summaryrefslogtreecommitdiff
path: root/src/lib/libc/stdlib/merge.c (unfollow)
Commit message (Collapse)AuthorFilesLines
2020-04-27Fix a logic error that hid the failing ZeroLengthIv tests.tb1-3/+3
This issue was fixed in lib/libcrypto/evp/e_aes.c r1.40.
2020-04-27Disallow the use of zero length IVs in AES-GCM viatb3-3/+15
EVP_AEAD_CTX_{open,seal}, as this leaks the authentication key. Issue reported and fix tested by Guido Vranken. ok beck, jsing This commit adds a constant to a public header despite library lock, as discussed with deraadt and sthen.
2020-04-26Minimal maintenance to make this mess slightly less confusing:schwarze1-10/+10
queue -> list; mention "intrusive"; element -> member at one place; delete a bogus remark that maybe referred to a long-gone implementation in VAX assembly code. Much more could be improved, but i don't want to waste too much time here.
2020-04-26fix the description; from andras farkasjmc1-5/+4
ok schwarze kill a Tn while here...
2020-04-26Display TLSv1.3 extension type with openssl(1) -tlsextdebuginoguchi1-7/+49
Add TLSv1.3 extension type, and sort by the definition order in tls1.h. This helps that openssl(1) s_server and s_client with -tlsextdebug displays the TLS extension type instead of "unknown". ok beck@ jsing@ tb@
2020-04-26s_client: fix use of possibly uninitialized valuesinoguchi1-2/+2
Set initial value to variable 'p' and 'pending'. Reported and fix requested from leonklingele by GitHub pull request. https://github.com/libressl-portable/portable/issues/577 https://github.com/libressl-portable/openbsd/pull/114 ok bcook@ jsing@ tb@
2020-04-25A comma is not appropriate here, use a semicolonjca1-2/+2
Suggested by Evan Silberman, confirmed by jmc@
2020-04-25In s_server.c rev. 1.33, jsing added support for "openssl s_server -groups";schwarze1-6/+18
document it and deprecate "openssl s_server -named_curve". While here, fix the error in the synopsis for "openssl s_client -groups" and use unified argument naming and similar wording like in SSL_CTX_set1_groups_list(3). OK jsing@
2020-04-25Switch to NEGOTIATED when using WITHOUT_HRR.jsing1-4/+9
This ensures that we remain in a valid handshake state in the TLSv1.3 server. Ideally we would not switch to NEGOTIATED until after record protection has been enabled, but we'll revisit this later. Issue noted by inoguchi@ ok tb@
2020-04-25Discourage use of RES_USE_INET6jca1-1/+5
Suggested by eric@, input from deraadt@, ok deraadt@ eric@
2020-04-25Fix RES_USE_INET6 descriptionjca1-7/+9
The previous wording implied this option does nothing, which is wrong. This option does affect the way gethostbyname(3) works on OpenBSD (return IPv6 addresses if available). On some systems, it also introduces IPv4-mapped IPv6 addresses, a "feature" that we don't support. ok deraadt@ eric@
2020-04-25Move unsupported, obsolete ciphers and deprecated aliases out ofschwarze1-31/+29
the main list of words to make it more readable, even though it remains long. Avoid using deprecated aliases in explanations what other words mean. Stop documenting aDSS because it is *both* a deprecated alias *and* no longer matches anything at all. General direction discussed with jsing@ some time ago.
2020-04-25tweak the wording to make it clearer under which conditions exactlyschwarze1-4/+4
the TLSv1.3 cipher suites are made available, too; related to ssl_ciph.c rev. 1.115
2020-04-22Revise regress to match state transition changes.jsing1-11/+13
2020-04-22Improve TLSv1.3 state machine for HelloRetryRequest handling.jsing5-66/+104
The state machine currently handles the HelloRetryRequest case by using WITH_HRR - in other words, we're explicitly indicating when we transition to the alternate path. The problem here is that we do not know if we're going to receive a ServerHello or a HelloRetryRequest until we process the message. This means that the ServerHello processing code has to handle both types of messages. The state machine and associated processing code becomes cleaner if we flip this around so that we assume we are going to receive a HelloRetryRequest and upon discovering that it is not, trigger WITHOUT_HRR and hand off to the ServerHello processing function. In particular, this makes the logic much more straight forward on the server side, when adding support for HRR. With feedback from tb@ ok tb@
2020-04-21Handle TLSv1.3 key shares other than X25519 on the server side.jsing2-16/+34
Previously we would only select an X25519 key share from the client, ignoring any others. Change this so that we will select the first of the key shares that matches one of our supported groups. ok beck@ inoguchi@ tb@
2020-04-21Consolidate TLSv1.3 constants.jsing3-40/+47
Move all of the TLSv1.3 constants to the top of tls13_lib.c. Also mark these all as const so that they end up in .rodata rather than .data. ok tb@
2020-04-19Add -groups option to openssl(1) s_server.jsing2-35/+31
This allows supported EC groups to be configured, which will also control which TLSv1.3 key shares we'll accept. While here, deprecate the rather useless -named_curve option, which is effectively the same as -groups with a single group. Also stop setting a single default group of P-256 via SSL_CTX_set_tmp_ecdh() - use the library defaults instead. ok beck@ inoguchi@
2020-04-19Provide TLSv1.3 cipher suite aliases to match the names used in RFC 8446.jsing1-2/+25
ok beck@ inoguchi@ tb@
2020-04-18Fix wrapping/indentation.jsing1-4/+3
2020-04-18Expose the peer ephemeral public key used for TLSv1.3 key exchange.jsing5-36/+79
SSL_get_server_tmp_key() provides the peer ephemeral public key used for key exchange. In the case of TLSv1.3 this is essentially the peer public key from the key share used for TLSv1.3 key exchange, hence make it availaable via SSL_get_server_tmp_key(). ok inoguchi@ tb@
2020-04-18Tweak previous active cipher suite code.jsing1-6/+5
Use a boolean value rather than using a counter, as suggested by tb@ during the previous review. ok tb@
2020-04-18Allow more key share groups for TLSv1.3.jsing1-21/+12
The key share code previously only allowed for key shares to be generated using one of the groups in our default list (X25519, secp256r1, secp384r1). Relax this and allow key shares using any of the groups in our NID list. ok inoguchi@ tb@
2020-04-17Only include TLSv1.3 cipher suites if there are active cipher suites.jsing1-2/+10
Revise the previous so that we only include TLSv1.3 cipher suites if the cipher rule string resulted in at least one active cipher suite. This more closely matches OpenSSL behaviour. Noted and fix tested by schwarze@ ok beck@ tb@
2020-04-17Update key share regress to match previous change.jsing1-4/+4
2020-04-17Generate client key share using our preferred group.jsing4-25/+37
Generate a client key share using our preferred group, rather than always using X25519. This means that the key share group can be controlled via SSL{_CTX,}_set1_groups() and SSL{_CTX,}_set1_groups_list(). ok beck@
2020-04-16Remove AUTHORS section. This follows what is done in strstr.3claudio1-4/+2
2020-04-16Replace the simple memmem() implementation with a version that is O(n)claudio1-47/+167
based on code from musl and now similar to our strstr(). OK tb@ millert@
2020-04-16Resync our strstr.c with the musl version. Removes some debug code andclaudio1-11/+3
optimizes one statement in two-way string compare. OK tb@ millert@
2020-04-14Update in several respects:schwarze1-13/+11
* mention TLSv1.3 * remove DSS, DES(56), RC4(64), and IDEA(128), which are no longer supported * remove ChaCha20-Poly1305-Old and STREEBOG512 which don't exist in LibreSSL * correct the instruction for printing the complete list OK jsing@
2020-04-14add the missing sentence "LibreSSL no longer provides any suchschwarze1-2/+3
cipher suites" to the DES entry and use the same wording for DSS; OK jsing@
2020-04-14Delete the three sentences listing the ciphers currently includedschwarze1-15/+2
in LOW, MEDIUM, and HIGH. That's going to change repeatedly and the extra maintenance effort for keeping it up to date is a waste because people can trivially run "openssl ciphers -v LOW" to look it up. Besides, updating it will usually be forgotten; the LOW entry was already wrong. Suggested by jsing@.
2020-04-11Document the TLSv1.3 control word, update the description of theschwarze1-4/+30
TLSv1 control word, and explain how TLSv1.3 cipher suites can be configured in LibreSSL and in OpenSSL. While here, also mention how users can inspect the DEFAULT list of cipher suites. Stimulus, feedback and OK from jsing@.
2020-04-10sync cert.pem with Mozilla's root ca list, ok beck@sthen1-276/+343
2020-04-10When printing the serialNumber, fall back to the colon separated hextb1-2/+4
bytes in case ASN1_INTEGER_get() failed. This happens more often since asn1/a_int.c -r1.34. Matches OpenSSL behavior. Issue in openssl x509 -text output reported by sthen ok jsing sthen
2020-04-09Revise test to handle the fact that TLSv1.3 cipher suites are now beingjsing1-2/+4
included in the output from `openssl ciphers`.
2020-04-09Include TLSv1.3 cipher suites unless cipher string references TLSv1.3.jsing1-6/+19
OpenSSL has always taken the approach of enabling almost everything by default. As a result, if you wanted to run a secure TLS client/server you had to specify your own "secure" cipher string, rather than being able to trust the defaults as being sensible and secure. The problem is that with the introduction of TLSv1.3, most of these "secure" cipher strings result in the new TLSv1.3 cipher suites being excluded. The "work around" for this issue in OpenSSL was to add a new TLSv1.3 API (SSL_CTX_set_ciphersuites(), SSL_set_ciphersuites()) and have separate knobs for the pre-TLSv1.3 and TLSv1.3 cipher suites. This of course means that every application now needs to call two APIs, but it does mean that applications that only call SSL_CTX_set_cipher_list()/SSL_set_cipher_list() cannot remove TLSv1.3 cipher suites and prevent TLSv1.3 from working. We've taken a different approach and have allowed TLSv1.3 cipher suites to be manipulated via the existing SSL_set_cipher_list() API. However, in order to avoid problems with hardcoded cipher strings, change this behaviour so that we always include TLSv1.3 cipher suites unless the cipher string has a specific reference to the TLSv1.3 protocol or a TLSv1.3 cipher suite. This means that: $ openssl ciphers -v TLSv1.2:!TLSv1.3 still gives TLSv1.2 only cipher suites and: $ openssl ciphers -v AEAD-CHACHA20-POLY1305-SHA256 only lists a single TLSv1.3 cipher, however: $ openssl ciphers -v ECDHE-RSA-AES256-GCM-SHA384 now includes both TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 and all TLSv1.3 cipher suites (which also matches OpenSSL's openssl(1) behaviour). Issue encountered by kn@ with mumble. ok tb@
2020-04-09Test both SSLv3 (aka pre-TLSv1.2) and TLSv1.2 cipher suites with TLS.jsing1-1/+1
2020-04-09Tidy line wrapping and remove an extra blank line.jsing1-4/+3
2020-04-09ssl_aes_is_accelerated() returns a boolean - treat it as such, rather thanjsing1-2/+2
explicitly comparing against a value.
2020-04-08Ensure legacy session ID is persistent during client TLS session.jsing1-9/+14
Generate an unpredictable 32-byte legacy session ID during client initialisation, rather than when the ClientHello message is being created. Otherwise in the case of a HelloRetryRequest the legacy session ID values will differ between the first and second ClientHello messages, which is not permitted by the RFC. Fixes an issue talking TLSv1.3 to smtp.mail.yahoo.com. ok beck@
2020-04-06Re-enable the client test now that it passes again.jsing1-2/+2
2020-04-06Minor code improvements.jsing1-3/+3
2020-04-06Add tests that cover TLSv1.2 and disable those that trigger TLSv1.3.jsing1-3/+32
This allows the test to pass again.
2020-04-06Zero the client random field in the TLSv1.2 golden value.jsing1-5/+5
2020-04-06Improve comparision with test data.jsing1-7/+9
First check the client random against the zeroed value, then zero the client random in the client hello, before comparing with the golden value. This makes failures more obvious and the test code more readable.
2020-04-06Dump the test data when the lengths differ in order to aid debugging.jsing1-0/+3
2020-04-06Use errx() if we fail to build the client hello.jsing1-1/+1
2020-04-06Send a zero-length session identifier if TLSv1.3 is not enabled.jsing1-4/+7
If the maximum version is less than TLSv1.3, send a zero-length session identifier (matching the behaviour of the legacy TLS stack), rather than a 32 byte random identifier. The 32 byte random identifier is only needed for "compatibility" mode in TLSv1.3. ok beck@
2020-03-30"eventually" came and went back in 2004.libressl-v3.1.0martijn1-3/+1
OK schwarze@