path: root/src/lib/libc/stdlib/reallocarray.c
Date  Commit message  (Author, Files, Lines)
2021-05-02  Prevent future internal use of some #defines  (tb, 1 file, -1/+3)
After jsing's recent commits, SSL3_CC_{READ,WRITE,CLIENT,SERVER} and the derived SSL3_CHANGE_CIPHER_{CLIENT,SERVER}_{READ,WRITE} are no longer used by LibreSSL and should never be used again. discussed with jsing
2021-05-02  Clean up tls1_change_cipher_state().  (jsing, 5 files, -42/+29)
Replace flag gymnastics at call sites with separate read and write functions, which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code. ok inoguchi@ tb@
2021-05-02  In the TLSv1.2 server, set up the key block after sending the CCS.  (jsing, 1 file, -7/+7)
This avoids calling into the key block setup code multiple times and makes the server code consistent with the client. ok inoguchi@ tb@
2021-05-02  Clean up dtls1_reset_seq_numbers().  (jsing, 5 files, -26/+22)
Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server. ok inoguchi@ tb@
2021-05-02  Ensure that handshake hash is non-NULL in tls1_transcript_hash_value().  (jsing, 1 file, -1/+4)
There are several paths where a subtle bug could result in tls1_transcript_hash_value() being called with a NULL handshake hash - add an explicit check for this case. As noted by tb@, due to the wonders of the libcrypto EVP APIs, combined with integer promotion, we already have a NULL check - this one is just more obvious. ok tb@
2021-05-02  Harden tls12_finished_verify_data() by checking master key length.  (jsing, 1 file, -1/+4)
Require master key length to be greater than zero if we're asked to derive verify data for a finished or peer finished message. ok tb@
2021-05-02  Stop deriving peer finished twice for TLSv1.2.  (jsing, 1 file, -12/+1)
We already derive the peer finished in ssl3_do_change_cipher_spec(), which DTLS relies on. In the case of TLS we've been doing it twice - once in ssl3_get_message() and once in ssl3_do_change_cipher_spec(). ok tb@
2021-05-02  Make TS_compute_imprint a bit more robust.  (tb, 1 file, -20/+28)
Instead of using the output parameters directly, null them out at the beginning and work with local variables which are only assigned to the output parameters on success. This way we avoid leaking stale pointers back to the caller. requested/ok jsing
2021-05-01  Retire OpenBSD/sgi.  (visa, 1 file, -5/+1)
OK deraadt@
2021-05-01  bump to LibreSSL 3.4.0 in -current  (bcook, 1 file, -3/+3)
2021-05-01  Plug leak in c2i_ASN1_OBJECT  (tb, 1 file, -3/+8)
When using the object reuse facility of c2i_ASN1_OBJECT, the dynamically allocated strings a may contain are set to NULL, so we must free them beforehand. Also clear the flag, because that's what OpenSSL chose to do. From Richard Levitte OpenSSL 1.1.1 65b88a75921533ada8b465bc8d5c0817ad927947 ok inoguchi
2021-05-01  Prevent double free in int_TS_RESP_verify_token  (tb, 1 file, -1/+2)
If TS_compute_imprint fails after md_alg was allocated, there will be a double free in its caller. Obvious fix is to null out the output parameter md_alg just like it's already done for imprint and imprint_len. From Pauli Dale, OpenSSL 1.1.1, a3dea76f742896b7d75a0c0529c0af1e628bd853 ok inoguchi jsing
2021-04-30  Clean up and harden TLSv1.2 master key derivation.  (jsing, 5 files, -54/+51)
The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites. If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later. ok inoguchi@ tb@
2021-04-28  Revert "Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in new verifier." (r1.27).  (tb, 1 file, -4/+1)
While this may have "fixed" one corner case, it broke expectations of Perl Net::SSLeay and Ruby OpenSSL regression tests. ok bcook
2021-04-27  Add DTLS test in appstest.sh  (inoguchi, 1 file, -1/+70)
2021-04-27  test-verify-unusual-wildcard-cert is no longer expected to fail with lib/libcrypto/x509/x509_constraints.c r1.16  (tb, 1 file, -2/+1)
2021-04-27  Relax SAN DNSname validation and constraints to permit non leading * wildcards.  (beck, 2 files, -27/+25)
While we may choose not to support them, the standards appear to permit them optionally, so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards). ok jsing@, tb@
2021-04-25  Clean up derivation of finished/peer finished.  (jsing, 8 files, -116/+147)
Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows us to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code. ok inoguchi@ tb@
2021-04-24  Do not leave errors on the error stack on PKCS12_parse() success.  (tb, 1 file, -1/+3)
Fix is the same as OpenSSL commit ffbf304d4832bd51bb0618f8ca5b7c26647ee664 Found by Alex Gaynor with a new pyca cryptography regress test. ok inoguchi
2021-04-24  Enable the new verifier again so hopefully the remaining kinks get ironed out in this release cycle.  (tb, 1 file, -2/+2)
discussed with deraadt and jsing
2021-04-24  Remove "-4" option treatment and use it always on s_server test in appstest.sh  (inoguchi, 1 file, -9/+2)
2021-04-23  Enable test-renegotiation-changed-clienthello.py but skip "drop extended_master_secret in renegotiation" since we don't support this extension.  (tb, 1 file, -1/+7)
2021-04-23  whitespace  (tb, 1 file, -3/+3)
2021-04-22  Only hash known CH extensions  (tb, 1 file, -5/+5)
RFC 4.1.2 specifies the ways in which the extensions in the first and the second ClientHello may differ. It basically says that extensions not known to a server must not change. This in turn makes it impossible to introduce new extensions that do change. It makes little sense to enforce that extensions we don't know and care about aren't modified, so make the hashing more lenient and restrict it to the extensions we do care about. Arguably, enforcing no change in an unknown extension is incompatible with the requirement that it be ignored. ok bcook jsing
2021-04-21  Add a test that roundtrips a bunch of points on all builtin curves via point2oct and oct2point and that checks the corner case in hybrid encoding that was fixed in ec2_oct.c r1.13.  (tb, 2 files, -6/+268)
2021-04-21  Clean up TLSv1.2 certificate request handshake data.  (jsing, 5 files, -43/+27)
Currently cert_req is used by clients and cert_request is used by servers. Replace this by a single cert_request used by either client or server. Remove the certificate types as they are currently unused. This also fixes a bug whereby if the number of certificate types exceeds SSL3_CT_NUMBER the number of bytes read in is insufficient, which will break decoding. ok inoguchi@ tb@
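The decoding bug described in the commit above (a count clamped to the array size before the bytes are consumed, so that surplus type bytes are left in the stream and decoded as the next field) can be reproduced with a small bounded-reader parser. The following C is an added example, not LibreSSL's ssl3_get_certificate_request() or its CBS API: struct cbs, parse_cert_request(), the CT_NUMBER capacity of 9, and the constructed CertificateRequest bodies CR_TEN_TYPES and CR_THREE_TYPES (type values 1..10 are arbitrary) are assumptions made for the illustration; the message layout follows RFC 5246 section 7.4.4.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Capacity of the fixed certificate-type array (plays the role of SSL3_CT_NUMBER). */
#define CT_NUMBER 9

/* Minimal bounded reader in the spirit of a CBS: every read is length checked. */
struct cbs {
	const uint8_t *p;
	size_t len;
};

static int cbs_get_u8(struct cbs *c, uint8_t *v)
{
	if (c->len < 1)
		return 0;
	*v = c->p[0];
	c->p++;
	c->len--;
	return 1;
}

static int cbs_get_u16(struct cbs *c, uint16_t *v)
{
	if (c->len < 2)
		return 0;
	*v = (uint16_t)(c->p[0] << 8 | c->p[1]);
	c->p += 2;
	c->len -= 2;
	return 1;
}

static int cbs_get_bytes(struct cbs *c, struct cbs *out, size_t n)
{
	if (c->len < n)
		return 0;
	out->p = c->p;
	out->len = n;
	c->p += n;
	c->len -= n;
	return 1;
}

struct cert_request {
	uint8_t ctypes[CT_NUMBER];
	size_t nctypes;
	size_t nsigalgs;
	size_t cas_len;
};

/* Parses a TLS 1.2 CertificateRequest body:
 *   certificate_types<1..2^8-1>
 *   supported_signature_algorithms<2..2^16-2>
 *   certificate_authorities<0..2^16-1>
 * clamp_before_read == 1 reproduces the buggy shape: the count is clamped to
 * CT_NUMBER before the bytes are consumed, so any surplus type bytes stay in
 * the stream and are decoded as the signature-algorithms length. */
int parse_cert_request(const uint8_t *msg, size_t len, int clamp_before_read,
    struct cert_request *out)
{
	struct cbs c = { msg, len }, types, sigalgs, cas;
	uint8_t ntypes;
	uint16_t vlen;

	memset(out, 0, sizeof(*out));
	if (!cbs_get_u8(&c, &ntypes) || ntypes == 0)
		return 0;
	if (clamp_before_read && ntypes > CT_NUMBER)
		ntypes = CT_NUMBER;
	if (!cbs_get_bytes(&c, &types, ntypes))
		return 0;
	/* Fixed shape: consume the whole vector, keep at most CT_NUMBER entries. */
	out->nctypes = types.len > CT_NUMBER ? CT_NUMBER : types.len;
	memcpy(out->ctypes, types.p, out->nctypes);

	if (!cbs_get_u16(&c, &vlen) || vlen < 2 || vlen % 2 != 0)
		return 0;
	if (!cbs_get_bytes(&c, &sigalgs, vlen))
		return 0;
	out->nsigalgs = sigalgs.len / 2;

	if (!cbs_get_u16(&c, &vlen) || !cbs_get_bytes(&c, &cas, vlen))
		return 0;
	out->cas_len = cas.len;
	return c.len == 0;	/* trailing bytes mean a malformed message */
}

/* Constructed message: ten certificate types, two signature algorithms
 * (0x0401 sha256/rsa, 0x0403 sha256/ecdsa) and an empty CA list. */
const uint8_t CR_TEN_TYPES[] = {
	0x0a, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10,
	0x00, 0x04, 0x04, 0x01, 0x04, 0x03,
	0x00, 0x00
};
/* Constructed message with three types, otherwise identical. */
const uint8_t CR_THREE_TYPES[] = {
	0x03, 1, 2, 64,
	0x00, 0x04, 0x04, 0x01, 0x04, 0x03,
	0x00, 0x00
};

/* Number of signature algorithms decoded, or -1 when parsing fails. */
int sigalg_count(const uint8_t *msg, size_t len, int clamp_before_read)
{
	struct cert_request cr;
	return parse_cert_request(msg, len, clamp_before_read, &cr) ? (int)cr.nsigalgs : -1;
}

/* Number of certificate types kept, or -1 when parsing fails. */
int ctype_count(const uint8_t *msg, size_t len, int clamp_before_read)
{
	struct cert_request cr;
	return parse_cert_request(msg, len, clamp_before_read, &cr) ? (int)cr.nctypes : -1;
}
```

With clamp_before_read set, the ten-type message fails to parse: only nine type bytes are consumed, the tenth (0x0a) becomes the high byte of the signature-algorithms length (0x0a00) and the bounded read of 2560 bytes fails. Reading the full vector first and truncating only the copy keeps the stream in sync, which is what the rewrite to a single cert_request structure fixes.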
2021-04-21  Fix const in previous. Pointed out by asou  (tb, 1 file, -5/+5)
2021-04-20  Fix indent of EC_METHODs as requested by jsing.  (tb, 6 files, -192/+192)
While there zap trailing whitespace from a KNF approximation gone wrong.
2021-04-20  Adjust ectest.c for set_compressed_coordinates  (tb, 1 file, -9/+9)
2021-04-20  Compare pointer against NULL and fix a KNF issue.  (tb, 1 file, -3/+3)
ok jsing
2021-04-20  Prepare to provide EC_POINT_set_compressed_coordinates  (tb, 5 files, -57/+41)
ok jsing
2021-04-20  Adjust ectest.c for get_Jprojective coordinate change  (tb, 1 file, -2/+2)
2021-04-20  Compare function pointers against NULL, not 0.  (tb, 1 file, -3/+3)
ok jsing
2021-04-20  Provide EC_POINT_{g,s}et_Jprojective_coordinates for internal use  (tb, 10 files, -77/+97)
ok jsing
2021-04-20  Simplify code after adding EC_POINT_{s,g}et_affine_coordinates()  (tb, 3 files, -73/+18)
ok jsing
2021-04-20  Adjust ecdhtest.c for affine_coordinates change  (tb, 2 files, -7/+7)
2021-04-20  Adjust ectest.c for affine_coordinates change  (tb, 1 file, -17/+17)
2021-04-20  Compare function pointers against NULL, not 0.  (tb, 1 file, -3/+3)
ok jsing
2021-04-20  Prepare to provide EC_POINT_{g,s}et_affine_coordinates  (tb, 18 files, -92/+90)
Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b ok jsing
2021-04-20  Simplify after EC_POINT_get_curve() addition  (tb, 2 files, -30/+8)
ok jsing
2021-04-20  Adjust ectest.c for EC_GROUP_{g,s}et_curve change  (tb, 2 files, -15/+15)
2021-04-20  Add prototypes for EC_GROUP_get_curve_{GF2m,GFp}().  (tb, 1 file, -1/+6)
These will be removed once EC_GROUP_get_curve() is public.
2021-04-20  Compare function pointers against NULL, not 0.  (tb, 1 file, -3/+3)
ok jsing
2021-04-20  Prepare to provide EC_GROUP_{get,set}_curve(3)  (tb, 6 files, -41/+51)
There are numerous functions in ec/ that exist with _GF2m and _GFp variants for no good reason. The code of both variants is the same. The EC_METHODs contain a pointer to the appropriate version. This commit hides the _GF2m and _GFp variants from internal use and provides versions that work for both curve types. These will be made public in an upcoming library bump. Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b ok jsing
2021-04-19  Remove new_sym_enc and new_aead.  (jsing, 3 files, -10/+19)
These can be replaced with accessors that allow this information to be retrieved from the new record layer. ok inoguchi@ tb@
2021-04-19  Avoid division by zero in hybrid point encoding  (tb, 1 file, -17/+49)
In hybrid and compressed point encodings, the form octet contains a bit of information allowing y to be calculated from x. For a point on a binary curve, this bit is zero if x is zero, otherwise it must match the rightmost bit of the field element y / x. The existing code only considers the second possibility. It could thus fail with a division by zero error as found by Guido Vranken's cryptofuzz. This commit adds a few explanatory comments to oct2point and fixes some KNF issues. The only actual code change is in the last hunk which adds a BN_is_zero(x) check to avoid the division by zero. ok jsing
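As an added example that is not the ec2_oct.c code, the following C models the form-octet bit on a toy binary curve y^2 + xy = x^3 + x^2 + 1 over GF(2^4). The field polynomial, curve constants, one-byte coordinates and the brute-force root search are all constructed for this illustration (real binary curves use m >= 163 and BN_GF2m arithmetic); on_curve(), form_bit(), hybrid_form(), decompress() and hybrid_decode() are names chosen here. form_bit() shows the division by zero for the point (0, sqrt(b)) when the x == 0 case is skipped, decompress() shows why the bit carries no information there, and hybrid_decode() validates the bit against the transmitted y.

```c
#include <stdint.h>

/* Toy binary field GF(2^4), reduction polynomial t^4 + t + 1 (constructed for
 * the example). Elements are 4-bit values. */
#define FIELD_M    4
#define FIELD_POLY 0x13
#define FIELD_SIZE 16
/* Toy curve y^2 + xy = x^3 + CURVE_A x^2 + CURVE_B over that field. */
#define CURVE_A 1
#define CURVE_B 1

static uint8_t gf_add(uint8_t a, uint8_t b) { return a ^ b; }

static uint8_t gf_mul(uint8_t a, uint8_t b)
{
	uint8_t r = 0;

	while (b != 0) {
		if (b & 1)
			r ^= a;
		b >>= 1;
		a <<= 1;
		if (a & 0x10)		/* reduce once the degree reaches m */
			a ^= FIELD_POLY;
	}
	return r;
}

static uint8_t gf_sqr(uint8_t a) { return gf_mul(a, a); }

/* a / b, failing (as BN_GF2m_mod_div does) when the divisor is zero. */
static int gf_div(uint8_t a, uint8_t b, uint8_t *out)
{
	uint8_t inv = 1;
	int i;

	if (b == 0)
		return 0;
	for (i = 0; i < FIELD_SIZE - 2; i++)	/* b^(2^m - 2) = b^-1 */
		inv = gf_mul(inv, b);
	*out = gf_mul(a, inv);
	return 1;
}

/* sqrt(a) = a^(2^(m-1)): squaring is a bijection in characteristic 2. */
static uint8_t gf_sqrt(uint8_t a)
{
	int i;

	for (i = 0; i < FIELD_M - 1; i++)
		a = gf_sqr(a);
	return a;
}

int on_curve(uint8_t x, uint8_t y)
{
	uint8_t lhs = gf_add(gf_sqr(y), gf_mul(x, y));
	uint8_t rhs = gf_add(gf_add(gf_mul(gf_sqr(x), x),
	    gf_mul(CURVE_A, gf_sqr(x))), CURVE_B);

	return lhs == rhs;
}

/* Bit stored in the form octet: 0 for x == 0, otherwise the rightmost bit of
 * y / x. Returns -1 on error. check_zero == 0 reproduces the pre-fix
 * behaviour, which divides by zero for the point (0, sqrt(CURVE_B)). */
int form_bit(uint8_t x, uint8_t y, int check_zero)
{
	uint8_t q;

	if (check_zero && x == 0)
		return 0;
	if (!gf_div(y, x, &q))
		return -1;
	return q & 1;
}

/* Form octet of the hybrid encoding (0x06 | bit), or -1 on error. */
int hybrid_form(uint8_t x, uint8_t y, int check_zero)
{
	int bit = form_bit(x, y, check_zero);

	return bit < 0 ? -1 : (0x06 | bit);
}

/* Recover y from x and the form bit (SEC 1, 2.3.4, binary case, specialised
 * to the toy field). Returns y, or -1 if the encoding is invalid. */
int decompress(uint8_t x, int bit)
{
	uint8_t beta, q;
	int z;

	if (x == 0)	/* y^2 = CURVE_B has one root: the bit must be zero */
		return bit == 0 ? gf_sqrt(CURVE_B) : -1;
	/* With y = x*z the curve equation becomes z^2 + z = x + A + B/x^2; the
	 * two roots differ by 1, so their low bits differ and the bit picks one. */
	if (!gf_div(CURVE_B, gf_sqr(x), &q))
		return -1;
	beta = gf_add(gf_add(x, CURVE_A), q);
	for (z = 0; z < FIELD_SIZE; z++)	/* brute force is fine for 16 elements */
		if (gf_add(gf_sqr((uint8_t)z), (uint8_t)z) == beta && (z & 1) == bit)
			return gf_mul(x, (uint8_t)z);
	return -1;	/* no root: x is not the abscissa of a curve point */
}

/* Hybrid decoding: both coordinates are transmitted, so the decoder must check
 * that the point is on the curve and that the bit agrees with the coordinates. */
int hybrid_decode(uint8_t form, uint8_t x, uint8_t y)
{
	if ((form & 0xfe) != 0x06 || !on_curve(x, y))
		return 0;
	return form_bit(x, y, 1) == (form & 1);
}
```

On this curve (0, 1), (1, 6) and (1, 7) are points; hybrid_form(0, 1, 0) fails exactly the way the pre-fix encoder did, while the checked variant yields 0x06, and a hybrid encoding of (0, 1) with the bit set is rejected on decode.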
2021-04-19  Move new_mac_secret_size into the TLSv1.2 handshake struct.  (jsing, 2 files, -5/+7)
Drop the 'new_' prefix in the process. ok inoguchi@ tb@
2021-04-19  Move reuse_message, message_type, message_size and cert_verify into the TLSv1.2 handshake struct.  (jsing, 6 files, -59/+62)
ok inoguchi@ tb@
2021-04-19  Set alpn_selected_len to zero when freeing alpn_selected.  (jsing, 1 file, -1/+2)
This is not strictly necessary since we proceed to zero the entire struct, however it keeps the code consistent and easily auditable. ok tb@
2021-04-19  The powerpc64 ELFv2 ABI explicitly states that exception enable bits and rounding control bits are not restored by longjmp(3).  (kettenis, 1 file, -1/+9)
So expect some failures on that platform. ok bluhm@