| Commit message | Author | Age | Files | Lines |

The current AES-NI x86_64 assembly does some strange, although valid
things, such as making internal function calls without creating stack
frames. In this case, the return address lands in the red zone (which it
allows for when making use of the stack) and everything works as expected.
However, this trips a false positive in valgrind, which seems to think that
any data saved on the stack prior to the internal function call is now
"undefined" once the function returns.
Avoid this by actually using stack frames - this brings in most of
6a40ebe86b4 from OpenSSL, omitting the unnecessary explicit stack alignment
(which was apparently added so this code could be used in the Linux kernel
with an incorrectly aligned stack).
Valgrind issue reported by Steffen Jaeckel (@sjaeckel), found via
libstrophe unit tests.
ok tb@

The current code simply shoves the unvalidated ASN.1 bytes into a BIGNUM in
the hope that other things will detect issues (such as negative values
being flipped to positive). Instead of doing this, decode and validate the
ASN.1 data using ASN1_INTEGER, then convert it to a BIGNUM. Similarly, for
encoding convert from BIGNUM to ASN1_INTEGER and use ASN1_INTEGER encoding.
ok tb@

Also tidy up bn_new() while here.
ok tb@

Requested by & ok jsing

Requested by and ok jsing

a shortcut bypassing expensive computation, so change goto err to
goto done. Bug introduced in last refactoring before commit.

Input length < 0 is an error and input length == 0 can result in
strange effects in some ciphers, except in CCM mode, which is extra
special.
Based on OpenSSL 420cb707 by Matt Caswell and Richard Levitte
found by & ok jsing

and wctrans_t values are locale-specific) so we can simplify our
implementation in libc
ok schwarze@

This validates the tables used in bn_is_perfect_square() and checks that
for randomly generated numbers the isqrt() is what it is expected to be.

for the macro generating test functions for other data types.
This makes sense because both are sufficiently different.
It also avoids a large number of false positive compiler warnings
that guenther@ reported.
OK guenther@

UNIX System V mention it. Only do so in manual pages with a
pre-existing HISTORY section.
Prompted by the comparison of System V and BSD commands and interfaces
in Sun's "System V Enhancements Overview" document.
checked against manuals on bitsavers, TUHS archive and CSRG archive CDs
ok jmc@ schwarze@

Do not leak the extension that was deleted from the stack.
via OpenSSL c3efe5c9.
ok jsing

This was removed shortly after the fork since TS is not 2038-ready
and since there were no consumers of this API. Now there are consumers
and they add it themselves if it's missing from libcrypto. This will no
longer be possible with opaque TS structs, so begrudgingly add it back.
ok jsing kn

The setters make no sense since they do not free the old members and
return what was passed in instead of returning the old struct member
so that the caller has a chance of freeing them. This has the side
effect that calling a setter a second time will likely result in a leak.
TS_VERIFY_CTX_set_imprint() was "fixed" upstream by adding a free() but
the other three setters were missed since discussing the contributor's
CLA was more important. Also missed was that adding frees will result in
double frees: careful consumers like openssl/ruby have workarounds for
the strange existing semantics.
Add a compat #define for TS_VERIF_CTS_set_certs() that made it into the
public API with a typo.
A good illustration of the amount of thought and care that went into
the OpenSSL 1.1 API by both the implementers and the reviewers.
Amazing job overall.
We will be stuck with this nonsense for a long time.
ok jsing kn

This adds TS_STATUS_get0_{failure_info,text,status}() as well as
TS_STATUS_INFO_set_status(). These will be needed by Ruby and openssl(1)
when we make the structs in ts.h opaque.
ok kn jsing

This is Dr Stephen Henson's rewrite avoiding BIGNUM (OpenSSL 54c68d35).
Additionally this pulls in a < vs <= fix by Pauli Dale (OpenSSL 9d868840).
There is also some minor cleanup by myself.
ok jsing

Pull up clearing of output parameters before first return
(OpenSSL 524fdd51 by Bernd Edlinger), explicit comparisons
against NULL, '\0', etc.
ok jsing

OpenSSL b709babb by Richard Levitte
ok jsing

Also switch to heap-allocated HMAC_CTX and clean a few things up
stylistically.
loosely based on OpenSSL f5cee414 by Shane Lontis
ok jsing

based on OpenSSL 1b8f1937 by Dmitry Belyavskiy
ok jsing

When used with QUIC, the SSL BIOs are effectively unused, however we still
currently expect them to exist for status (such as SSL_ERROR_WANT_READ and
SSL_ERROR_WANT_WRITE). Set up NULL BIOs if QUIC is in use.
ok tb@

QUIC uses TLS to complete the handshake, however unlike normal TLS it does
not use the TLS record layer, rather it provides its own transport. This
means that we need to intercept all communication between the TLS handshake
and the record layer. This allows TLS handshake message writes to be
directed to QUIC, likewise for TLS handshake message reads. Alerts also
need to be sent via QUIC, plus it needs to be provided with the traffic
keys that are derived by TLS.
ok tb@

This is the order that they're called/run in.

QUIC wants to know what "encryption level" handshake messages should be
sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that
defines these (of course quictls decided to make this an
OSSL_ENCRYPTION_LEVEL typedef, so provide that as well).
Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so
that they can be used in upcoming commits.
ok tb@

Instead of setting the alert manually in various parse handlers, we can
make use of the fact that tlsext_parse() sets the alert to decode_error
by default. This simplifies the code quite a bit.
ok jsing

Move the not yet exposed EssCertIDv2 struct internals to ts_local.h and move
the ASN.1 function prototypes that we don't want to expose with them.
Include ts_local.h where necessary or where it will be needed soon.
ok jsing

ok beck@ tb@

tls_buffer was originally created for a specific use case, namely reading in
length prefixed messages. This adds read and write support, along with a
capacity limit, allowing it to be used in additional use cases.
ok beck@ tb@

We can rely on tlsext_client_parse() to set the alert, so no need to
do this in the error path.
ok jsing

The main parsing function already checks that the entire extension data
was consumed, so the length checks inside some of the parse handlers are
redundant. They were also not done everywhere, so this makes the parse
handlers more consistent.
Similar diff was sent by jsing a long while back
ok jsing

Add an early return in the s->internal->hit case so that we can unindent
a lot of this code. In the HRR case, we do not need to check that the list
of supported groups is unmodified from the first CH. The CH extension
hashing already does that for us.
ok jsing

ok jsing

ok jsing

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.
ok jsing

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().
Similar checks were introduced in OpenSSL 86a90dc7
ok jsing

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.
ok jsing

Change alpn_client_proto_list and alpn_selected from unsigned char *
to uint8_t and change alpn_client_proto_list_len to be a size_t instead
of an unsigned int.
ok jsing

The ALPN extension must contain a non-empty list of protocol names.
Split a check of this out of tlsext_alpn_server_parse() so that it
can be reused elsewhere in the library.
ok jsing

There is no way that tls_buffer_set_data() can currently work in
conjunction with tls_buffer_expand(). This fact is currently hidden by the
way that PHH works, which reads the same data from the record layer (which
it needs to do anyway, since we may not have all of the handshake message
in a single record).
Since this is broken, mop it up and change the PHH callback to not provide
the record data.
ok beck@ tb@