| Commit message (Collapse) | Author | Age | Files | Lines |
ok inoguchi
commit 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
Author: Matt Caswell <matt@openssl.org>
Date: Tue Feb 2 17:17:23 2021 +0000
Don't overflow the output length in EVP_CipherUpdate calls
CVE-2021-23840
Reviewed-by: Paul Dale <pauli@openssl.org>
The validation tests were originally created by Steffen Ullrich.
OK tb@
No objection jsing@
Noted by Steffen Ullrich.
ok tb@
use cases, so explain the situation a bit more. Since the 80's, I estimate
around 5 algorithm changes, so any chosen seed is unrepeatable UB.
+The deterministic sequence algorithm changed a number of times since
+original development, is underspecified, and should not be relied upon to
+remain consistent between platforms and over time.
ok jmc kettenis
Notably this update removes various old Symantec roots (GeoTrust,
thawte, VeriSign) that were set in NSS to be distrusted on 1/1/2021.
Nobody should have been using these for years; only certain subCAs
signed by these were valid in NSS in that time due to an exemption:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec
Notably Apple's "Apple IST CA 2 - G1" which is still in use for
some endpoints (it is cross signed by another CA too but these
endpoints are publishing the GeoTrust intermediate cert).
So for now I have skipped removal of "GeoTrust Global CA" to avoid
affecting these sites. Debian ran into this when they updated their
cert database and had to back this part out, affected sites are
not reachable on Android Firefox and maybe other newer Firefoxes.
Some sites that were affected have moved to a different CA in the
last few days but others, notably api.push.apple.com, remain
(I can only guess that there is a complicated problem involved,
possibly cert pinning on old devices - the clock is ticking though
as this expires in May 2022 anyway ;)
Additions:
/C=RO/O=CERTSIGN SA/OU=certSIGN ROOT CA G2
/C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno Root CA 2017
/C=KR/O=NAVER BUSINESS PLATFORM Corp./CN=NAVER Global Root Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority
Removals:
/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2
/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
/C=TW/O=Government Root Certification Authority
/C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2
/C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4
/C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA
first entry. This way ocspcheck will try all returned IPs to contact
the OCSP server. Found by the regress test and a resolv.conf file with
'family inet6 inet4'.
OK kn@ deraadt@
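The "try every resolver answer" behaviour this commit describes, as an added example; it is not ocspcheck's code. The address list and the connector are constructed stand-ins for a real getaddrinfo(3) answer and connect(2), so it runs offline; resolve_all and tcp_connector show where the real calls go.

```python
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# One entry as getaddrinfo() returns it: (family, socktype, proto, canonname, sockaddr)
AddrInfo = Tuple[int, int, int, str, tuple]


def resolve_all(host: str, port: int) -> List[AddrInfo]:
    """Every A and AAAA answer for host, in resolver order (on OpenBSD the
    'family' keyword in resolv.conf controls that order)."""
    return socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)


def tcp_connector(ai: AddrInfo, timeout: float = 5.0) -> socket.socket:
    """Real connector: open a socket of the answer's family and connect."""
    family, socktype, proto, _, sockaddr = ai
    s = socket.socket(family, socktype, proto)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
    except OSError:
        s.close()
        raise
    return s


def connect_any(addrs: Iterable[AddrInfo],
                connector: Callable[[AddrInfo], object]) -> Tuple[Optional[object], list]:
    """Try each address in turn; return the first successful connection and
    the (sockaddr, error) pairs for those that failed.

    Using only addrs[0] is the bug the commit fixes: with 'family inet6 inet4'
    the first answer is the AAAA record, and on a host without an IPv6 route
    the OCSP responder is never reached although its A record would work."""
    failures = []
    for ai in addrs:
        try:
            return connector(ai), failures
        except OSError as e:
            failures.append((ai[4], e))
    return None, failures


# Constructed resolver answer: AAAA first, then A (assumed addresses from the
# documentation ranges, not a real responder).
SAMPLE_ANSWER: List[AddrInfo] = [
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::1", 80, 0, 0)),
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 80)),
]


def fake_connector(ai: AddrInfo):
    """Stand-in for connect(2) on a host that has no IPv6 route."""
    if ai[0] == socket.AF_INET6:
        raise OSError(101, "Network is unreachable")
    return ("connected", ai[4])


if __name__ == "__main__":
    conn, failed = connect_any(SAMPLE_ANSWER, fake_connector)
    print("connected via:", conn)
    for sockaddr, err in failed:
        print("failed:", sockaddr, err)
```

With the real connector, replace SAMPLE_ANSWER by resolve_all(host, port); the loop is the same, and a responder that is unreachable on every address is reported as such instead of being blamed on whichever record happened to come first.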
ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.
ok tb@
DTLS is largely broken/useless without read ahead being enabled, so enforce
it for DTLS. This behaviour matches both our documentation and OpenSSL.
ok tb@
Replace the current copy of dtls1_retrieve_buffered_record() with a call
to it instead.
ok tb@
The mess that is ssl_get_algorithm2() only exists to upgrade the handshake
MAC of a pre-TLSv1.2 cipher suite to SHA256 when used with TLSv1.2. We can
readily do this in ssl_get_handshake_evp_md(), which is far more readable.
ok tb@
For some reason various TLSv1.2 cipher suites were added with the default
handshake MAC and PRF, rather than the SHA256 handshake MAC and PRF. This
gets patched up in ssl3_get_algorithm2(), hence goes unnoticed.
ok tb@
Also check for explicit version numbers, rather than just the major version
value.
ok tb@
This allows us to drop the server messages that we intend on dropping.
The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) nor that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
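The failure mode this commit closes, as an added example that is not libssl code: a legacy (RFC 5705, TLSv1.2 PRF) exporter with and without the "handshake finished" check. The LegacySession fields are assumed names for the state the real exporter reads, the randoms are constructed, and the pre-fix behaviour is modelled by treating a never-set master secret as all zero bytes (an assumption that makes the "predictable value" concrete).

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class LegacySession:
    """Constructed model of the state the pre-1.3 exporter reads (field names assumed)."""
    client_random: bytes
    server_random: bytes
    master_secret: Optional[bytes] = None   # None until the key exchange ran
    handshake_complete: bool = False


class ExporterError(Exception):
    pass


def p_hash(secret: bytes, seed: bytes, length: int, digest: str = "sha256") -> bytes:
    """P_<hash> from RFC 5246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1))."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLSv1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def exporter_seed(s: LegacySession, context: Optional[bytes]) -> bytes:
    """RFC 5705 section 4: client_random + server_random, plus a 2-byte
    length and the context when one is supplied (None and b"" differ)."""
    seed = s.client_random + s.server_random
    if context is not None:
        if len(context) > 0xFFFF:
            raise ValueError("exporter context longer than 2^16-1 bytes")
        seed += len(context).to_bytes(2, "big") + context
    return seed


def unguarded_export(s: LegacySession, label: bytes, context: Optional[bytes], length: int) -> bytes:
    """Pre-fix behaviour: derive from whatever the session holds. With no
    master secret established the output depends only on values sent in
    the clear, so anyone watching the handshake can compute it."""
    secret = s.master_secret if s.master_secret is not None else bytes(48)  # assumed zeroed state
    return tls12_prf(secret, label, exporter_seed(s, context), length)


def export_keying_material(s: LegacySession, label: bytes, context: Optional[bytes], length: int) -> bytes:
    """Exporter with the early error the commit adds: refuse unless the
    handshake finished and a master secret exists."""
    if not s.handshake_complete or s.master_secret is None:
        raise ExporterError("handshake not complete: no master secret to export from")
    return tls12_prf(s.master_secret, label, exporter_seed(s, context), length)


def guard_rejects(s: LegacySession, label: bytes = b"EXPORTER-example",
                  context: Optional[bytes] = b"", length: int = 32) -> bool:
    """True if the guarded exporter refuses this session."""
    try:
        export_keying_material(s, label, context, length)
    except ExporterError:
        return True
    return False


def fresh_session() -> LegacySession:
    """A session before the key exchange; the randoms are constructed, not random."""
    return LegacySession(client_random=bytes(range(32)), server_random=bytes(range(32, 64)))


if __name__ == "__main__":
    s = fresh_session()
    print("unguarded, no master secret:", unguarded_export(s, b"EXPORTER-example", b"", 16).hex())
    print("guarded rejects:", guard_rejects(s))
```

The TLSv1.3 exporter is HKDF-based and already refuses to run before the exporter secret exists; the check above gives the legacy path the same contract.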
https://tools.ietf.org/html/draft-ietf-opsawg-finding-geofeeds describes
a mechanism to authenticate RFC 8805 Geofeed data files through the RPKI.
OpenSSL counterpart https://github.com/openssl/openssl/pull/14050
OK tb@ jsing@
RFC6482 - A Profile for Route Origin Authorizations (ROAs)
RFC6484 - Certificate Policy (CP) for the RPKI
RFC6493 - The RPKI Ghostbusters Record
RFC8182 - The RPKI Repository Delta Protocol (RRDP)
RFC8360 - RPKI Validation Reconsidered
draft-ietf-sidrops-rpki-rta - A profile for RTAs
Also in OpenSSL: https://github.com/openssl/openssl/commit/d3372c2f35495d0c61ab09daf7fba3ecbbb595aa
OK sthen@ tb@ jsing@
ok eric jsing
Now that AEAD is handled internally, we should no longer be assigning
aead_ctx directly, as this will result in a leak. Missed during the
previous change.
ok tb@
ok beck
add HISTORY section. This is currently ignored input next to
SSL_get0_peername() and will be unignored once the symbols are
made publicly visible in libssl.
Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.
ok jsing
This allows for all of the DTLS sequence number save/restore code to be
removed.
ok inoguchi@ "whee!" tb@
checking. Only install the hash on the key if fake key is used,
and do it for EC keys too.
ok tb@ jsing@
ok tb@
ok tb@
key, and fake it internally with the certificate public key instead.
It makes it easier for privsep engines like relayd that don't have to
use bogus keys anymore.
ok beck@ tb@ jsing@
eiv_len was changed from an int to a size_t in r1.10, so casting it
to a size_t is now a noop.
ok jsing
This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
Call these functions from code that needs to know if we've changed cipher
state and enabled record protection, rather than inconsistently checking
various pointers from other places in the code base. This also fixes a
minor bug where the wrong pointers are checked if we're operating with
AEAD.
ok inoguchi@ tb@
Rather than manually calculating the maximum record layer overhead in the
DTLS code, have the record layer provide this information. This also makes
it work correctly with AEAD ciphersuites.
ok inoguchi@ tb@
Pull this code up into the record protection struct, which means we only
need the length checks in one place. This code will soon be used for
additional purposes.
ok inoguchi@ tb@
too small in the AF_INET6 case.
Spotted by Brad House (brad AT brad-house.com) with the c-ares
regression test.
The man page says
Caution: The dst field should be zeroed before calling inet_net_pton() as
the function will only fill the number of bytes necessary to encode the
network number in network byte order.
Which seems to suggest that the function should work if the passed in
storage is big enough to hold the prefix, which might be smaller than
sizeof(in6_addr).
Input & OK tb
Inline/remove some variables and use sizeof with the correct variables.
ok inoguchi@ tb@
Pass the explicit DTLS read sequence number to dtls1_record_bitmap_update()
and dtls1_record_replay_check(), rather than expecting it to be in
S3I(s)->read_sequence. Also, store the read sequence number into
S3I(s)->rrec.seq_num when we're processing the record header, rather than
having dtls1_record_replay_check() be responsible for copying it.
ok inoguchi@ tb@
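The sliding-window anti-replay check that dtls1_record_replay_check() and dtls1_record_bitmap_update() implement (RFC 6347 section 4.1.2.6, the RFC 4303 scheme), as an added example rather than libssl's code. As in the commit, both operations take the record's sequence number as an explicit parameter instead of reading it from shared state. Assumptions: a 64-bit window, one window per epoch, and seq is the 48-bit sequence number within that epoch; the sample sequence is constructed.

```python
WINDOW_BITS = 64  # width of the receive bitmap


class DtlsReplayWindow:
    """max_seq is the highest sequence number accepted so far; bit i of
    bitmap is set when record max_seq - i was received (bit 0 is max_seq)."""

    def __init__(self) -> None:
        self.max_seq = None  # no record accepted yet in this epoch
        self.bitmap = 0

    def replay_check(self, seq: int) -> bool:
        """True if a record with this sequence number may be accepted."""
        if self.max_seq is None or seq > self.max_seq:
            return True                         # right of the window: new
        shift = self.max_seq - seq
        if shift >= WINDOW_BITS:
            return False                        # left of the window: too old
        return not (self.bitmap >> shift) & 1   # inside: already seen?

    def bitmap_update(self, seq: int) -> None:
        """Mark seq as received. Call only after the record authenticated,
        so a forged sequence number cannot slide the window forward."""
        if self.max_seq is None:
            self.max_seq, self.bitmap = seq, 1
        elif seq > self.max_seq:
            shift = seq - self.max_seq
            if shift < WINDOW_BITS:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW_BITS) - 1)
            else:
                self.bitmap = 1                 # jumped past the whole window
            self.max_seq = seq
        else:
            self.bitmap |= 1 << (self.max_seq - seq)


def process_records(seqs):
    """Run record sequence numbers through one window; 'accept' means the
    record would go on to decryption and delivery, 'drop' that it is
    discarded silently (a replay or a record older than the window)."""
    win = DtlsReplayWindow()
    verdicts = []
    for seq in seqs:
        if not win.replay_check(seq):
            verdicts.append("drop")
            continue
        # decryption and MAC/AEAD verification would happen here
        win.bitmap_update(seq)
        verdicts.append("accept")
    return verdicts


# Constructed arrival order: reordering (3 after 5), a replay of 5, a jump
# past the window (70), records that fell off its left edge (6, 4), another
# jump (200), the oldest in-window record (137) and its replay.
SAMPLE_SEQS = [5, 3, 5, 70, 6, 4, 200, 136, 137, 137]

if __name__ == "__main__":
    for seq, verdict in zip(SAMPLE_SEQS, process_records(SAMPLE_SEQS)):
        print(f"seq {seq:>4}: {verdict}")
```

Note the asymmetry that makes the explicit-parameter design matter: replay_check() runs before the record is authenticated and must not change state, while bitmap_update() runs only after authentication; passing seq to each avoids a shared "current sequence number" slot that one path fills and the other reads.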