- Oct 30, 2015
-
-
Matt Caswell authored
The SSL variable |in_handshake| seems misplaced. It would be better to have it in the STATEM structure. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
tls_process_client_hello() failed to initialise the |al| variable in some (error) scenarios. This could cause issues with creating the alert. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Adding the new state machine broke the DTLSv1_listen code because calling SSL_in_before() was erroneously returning true after DTLSv1_listen had successfully completed. This change ensures that SSL_in_before returns false. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Remove repeated blocks of checking SSL and then SSL_CTX for the info_callback. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Remove all the defines for the old state machines states. Mapping old to new is probably going to cause more problems than it solves so it is probably better to just remove them. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Add an OSSL_ prefix onto STATEM Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
SSL_state has been replaced by SSL_get_state and SSL_set_state is no longer supported. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
The |no_cert_verify| should be in the state machine structure not in SSL Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Change various state machine functions to use the prefix ossl_statem instead. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
The macros SSL_in_connect_init() and SSL_in_accept_init() inadvertently depended on SSL structure internals. This fixes it to use public API calls instead. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Rename the enum HANDSHAKE_STATE to OSSL_HANDSHAKE_STATE to ensure there are no namespace clashes, and convert it into a typedef. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Fixed some issues in the logic for determining whether an SKE should be expected or not. In particular only allow an SKE for RSA if its export and the key size is not allowed. Also fix the ephemeral ciphersuite checks and add in a missing call to ssl3_check_cert_and_algorithm(). Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Update the return type for SSL_state in the documentation. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Update the CHANGES file for the state machine rewrite Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
s_server was (ab)using SSL_set_state to force a renegotiation. This is a bad way to do things and does not work with the new state machine code, so we need to do it a different way. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Fix an out of date reference to old state machine code in a comment Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
The next_state variable is no longer needed in the new state machine. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Add some documentation on the thinking behind the state machine. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Move some function definitions around within the state machine to make sure they are in the correct files. Also create a statem_locl.h header for stuff entirely local to the state machine code and move various definitions into it. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Pull out the state machine into a separate sub directory. Also moved some functions which were nothing to do with the state machine but were in state machine files. Pulled all the SSL_METHOD definitions into one place...most of those files had very little left in them any more. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
ssl_get_message is no longer used so it should be removed from ssl_method_st Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Previously each message specific process function would create its own PACKET structure. Rather than duplicate all of this code lots of times we should create it in the state machine itself. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
The SSL structure contained a "state" variable that kept track of the state machine in the old code. The new state machine does not use this so it can be removed. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
The SSL structure contained a "type" variable that was set to either SSL_ST_ACCEPT or SSL_ST_CONNECT depending on whether we are the server or the client. This duplicates the capability of the "server" variable and was actually rarely used. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
The DTLSv1_listen code set the state value explicitly to move into init. Change to use state_set_in_init() instead. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
ssl.h and ssl3.h have a number of defines for the various states in the old state machine code. Since this is public API it is not desirable to just remove them. Instead redefine them to the closest equivalent state in the new state machine code. If an application calls SSL_state then the return value can still be compared against these old values if necessary. However not all values have an equivalent state in the new code, so these are just redefined to a dummy value. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Clean up and remove lots of code that is now no longer needed due to the move to the new state machine. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Implement all of the necessary changes to make DTLS on the server work with the new state machine code. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Implement all of the necessary changes for moving TLS server side processing into the new state machine code. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Split the TLS server ssl3_get_* and ssl3_send_* functions into two ready for the migration to the new state machine code. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Remove all the functions and dead code that is now no longer required as a result of the DTLS client move into the new state machine code. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Move all DTLS client side processing into the new state machine code. A subsequent commit will clean up the old dead code. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Create a dtls_get_message function similar to the old dtls1_get_message but in the format required for the new state machine code. The old function will eventually be deleted in later commits. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Remove redundant code following moving client side TLS handling to the new state machine implementation. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
This swaps the implementation of the client TLS state machine to use the new state machine code instead. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
The new state machine code will split up the reading and writing of hanshake messages into discrete phases. In order to facilitate that the existing "get" type functions will be split into two halves: one to get the message and one to process it. The "send" type functions will also have all work relating to constructing the message split out into a separate function just for that. For some functions there will also be separate pre and post "work" phases to prepare or update state. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
This is the first drop of the new state machine code. The rewrite has the following objectives: - Remove duplication of state code between client and server - Remove duplication of state code between TLS and DTLS - Simplify transitions and bring the logic together in a single location so that it is easier to validate - Remove duplication of code between each of the message handling functions - Receive a message first and then work out whether that is a valid transition - not the other way around (the other way causes lots of issues where we are expecting one type of message next but actually get something else) - Separate message flow state from handshake state (in order to better understand each) - message flow state = when to flush buffers; handling restarts in the event of NBIO events; handling the common flow of steps for reading a message and the common flow of steps for writing a message etc - handshake state = what handshake message are we working on now - Control complexity: only the state machine can change state: keep all the state changes local to a file This builds on previous state machine related work: - Surface CCS processing in the state machine - Version negotiation rewrite Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-