022 tb <tb@openbsd.org>

Provide TLS13_MAX_TICKET_LIFETIME #define

Provide TLS13_MAX_TICKET_LIFETIME #define

TLSv1.3 servers must not indicate a lifetime longer than 7 days and
clients must not cache sessions for longer than 7 days. Encode this
in a macro internal to tls13_lib.c for now.

ok jsing


# 6f7f653b 02-Oct-2022 jsing <jsing@openbsd.org>

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


# d16eb93a 10-Sep-2022 jsing <jsing@openbsd.org>

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# f7e8f89f 24-Jul-2022 jsing <jsing@openbsd.org>

Provide record layer callbacks for QUIC.

Provide record layer callbacks for QUIC.

QUIC uses TLS to complete the handshake, however unlike normal TLS it does
not use the TLS record layer, rather it provides its own transport. This
means that we need to intercept all communication between the TLS handshake
and the record layer. This allows TLS handshake message writes to be
directed to QUIC, likewise for TLS handshake message reads. Alerts also
need to be sent via QUIC, plus it needs to be provided with the traffic
keys that are derived by TLS.

ok tb@


# 4430b9a0 24-Jul-2022 jsing <jsing@openbsd.org>

Move tls13_phh_done_cb() after tls13_phh_received_cb().

This is the order that they're called/run in.


# 6ea83a9d 24-Jul-2022 jsing <jsing@openbsd.org>

Provide QUIC encryption levels.

Provide QUIC encryption levels.

QUIC wants to know what "encryption level" handshake messages should be
sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that
defines these (of course quictls decided to make this an
OSSL_ENCRYPTION_LEVEL typedef, so provide that as well).

Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so
that they can be used in upcoming commits.

ok tb@


# fc718d1d 20-Jul-2022 jsing <jsing@openbsd.org>

Remove tls_buffer_set_data() and remove/revise callers.

Remove tls_buffer_set_data() and remove/revise callers.

There is no way that tls_buffer_set_data() can currently work in
conjunction with tls_buffer_expand(). This fact is currently hidden by the
way that PHH works, which reads the same data from the record layer (which
it needs to do anyway, since we may not have all of the handshake message
in a single record).

Since this is broken, mop it up and change the PHH callback to not provide
the record data.

ok beck@ tb@


# 622f173f 20-Jul-2022 jsing <jsing@openbsd.org>

Correct server-side handling of TLSv1.3 key updates.

Correct server-side handling of TLSv1.3 key updates.

The existing code updates the correct secret, however then sets it for the
wrong direction. Fix this, while untangling the code and consistently using
'read' and 'write' rather than 'local' and 'peer'.

ok beck@ tb@


# 0928b00a 17-Jul-2022 jsing <jsing@openbsd.org>

Disable TLSv1.3 middlebox compatibility mode for QUIC connections.

This is required by RFC 9001.

ok tb@


# 6a3d21ee 17-Jul-2022 jsing <jsing@openbsd.org>

Pass SSL pointer to tls13_ctx_new().

Pass SSL pointer to tls13_ctx_new().

struct tls13_ctx already knows about SSL's and this way tls13_ctx_new() can
set up various pointers, rather than duplicating this in
tls13_legacy_accept() and tls13_legacy_connect().

ok tb@


# 02876cc3 05-Feb-2022 jsing <jsing@openbsd.org>

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1e0f72fe 16-Sep-2021 jsing <jsing@openbsd.org>

Implement flushing for TLSv1.3 handshakes.

Implement flushing for TLSv1.3 handshakes.

When we finish sending a flight of records, flush the record layer output.
This effectively means calling BIO_flush() on the wbio.

Some things (such as apache2) have custom BIOs that perform buffering and
do not actually send on BIO_write(). Without BIO_flush() the server thinks
it has sent data and starts receiving records, however the client never
sends records since it never received those that the server should have
sent.

Joint work with tb@

ok tb@


# 92bfa7b0 02-Sep-2021 beck <beck@openbsd.org>

Call the ocsp callback if present and we get no response, instead of
succeeding unconditionally. Makes muststaple work with tls1.3 in nc

ok tb@


# 545b2b63 30-Aug-2021 jsing <jsing@openbsd.org>

Clean up and simplify info and msg callbacks.

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# caffe9b5 07-Apr-2021 tb <tb@openbsd.org>

Avoid clobbering the error code when sending an alert

Avoid clobbering the error code when sending an alert

In order to fail gracefully on encountering a self-signed cert, curl looks
at the top-most error on the stack and needs specific SSL_R_ error codes.
This mechanism was broken when the tls13_alert_sent_cb() was added after
people complained about unhelpful unknown errors. Fix this by only setting
the error code from a fatal alert if no error has been set previously.

Issue reported by Christopher Reid

ok jsing


# d4edc922 21-Mar-2021 jsing <jsing@openbsd.org>

Move the TLSv1.3 handshake struct inside the shared handshake struct.

Move the TLSv1.3 handshake struct inside the shared handshake struct.

There are currently three different handshake structs that are in use -
the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct
(as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous
'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp).

This is the first step towards cleaning up the handshake structs so that
shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2
and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside
SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct
instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code
to access the shared handshake data without needing the SSL struct.

ok inoguchi@ tb@


# c2daf09f 21-Mar-2021 jsing <jsing@openbsd.org>

Avoid a use-after-scope in tls13_cert_add().

Avoid a use-after-scope in tls13_cert_add().

A parent CBB retains a reference to a child CBB until CBB_flush() or
CBB_cleanup() is called. As such, the cert_exts CBB must be at function
scope.

Reported by Ilya Shipitsin.

ok tb@


# 2cd38e86 05-Jan-2021 tb <tb@openbsd.org>

Convert tls13_exporter() to tls13_secret_{init,cleanup}()

ok jsing


# 607bf314 16-Nov-2020 jsing <jsing@openbsd.org>

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 6b228a2c 11-Sep-2020 jsing <jsing@openbsd.org>

Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them with
TLS13_ALERT_* defines.

ok beck@ tb@


# 08d6ed5e 30-Jul-2020 tb <tb@openbsd.org>

Add minimal info callback support for TLSv1.3

Add minimal info callback support for TLSv1.3

As abieber@ found the hard way, some python frameworks (twisted, synapse)
thought it a great idea to use the info callback mechanism (designed to
get state information about SSL objects) to modify state information such
as setting and verifying the SNI. The switch of TLS_method() to default
to TLSv1.3 broke these contraptions. Further bits of the info callback
mechanism will likely metastasize throughout the TLSv1.3 stack if we
need them, so we only do what's really necessary now.

Lots of debugging, crucial hint and testing by abieber

input & ok jsing

