summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* bump libssl major after struct visibility changes and symbol additiontb2021-05-101-2/+2
|
* bump libcrypto minor after symbol additiontb2021-05-101-1/+1
|
* Make SSL_CIPHER, SSL_CTX, SSL_SESSION, {DTLS1,SSL3}_STATEtb2021-05-103-8/+7
| | | | | | and a few other structs in libssl opaque. from/ok jsing
* Provide SSL_SESSION_get0_cipher(3)tb2021-05-103-2/+10
| | | | ok jsing
* Provide SSL_CTX_get_ssl_method(3)tb2021-05-103-2/+11
| | | | ok jsing
* Provide SSL_CIPHER_find(3)tb2021-05-103-2/+10
| | | | ok jsing
* Expose EVP_Digest{Sign,Verify}(3)tb2021-05-102-5/+3
| | | | ok jsing
* Expose EC_POINT_{get,set}_affine_coordinates(3) andtb2021-05-102-7/+11
| | | | | | EC_POINT_set_compressed_coordinates(3) ok jsing
* Expose EC_GROUP_{get,set}_curve(3)tb2021-05-102-3/+4
| | | | ok jsing
* Add draft-ietf-sidrops-rpki-rsc OIDjob2021-05-092-0/+2
| | | | | | | | Listed under 'SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)' https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1 OK tb@
* Prepare to provide EVP_Digest{Sign,Verify}tb2021-05-092-3/+35
| | | | | | | | | | | These are one-shot versions combining EVP_Digest{Sign,Verify}{Update,Final}. and are part of the OpenSSL 1.1.1 API. While they simplify callers in some situations slightly, their real use is for EdDSA that by design can't be split into Update/Final steps. Based on OpenSSL commit 7539418981c140648a620d72edd7398564878b5c ok inoguchi
* Replace DTLS w_epoch with epoch from TLSv1.2 record layer.jsing2021-05-055-29/+20
| | | | ok inoguchi@ tb@
* Rewrite TLSv1.2 key block handling.jsing2021-05-055-134/+247
| | | | | | | | | | | | | For TLSv1.2 a single key block is generated, then partitioned into individual secrets for use as IVs and keys. The previous implementation splits this across two functions tls1_setup_key_block() and tls1_change_cipher_state(), which means that the IV and key sizes have to be known in multiple places. This implementation generates and partitions the key block in a single step, meaning that the secrets are then simply handed out when requested. ok inoguchi@ tb@
* Rename shutdown_all() to shutdown_peers() for consistency.tb2021-05-041-3/+3
|
* Use limits.h instead of sys/limits.h in dtlstest.c for portableinoguchi2021-05-031-2/+2
| | | | discussed and input from jsing@
* Modify regress ssl_get_shared_ciphers for portableinoguchi2021-05-032-6/+6
| | | | | | | - Split out the intermediate path (../certs/) to Makefile - Change 'shutdown' to 'shutdown_all' ok tb@
* Hook openssl-ruby test to regress treetb2021-05-031-1/+2
|
* Add scaffold to run the ruby/openssl regression teststb2021-05-031-0/+72
| | | | | | | | | | | | | | | | | | This test depends on the ruby/ruby-openssl-tests port that bundles the sources and tests of the Ruby OpenSSL gem below /usr/local. The Makefile compiles the openssl.so shared object below obj/ that provides Ruby bindings for the OpenSSL API. Once this is built, the regression tests are run. There are currently 4 failing tests, all related to the new verifier. At least one libssl bug is hidden behind a pend. All this will hopefully be fixed during this release cycle. This adds a decent amount of test coverage without being overly expensive. This way, regressions should be spotted during development so jeremy will no longer have to chase and work around them. Joint work with jeremy, positive feedback from bcook and jsing.
* tweak one description to make it uniquetb2021-05-031-2/+3
|
* Prefix the hybrid_corner_case test with test_ for consistency.tb2021-05-031-3/+3
|
* Exercise the point conversion bit for octet string representationstb2021-05-031-1/+279
| | | | of points on secp256r1.
* Add a test that exercises the point conversion bit of the octettb2021-05-031-1/+362
| | | | string representations of points on the binary curve sect571k1.
* Fix corner case for compressed points on binary curvestb2021-05-031-1/+5
| | | | | | | | | Per X9.62 4.4.1.b., the compressed representation of a point with zero x coordinate on a binary curve must have y_bit unset. Error out in that case of ec_GF2m_set_compressed_coordinates() instead of ignoring y_bit. ok jsing
* riscv64 openssl configdrahn2021-05-021-0/+154
| | | | | copied from other 64 bit arch ok jsg@
* Prevent future internal use of some #definestb2021-05-021-1/+3
| | | | | | | | After jsing's recent commits, SSL3_CC_{READ,WRITE,CLIENT,SERVER} and the derived SSL3_CHANGE_CIPHER_{CLIENT,SERVER}_{READ,WRITE} are no longer used by LibreSSL and should never be used again. discussed with jsing
* Clean up tls1_change_cipher_state().jsing2021-05-025-42/+29
| | | | | | | | Replace flag gymnastics at call sites with separate read and write, functions which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code. ok inoguchi@ tb@
* In the TLSv1.2 server, set up the key block after sending the CCS.jsing2021-05-021-7/+7
| | | | | | | This avoids calling into the key block setup code multiple times and makes the server code consistent with the client. ok inoguchi@ tb@
* Clean up dtls1_reset_seq_numbers().jsing2021-05-025-26/+22
| | | | | | | | | | Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server. ok inoguchi@ tb@
* Ensure that handshake hash is non-NULL in tls1_transcript_hash_value().jsing2021-05-021-1/+4
| | | | | | | | | | There are several paths where a subtle bug could result in tls1_transcript_hash_value() being called with a NULL handshake hash - add an explicit check for this case. As noted by tb@, due to the wonders of the libcrypto EVP APIs, combined with integer promotion, we already have a NULL check - this one is just more obvious. ok tb@
* Harden tls12_finished_verify_data() by checking master key length.jsing2021-05-021-1/+4
| | | | | | | Require master key length to be greater than zero if we're asked to derive verify data for a finished or peer finished message. ok tb@
* Stop deriving peer finished twice for TLSv1.2.jsing2021-05-021-12/+1
| | | | | | | | We already derive the peer finished in ssl3_do_change_cipher_spec(), which DTLS relies on. In the case of TLS we've been doing it twice - once in ssl3_get_message() and once in ssl3_do_change_cipher_spec(). ok tb@
* Make TS_compute_imprint a bit more robust.tb2021-05-021-20/+28
| | | | | | | | | Instead of using the output parameters directly, null them out at the beginning and work with local variables which are only assigned to the output parameters on success. This way we avoid leaking stale pointers back to the caller. requested/ok jsing
* Retire OpenBSD/sgi.visa2021-05-011-5/+1
| | | | OK deraadt@
* bump to LibreSSL 3.4.0 in -currentbcook2021-05-011-3/+3
|
* Plug leak in c2i_ASN1_OBJECTtb2021-05-011-3/+8
| | | | | | | | | | When using the object reuse facility of c2i_ASN1_OBJECT, the dynamically allocated strings a may contain are set to NULL, so we must free them beforehand. Also clear the flag, because that's what OpenSSL chose to do. From Richard Levitte OpenSSL 1.1.1 65b88a75921533ada8b465bc8d5c0817ad927947 ok inoguchi
* Prevent double free in int_TS_RESP_verify_tokentb2021-05-011-1/+2
| | | | | | | | | | If TS_compute_imprint fails after md_alg was allocated, there will be a double free in its caller. Obvious fix is to null out the output parameter md_alg just like it's already done for imprint and imprint_len. From Pauli Dale, OpenSSL 1.1.1, a3dea76f742896b7d75a0c0529c0af1e628bd853 ok inoguchi jsing
* Clean up and harden TLSv1.2 master key derivation.jsing2021-04-305-54/+51
| | | | | | | | | | | The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites. If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later. ok inoguchi@ tb@
* Revert "Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in newtb2021-04-281-4/+1
| | | | | | | | verifier." (r1.27). While this may have "fixed" one corner case, it broke expectations of Perl Net::SSLeay and Ruby OpenSSL regression tests. ok bcook
* Add DTLS test in appstest.shinoguchi2021-04-271-1/+70
|
* test-verify-unusual-wildcard-cert is no longer expected to fail withtb2021-04-271-2/+1
| | | | lib/libcrypto/x509/x509_constraints.c r1.16
* Relax SAN DNSname validation and constraints to permit non leading *beck2021-04-272-27/+25
| | | | | | | | | | | wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards). ok jsing@, tb@
* Clean up derivation of finished/peer finished.jsing2021-04-258-116/+147
| | | | | | | | Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code. ok inoguchi@ tb@
* Do not leave errors on the error stack on PKCS12_parse() success.tb2021-04-241-1/+3
| | | | | | | | Fix is the same as OpenSSL commit ffbf304d4832bd51bb0618f8ca5b7c26647ee664 Found by Alex Gaynor with a new pyca cryptography regress test. ok inoguchi
* Enable the new verifier again so hopefully the remaining kinks get ironedtb2021-04-241-2/+2
| | | | | | out in this release cycles. discussed with deraadt and jsing
* Remove "-4" option treatment and use it always on s_server test in appstest.shinoguchi2021-04-241-9/+2
|
* Enable test-renegotiation-changed-clienthello.py but skiptb2021-04-231-1/+7
| | | | | "drop extended_master_secret in renegotiation" since we don't support this extension.
* whitespacetb2021-04-231-3/+3
|
* Only hash known CH extensionstb2021-04-221-5/+5
| | | | | | | | | | | | | RFC 4.1.2 specifies the ways in which the extensions in the first and the second ClientHello may differ. It basically says that extensions not known to a server must not change. This in turn makes it impossible to introduce new extensions that do change. It makes little sense to enforce that extensions we don't know and care about aren't modified, so make the hashing more lenient and restrict it to the extensions we do care about. Arguably, enforcing no change in an unknown extension is incompatible with the requirement that it be ignored. ok bcook jsing
* Add a test that roundtrips a bunch of points on all builtin curvestb2021-04-212-6/+268
| | | | | via point2oct and oct2point and that checks the corner case in hybrid encoding that was fixed in ec2_oct.c r1.13.
* Clean up TLSv1.2 certificate request handshake data.jsing2021-04-215-43/+27
| | | | | | | | | | Currently cert_req is used by clients and cert_request is used by servers. Replace this by a single cert_request used by either client or server. Remove the certificate types as they are currently unused. This also fixes a bug whereby if the number of certificate types exceeds SSL3_CT_NUMBER the number of bytes read in is insufficient, which will break decoding. ok inoguchi@ tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-28 22:17:26 +0000