| Commit message (Collapse) | Author | Files | Lines |
|---|
|
Otherwise each run of the s_client leaks 16k of memory. This hurts
in interactive mode.
ok inoguchi jsing
|
|
While OCSP uses HTTP/1.0 where a host header is optional, some widely
used OCSP responders will return 400 bad request if it is missing. Add
such a header unless it's already provided in the user's custom headers.
OpenSSL did something similar in ff4a9394a23 and 76e0cd12f68
(both commits are under the old license)
ok inoguchi
|
|
ok guenther tb millert
|
|
|
|
suggested by tb@
|
|
deprecated methods to a separate table. Simplify and shorten the
surrounding verbiage.
Joint work with tb@.
|
|
and *_client_method(3). Adjust the documentation.
While here, delete most of the verbiage regarding the deprecated
functions SSLv23_*(3) and add the missing entry to RETURN VALUES.
OK tb@
|
|
with #defines for the per-version initializers instead of extern
globals. Add SSL_USE_SHA256_PRF() to complete the abstraction.
ok tb@ jsing@
|
|
This condition previously existed for DTLS BAD_VER, which has long been
removed. Furthermore, conditioning on DTLS1_VERSION means this is broken
for any newer DTLS version. While here roll up two assertions into one.
ok tb@
|
|
When transitioning from the TLSv1.3 stack to the legacy stack, grow
init_buf before stashing the handshake message. The TLSv1.3 stack has
already received the handshake message (potentially from multiple TLS
records) and validated its size, however the default allocation is only
for a single plaintext record, which can result in the handshake message
failing to fit in certain cases.
Issue noted by tb@ via tlsfuzzer.
ok tb@
|
|
|
|
There is no reason (and there never was any) for profile_name to be
non-const, it was always just passed to strncmp(). Changing this
allows removing an ugly instance of casting away const.
ok guenther jsing
|
|
|
|
Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existant in many cases and
we can reduce the amount of code and complexity by having single method.
Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.
ok tb@
|
|
|
|
ok tb@ jsing@
|
|
.data.rel.ro and .rodata respectively.
ok tb@ jsing@
|
|
|
|
On success, OCSP_request_add0_id() transfers ownership of cid to
either 'one' or 'req' depending on whether the latter is NULL or
not. On failure, the caller can't tell whether OCSP_ONEREQ_new()
failed (in which case cid needs to be freed) or whether it was a
failure to allocate memory in sk_insert() (in which case cid must
not be freed).
The caller is thus faced with the choice of leaving either a leak
or a potential double free. Fix this by transferring ownership
only at the end of the function.
Found while reviewing an upcoming diff by beck.
ok jsing
|
|
So redo previous commit properly:
Use random value for canary bytes; ok tb@.
|
|
ok inoguchi@ tb@ deraadt@
|
|
documenting that SSL_set_bio(3) cannot fail. A similar commit was
made by schwarze a while ago for a few functions in libcrypto.
|
|
|
|
chain. It only takes a few dozens of ms to read it, but doing this 7290
times adds up to a few minutes run time. This way, the test completes in
a handful of seconds.
Diagnosed by jsing, ok beck
|
|
|
|
|
|
|
|
|
|
ok inoguchi@ tb@
|
|
This includes a test where the server response includes multiple handhshake
messages in the single TLS plaintext record (which would have caught the
bug just fixed in tls13_legacy.c).
|
|
When switching to the legacy TLS stack we previously copied any remaining
handshake messages into the receive buffer, but do not include any TLS
record header (largely due to the fact that we've already processed part
of the TLS record that we actually received - that part is placed into the
init_buf). This worked fine with the old record layer implementation,
however the new record layer expects to find the TLS record header.
This means that if we switch from the new stack to the legacy stack (i.e.
the remote side does not support TLSv1.3) and there is more than one
handshake message in the TLS plaintext record (which Microsoft's TLS
stack is known to do), we now read a TLS record of zero bytes instead of
getting the correct length.
Fix this by generating a pseudo-TLS record header when switching from the
new TLS stack to the legacy stack.
Found the hard way by guenther@.
Thanks to tb@ for coming up with a reproducible test case and doing much
of the debugging.
ok inoguchi@ tb@
|
|
|
|
|
|
The d1_{clnt,srvr}.c contain a single function each - merge these into the
ssl_{clnt,srvr}.c, renaming them with an ssl3_ prefix for consistency.
ok beck@ tb@
|
|
DTLSv1 is TLSv1.1 over datagrams - there is no need for a separate
SSL3_ENC_METHOD struct, just use TLSv1_1_enc_data and remove
DTLSv1_enc_data entirely.
ok tb@
|
|
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
|
This avoids naming confusion with an upcoming TLSv1.2 record layer change
and is more descriptive of this function.
Requested by tb@
|
|
This removes the need for extra variables and casts.
ok inoguchi@ tb@
|
|
This improves readability - while here also add a missing return value
check (although it cannot currently fail).
ok inoguchi@ tb@
|
|
|
|
|
|
|
|
On OpenBSD it's necessary to use the eopenssl11 s_server with either -4
or -6 to choose an address family. I often want to try something with an
OpenSSL server and then test the same thing with LibreSSL or vice versa.
Adding and removing -4s on top of editing the command is annoying and
distracting.
This commits teaches our s_server to ignore -4 and -6 and thus makes
commands that work with eopenssl11 more likely to work with openssl(1).
These options are deliberately undocumented and don't show up in help
listings.
ok bcook inoguchi jsing
|
|
using the make variable EOPENSSL11.
Suggested by jsing
|
|
|
|
to look at its private headers either.
|
|
The X509_STORE_CTX struct is opaque in OpenSSL 1.1. To avoid reaching
inside it, reuse the trusted certificate store that was just assigned
to it and use X509_STORE_CTX_get0_param(3) to access the verification
parameters.
|
|
Previously the leaf certificate was only being set up on the X509_STORE_CTX
after two verification steps were performed, however at least one of those
steps could result in the verification callback being triggered and
existing code breaking.
Issue noticed by Raf Czlonka when attempting to connect to talk.google.com
using profanity (which does not set SNI and ends up receiving an invalid
certificate).
ok beck@ deraadt@ tb@
|
|
Currently dtls1_drain_fragments() has a incomplete handrolled version of
dtls1_hm_fragment_free(), which has the potential to leak memory. Replace
the handrolled free with a call to dtls1_hm_fragment_free().
ok inoguchi@ tb@
|
|
Allocate into the appropriate structures and call dtls1_free() on failure,
rather than allocating into local variables and then remembering to free
various things on failure.
ok tb@
|
