summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
...
* Expose various DTLSv1.2 specific functions and definestb2021-03-315-27/+8
| | | | ok bcook inoguchi jsing
* Document SSL_set_hostflags(3) and SSL_get0_peername(3)tb2021-03-311-18/+4
| | | | ok bcook inoguchi jsing
* Expose SSL_set_hostflags(3) and SSL_get0_peername(3)tb2021-03-312-3/+3
| | | | ok bcook inoguchi jsing
* Document SSL_use_certificate_chain_file(3)tb2021-03-311-11/+3
| | | | ok bcook inoguchi jsing
* Expose SSL_use_certificate_chain_file(3)tb2021-03-312-3/+2
| | | | ok bcook inoguchi jsing
* Provide missing prototype for d2i_DSAPrivateKey_fp(3)tb2021-03-311-1/+2
| | | | ok bcook inoguchi jsing
* Document EVP_PKEY_new_CMAC_key(3)tb2021-03-311-16/+4
| | | | ok bcook inoguchi jsing
* Provide EVP_PKEY_new_CMAC_key(3)tb2021-03-312-5/+2
| | | | ok bcook inoguchi jsing
* whitespace nitstb2021-03-291-4/+4
|
* Prepare documenting EVP_PKEY_new_CMAC_key(3)tb2021-03-291-2/+54
| | | | Based on some text in OpenSSL 1.1.1's EVP_PKEY_new.pod.
* Remove pointless assignment in SSL_get0_alpn_selected().jsing2021-03-291-4/+1
| | | | ok tb@
* Avoid transcript initialisation when sending a TLS HelloRequest.jsing2021-03-291-4/+6
| | | | | | | | | | When server side renegotiation is triggered, the TLSv1.2 state machine sends a HelloRequest before going to ST_SW_FLUSH and ST_OK. In this case we do not need the transcript and currently hit the sanity check in ST_OK that ensures the transcript has been freed, breaking server initiated renegotiation. We do however need the transcript in the DTLS case. ok tb@
* Move finished and peer finished to the handshake struct.jsing2021-03-297-44/+44
| | | | | | | | | This moves the finish_md and peer_finish_md from the 'tmp' struct to the handshake struct, renaming to finished and peer_finished in the process. This also allows the remaining S3I(s) references to be removed from the TLSv1.3 client and server. ok inoguchi@ tb@
* Add regress coverage for TLSv1.2 record number increment.jsing2021-03-291-8/+151
|
* Move the TLSv1.2 record number increment into the new record layer.jsing2021-03-293-19/+44
| | | | | | | This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs. ok inoguchi@ tb@
* Prepare to provide EVP_PKEY_new_CMAC_key()tb2021-03-294-20/+84
| | | | | | | sebastia ran into this when attempting to update security/hcxtools. This will be tested via wycheproof.go once the symbol is public. ok jsing, tested by sebastia
* The failure mode of test-tls13-version-negotiation.py has changed.tb2021-03-281-4/+2
| | | | Update comment.
* Fix duplicate SSL_is_dtls in libssl and apps.cinoguchi2021-03-281-1/+3
| | | | | | | | | | Currently, SSL_is_dtls exists in both libssl and apps.c, and one in libssl is guarded by LIBRESSL_INTERNAL and not exposed yet. This causes portable build broke with openssl(1) and optionstest. To solve this temporarily, rename SSL_is_dtls by apps.h. This temporary renaming will be removed when the SSL_is_dtls() is exposed. ok jsing@
* Enable test-sig-algs-renegotiation-resumption.py.tb2021-03-271-5/+6
| | | | | | | This test covers various scenarios with renegotiation and session resumption. In particular it crashes the OpenSSL 1.1.1j server due to the sigalg NULL deref fixed this week. We need --sig-algs-drop-ok since we do not currently implement signature_algorithms_cert.
* Garbage collect s->internal->typetb2021-03-276-18/+9
| | | | | | | | | | | | | | | | | | | This variable is used in the legacy stack to decide whether we are a server or a client. That's what s->server is for... The new TLSv1.3 stack failed to set s->internal->type, which resulted in hilarious mishandling of previous_{client,server}_finished. Indeed, both client and server would first store the client's verify_data in previous_server_finished and later overwrite it with the server's verify_data. Consequently, renegotiation has been completely broken for more than a year. In fact, server side renegotiation was broken during the 6.5 release cycle. Clearly, no-one uses this. This commit fixes client side renegotiation and restores the previous behavior of SSL_get_client_CA_list(). Server side renegotiation will be fixed in a later commit. ok jsing
* Handle dynamic definition of SIGSTKSZ as of glibc 2.34 on Linux.bcook2021-03-271-7/+24
| | | | ok bluhm@, inoguchi@, tb@, deraadt@
* Add test-sig-algs-renegotiation-resumption.pytb2021-03-261-1/+5
| | | | This test currently fails but may soon be fixed.
* Sort header files and wrap long lines in x509.cinoguchi2021-03-261-67/+110
|
* Avoid mangled output in BIO_debug_callbacktb2021-03-251-4/+12
| | | | | | | Instead of blindly skipping 14 characters, we can use the return value of snprintf() to determine how much we should skip. From Martin Vahlensieck with minor tweaks by me
* The server only sends a cookie during a HRR, not a SHtb2021-03-241-4/+4
|
* Update regress for new_cipher rename.jsing2021-03-242-6/+6
|
* Rename new_cipher to cipher.jsing2021-03-2411-64/+64
| | | | | | | | This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data. ok inoguchi@ tb@
* Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.jsing2021-03-245-40/+48
| | | | | | Move TLSv1.2 specific components over from SSL_HANDSHAKE. ok inoguchi@ tb@
* Convert openssl(1) x509 option handlinginoguchi2021-03-241-414/+747
| | | | | | | | | | | | | Apply new option handling to openssl(1) x509. To handle incremental order value, using newly added OPTION_ORDER. I left the descriptions for -CAform, -inform, and -outform as it was, for now. These description would be fixed. And digest option handler could be consolidated to one between some subcommands in the future. ok and comments from tb@, and "I'd move forward with your current plan." from jsing@
* Add option type OPTION_ORDERinoguchi2021-03-242-2/+9
| | | | | | | | | | To handle incremental order value, added new option type OPTION_ORDER. openssl(1) x509 requires this option handling, since, - -CA and -signkey require to set both filename and incremental 'num'. - -dates requires to set two variables in a row, startdate and enddate. and this couldn't be solved by OPTION_FLAG_ORD. ok tb@ and "I'd move forward with your current plan." from jsing@
* OCSP_basic_verify() doesn't set errno, so use tls_set_errorx()tb2021-03-231-2/+2
| | | | ok inoguchi
* Don't leak ca in test_cms_sign_verify().tb2021-03-221-1/+2
| | | | Reported by Ilya Shipitsin
* Plug a few memory leaks reported by Ilya Shipitsintb2021-03-221-9/+7
|
* Fully initialize rrec in tls12_record_layer_open_record_protectedtb2021-03-211-1/+2
| | | | | | | | | | The CBC code path initializes rrec.padding_length in an indirect fashion and later makes use of it for copying the MAC. This is confusing some static analyzers as well as people investigating the whining. Avoid this confusion and add a bit of robustness by clearing the stack variable up front. ok jsing
* Revise regress to match handshake struct changes.jsing2021-03-211-18/+18
|
* Move the TLSv1.3 handshake struct inside the shared handshake struct.jsing2021-03-219-226/+227
| | | | | | | | | | | | | | | | There are currently three different handshake structs that are in use - the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct (as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous 'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp)). This is the first step towards cleaning up the handshake structs so that shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2 and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code to access the shared handshake data without needing the SSL struct. ok inoguchi@ tb@
* Split TLSv1.3 record protection from record layer.jsing2021-03-211-46/+72
| | | | | | | | This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code. ok inoguchi@ tb@
* Build options regress with -DLIBRESSL_INTERNAL.jsing2021-03-211-2/+2
| | | | | This is currently needed for DTLS1_2_VERSION, however it should be used here regardless.
* Avoid a use-after-scope in tls13_cert_add().jsing2021-03-211-4/+3
| | | | | | | | | | A parent CBB retains a reference to a child CBB until CBB_flush() or CBB_cleanup() is called. As such, the cert_exts CBB must be at function scope. Reported by Ilya Shipitsin. ok tb@
* Plug memory leak reported by Ilya Shipitsintb2021-03-211-3/+2
| | | | | Since r1.7, input in base64_decoding_test() is allocated unconditionally, so free it unconditionally.
* typotb2021-03-201-2/+2
|
* Add new test-tls13-multiple-ccs-messages.pytb2021-03-201-1/+8
| | | | | | | | | | | This is a test that checks for NSS's CCS flood DoS CVE-2020-25648. The test script currently fails on LibreSSL and OpenSSL 1.1.1j because it sends invalid records with version 0x0300 instead of 0x0303. We have the ccs_seen logic corresponding to NSS's fix: https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361 but we do allow up to two CCS due to an interop issue with Fizz, so at least one of the tests will likey be broken once the record version is fixed.
* Prepare documenting SSL_use_certificate_chain_filetb2021-03-191-2/+19
|
* Undo previous. As pointed out by jsing I clearly wasn't fully awake...tb2021-03-191-2/+2
|
* Prepare to provide SSL_use_certificate_chain_file()tb2021-03-192-15/+40
| | | | | | | | | This is the same as SSL_CTX_use_certificate_chain_file() but for an SSL object instead of an SSL_CTX object. remi found this in a recent librelp update, so we need to provide it. The function will be exposed in an upcoming library bump. ok inoguchi on an earlier version, input/ok jsing
* Fix copy-paste error in previoustb2021-03-191-2/+2
| | | | | | | Found the hard way by lists y42 org via an OCSP validation failure that in turn caused pkg_add over TLS to fail. Detailed report by sthen. ok sthen
* Type-cast getpagesize() from int to size_t for the comparison with d.claudio2021-03-181-2/+2
| | | | | | | getpagesize() will only return positive numbers (there is no negative page size system) and it can not fail. Should fix some compiler warnings seen in -portable projects. OK otto@
* Read ahead is now enforced for DTLS - remove workarounds.jsing2021-03-172-20/+2
| | | | ok inoguchi@ tb@
* Use consistent s_server_opt_ prefix.jsing2021-03-171-9/+9
|
* Add DTLSv1.2 support to openssl(1) s_client/s_server.jsing2021-03-174-34/+129
| | | | ok inoguchi@ tb@