| Commit message (Collapse) | Author | Files | Lines |
|---|
|
TLSv1.3 introduces a New Session Ticket post-handshake handshake message
that allows a unique association between a ticket value and a pre-shared
key derived from the resumption master secret. Servers may send this
message arbitrarily often at any time after receiving the client's
Finished message.
Implement tls13_new_session_ticket_recv() which parses the contents of
the NewSessionTicket message into a fresh session derived from the
current session so as to avoid modifying sessions that are already in
the session cache.
This uses tls13_new_session_ticket_recv() in tls13_phh_received_cb().
We currently rely on the general rate limiting of 100 PHH messages per
connection and hour to avoid problems from connecting to a misbehaving
or malicious server.
ok jsing
|
|
TLSv1.3 servers must not indicate a lifetime longer than 7 days and
clients must not cache sessions for longer than 7 days. Encode this
in a macro internal to tls13_lib.c for now.
ok jsing
|
|
SSL_SESSION_dup() is a currently essentially unused public OpenSSL 1.1.1
API. Add a version that does not duplicate the secrets for internal use.
If the public API should be needed, we can easily make it a wrapper.
ok jsing
|
|
ok jsing
|
|
Add members necessary to store the "ticket_age_add" value and the
resumption master secret needed in the TLSv1.3 version of session
resumption.
ok jsing
|
|
The session_id member of SSL_SESSION has 32 bytes for historical
reasons. This precisely accommodates a SHA-256 and is currently
computed using this hash. If the hash function is ever changed,
this will likely overflow. This should be fixed in code. Leave
it at an XXX comment for now.
Pointed out by jsing
|
|
|
|
rust-openssl is an integral part of the Rust ecosystem and more than a
dozen ports, including lang/rust itself, depend on it. We need to ensure
that it keeps working with LibreSSL.
If the rust and rust-openssl-tests packages are installed, create a cargo
workspace under obj/ that compiles and runs the rust-openssl regress tests
much like what is done for the openssl-ruby tests. This expands our regress
coverage: for instance, this would have caught the broken ASN.1 indefinite
length encoding caused by asn1/tasn_enc.c r1.25.
Positive feedback beck jsing semarie
Testing and ok anton
|
|
on Jan 10, 2022: X509_EX_V_INIT X509_EX_V_NETSCAPE_HACK
X509_EXT_PACK_STRING X509_EXT_PACK_UNKNOWN.
Mark BN_set_params and BN_get_params as deprecated, unused,
and intentionally undocumented.
|
|
In the case that a verification callback is installed that tells the
verifier to continue when a certificate is invalid (e.g. expired),
any error resulting from the leaf certificate verification is not stored
and made available post verification, resulting in an incorrect error being
returned.
Also perform leaf certificate verification prior to adding the chain, which
avoids a potential memory leak (as noted by tb@).
Issue reported by Ilya Shipitsin, who encountered haproxy regress failures.
ok tb@
|
|
Rather than using X509_STORE_CTX_set_time() (which is resulting all
certificates in the chain being treated as expired), use chains that have
an expired leaf or expired intermediate. This triggers a different code
path, which is currently mishandled (and hence failing).
Also ensure that the resulting error and error depth match what we expect
them to be.
|
|
Improve verification regress and ensure that the legacy or modern
verification completes with the expected error and error depth.
|
|
Passing an indent value of 67 results in DUMP_WIDTH_LESS_IDENT returning a
value of zero, which is promptly used for division. Likewise, passing a
value larger than 67 results in a negative value being returned.
Prevent this by limiting indent to 64 (which matches OpenSSL's current
behaviour), as well as ensuring that dump_width is > 0.
Should fix oss-fuzz #52464 and #52467.
ok miod@ tb@
|
|
In r1.25 of tasn_enc.c a check was added to ensure that asn1_ex_i2c()
returned the same value on both calls, however in the ndef case the len
variable gets changed between calls. Keep a copy of the original value to
test against.
Issue reported by niklas, who encountered a test failure in rust-openssl.
ok miod@ tb@
|
|
Calling HKDF_expand() with a length of 0 happens to succeed due to a quirk
in the API inherited from BoringSSL. This hides caller-side errors during
development. Error out to catch such mistakes early on.
ok jsing
|
|
that the kernel and ld.so will know not to mark it immutable. malloc
handles the read/write transitions by itself.
|
|
|
|
|
|
|
|
for rsa and friends.
okay tb@
|
|
Now that the QUIC API is public, we can stop linking this statically.
|
|
|
|
|
|
These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.
Prompted by tb@
|
|
Currently, ssl_both.c contains several functions that are used by both the
legacy client and legacy server. This interwines the client and server,
making it harder to make progressive changes. While it does deduplicate
some code, it also ends up with code that is conditioned on s->server and
forces the caller to pass in SSL3_ST_* values.
Move these functions from ssl_both.c into ssl_clnt.c and ssl_srvr.c,
renaming as appropriate and removing the s->server conditionals. Also move
the client and server function prototypes from ssl_locl.h into the .c
files, making them static in the process.
ok tb@
|
|
|
|
Symbols.list mistake: undefine aliases (except _cfb block ciphers which
are aliases for historical reasons). Use -Wl,--no-allow-shlib-undefined.
|
|
These functions were renamed in the last bump
#define PKCS12_MAKE_KEYBAG PKCS12_SAFEBAG_create0_p8inf #define PKCS12_MAKE_SHKEYBAG PKCS12_SAFEBAG_create_pkcs8_encrypt
They don't appear in the compiled library itself, so no further bump
required.
Fixes libressl-portable/portable#791
Found the hard way by vollkommenheit
ok deraadt jsing
|
|
While RFC 8446 is clear about what legacy session identifiers can be sent
by a TLSv1.3 client and how middlebox compatibility mode is requested, it
is delightfully vague about the circumstances under which a client is
permitted to send CCS messages. While it does not make sense for a client
to send CCS messages when they are not requesting middlebox compatibility
mode, it is not strictly forbidden by the RFC and at least one (unknown)
TLSv1.3 stack has been observed to do this in the wild.
Revert part of the previous change and allow clients to send CCS messages,
even if they are not requesting middlebox compatibility mode.
Found the hard way by florian@
ok tb@
|
|
OK tb
|
|
IANA made a permanent registration in the SMI Security for S/MIME CMS
Content Type registry at
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1
for signed objects conforming to draft-ietf-sidrops-signed-tal.
OK tb@
|
|
These ciphers have long based APIs, while EVP has a size_t based API. The
intent of these loops is to handle sizes that are bigger than LONG_MAX.
Rather than using the rather crazy EVP_MAXCHUNK construct, use LONG_MAX
rounded down to a large block size, ensuring that it is a block size
multiple. Revert the recently added overflow checks now that this is
handled more appropriately.
ok tb@
|
|
|
|
Now that EVP_CIPHER is opaque, stop pretending that EVP_CIPHER cleanup can
fail.
ok tb@
|
|
|
|
This is no longer public API. Also remove some comments about i2c and c2i
functions being intentionally undocumented since they are no longer public.
|
|
From Joshua Sing
|
|
|
|
|
|
CID 356777
|
|
CID 356778
|
|
|
|
ok tb@
|
|
ok jsing
|
|
ok jsing
|
|
|
|
|
|
ok jsing
|
|
ok jsing
|
|
ok jsing
|
