| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
| |
no longer ignore the expected failures from the legacy name
constraints validation, and will have a regress failure if
we regress.
|
|
|
|
|
| |
have to re-generate these certificates and this should
just keep working even if the certs get old
|
|
|
|
|
| |
Yak for my shaving pleasure found by llvm static analyzer
ok tb@
|
|
|
|
|
| |
found by llvm static analyzer.
ok tb@
|
|
|
|
|
| |
noticed by llvm static analyzer
ok tb@
|
|
|
|
|
| |
noticed by llvm static analyzer
ok tb@
|
|
|
|
|
|
|
| |
eat a NULL.
found by clang static analyzer
ok tb@
|
|
|
|
| |
ok tb@
|
|
|
|
|
|
|
| |
the roots for a ctx are only freed in the free function, not in the
clear function, so that a ctx can be re-used with the same roots.
ok tb@
|
|
|
|
| |
so we don't need to pop free the roots separately
|
| |
|
|
|
|
| |
ok jsing@ tb@
|
|
|
|
|
|
|
| |
openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS
version number. Incompatible versions must fail. Check that client
and server have used correct version by grepping in their session
print out.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.
Note that this is not currently exposed in the headers/exported symbols.
ok beck@ inoguchi@ tb@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator
This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When BIO returns a failure, it does not always add an error to the error
stack. In the case of the legacy stack, this was generally handled by the
guesswork performed by SSL_get_error(). However, in the case of the new
stack we push an 'unknown' error onto the stack.
Improve this situation by specifically checking errno in the case of a
BIO_read() or BIO_write() failure. If the error stack is empty then push
a SYSerror() with the errno which is preferable to the 'unknown' error
later.
Noted by bluhm@ via syslogd regress.
ok beck@ tb@
|
|
|
|
|
|
| |
The curve_id is a uint16, not an int.
ok beck jsing
|
|
|
|
|
|
|
| |
Use more descriptive variable names, explain why NID_undef is fine
and simplify the logic.
ok beck jsing
|
|
|
|
| |
figure out whether top > 0 or top == 0.
|
|
|
|
| |
chacha-poly over aes-gcm. Expect both fallbacks for non 1.3 ciphers.
|
|
|
|
|
|
|
|
|
|
| |
If BN_rand() is called with top > 0 and bits == 1, it would allocate
a buf[] of size 1 and set the top bit of buf[1].
Found in OpenSSL commit efee575ad464bfb60bf72dcb73f9b51768f4b1a1 while
looking for something else.
ok beck djm inoguchi
|
|
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
|
| |
To pick up __STRICT_ALIGNMENT define, include machine/endian.h.
No kidding... deraadt@
ok bcook@ jsing@
|
|
|
|
|
|
|
|
| |
been fixed to work with libressl TLS 1.3. Both libressl and openssl11
replace obsolete TLS 1.2 ciphers with AEAD-AES256-GCM-SHA384 or
TLS_AES_256_GCM_SHA384 in TLS 1.3 respectively. The test expects
that now. Currently GOST does not work with libressl and TLS 1.3
and is disabled.
|
|
|
|
|
|
|
| |
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.
Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).
ok beck@ tb@
|
|
|
|
| |
ok beck@, tb@
|
|
|
|
|
|
|
|
|
|
| |
The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.
Bikeshedded with tb@
ok tb@
|
|
|
|
|
|
| |
TLS13_ALERT_* defines.
ok beck@ tb@
|
|
|
|
| |
ok tb@ jsing@
|
|
|
|
|
|
|
| |
Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).
ok inoguchi@ tb@
|
|
|
|
|
|
| |
Skip sending an empty ECPF extension for now: we don't accept it since
according to RFC 4492 and 8422 it needs to advertise uncompressed point
formats.
|
| |
|
| |
|
| |
|
|
|
|
| |
input and ok tb@
|
|
|
|
| |
ok tb@
|
|
|
|
| |
ok jsing@ tb@
|
|
|
|
| |
ok tb@
|
|
|
|
| |
wording from jmc
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is only set in one place and read in one place to set the badly
named tlsext_ticket_expected flag. It seems preferable to set this
flag directly, thus simplifying the logic. This slightly changes the
behavior in that this flag is now set earlier, but this seems preferable
anyway. Any error between the old and the new position where the flag
is set is either fatal (so the connection will be closed) or a decrypt
error (so the flag will be set).
discussed with jsing
|
|
|
|
|
|
|
| |
shaving off into the cache but unamp them. Pages in the cache get
re-used and then a future grow of the first allocation will be
hampered. Also make realloc a no-op for small shrinkage.
ok deraadt@
|
|
|
|
|
|
| |
This makes piping the OCSP response to other programs with -o - work.
input and r+ guenther
|
|
|
|
|
|
|
|
|
|
| |
Instead of using malloc(3) and manually setting part of the structure to
zero, part to something else and leaving the rest uninitialized, we can
benefit from the fact that there's this thing called calloc(3).
Moreover, all variants of free(3) in libcrypto are NULL safe.
ok beck inoguchi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Zap a memset that was redundant since OpenSSL 0.97b was merged by
markus in 2003. Nowadays it's otto's recallocarray(3) that does the
zeroing.
ok beck inoguchi otto
PS: ASN1_BIT_STRING_set_bit(3) was committed on Dec 21 1998 by Ralf S.
Engelschnall and used this bizarre allocation idiom:
if (a->data == NULL)
c=(unsigned char *)Malloc(w+1);
else
c=(unsigned char *)Realloc(a->data,w+1);
People complained about Malloc, Realloc and Free being used elsewhere, so
on Jun 1 2000, Richarde Levitte swept the OpenSSL tree and it became this.
if (a->data == NULL)
c=(unsigned char *)OPENSSL_malloc(w+1);
else
c=(unsigned char *)OPENSSL_realloc(a->data,w+1);
Then it was found that existing data should be cleaned, and on Nov 13 2002
Ben Laurie changed the last line to
c=(unsigned char *)OPENSSL_realloc_clean(a->data,
a->length,
w+1);
|
| |
|
|
|
|
|
|
|
| |
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.
long standing bug pointed out by jsing
|
|
|
|
| |
get_session_cb is completed.
|