| Commit message (Collapse) | Author | Files | Lines |
|---|
|
Patch from Martin Vahlensieck <academicsolutions dot ch>.
|
|
Patch from Martin Vahlensieck <academicsolutions dot ch>.
|
|
Useless text reported by Martin Vahlensieck (academicsolutions.ch) on tech@.
|
|
Check and print out boolean type properly.
Based on OpenSSL commit ad72d9fdf7709ddb97a58d7d45d755e6e0504b96.
Reduced unneeded parentheses from if condition.
Check return value from i2s_ASN1_INTEGER.
Based on OpenSSL commit 5e3553c2de9a365479324b8ba8b998f0cce3e527.
Added if condition expression and return 0 if NULL is returned.
ok tb@
|
|
and a compact test suite for getopt(3) intended automated regression
testing, both written from scratch.
The suite is intended to provide full coverage, except that it doesn't
test manual changes of optind and optreset and except that it so far
avoids the situation where we have a known bug.
|
|
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.
ok inoguchi jsing
|
|
|
|
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.
ok jsing
|
|
crossing a byte boundary.
|
|
Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.
ok tb@
|
|
|
|
Fix proposed by tb@
|
|
|
|
|
|
ok tb@
|
|
CBB uses recallocarray() to expand buffers, however was still using
malloc() for the initial buffer, which could result in memory being leaked
in incorrect use cases.
While here also use calloc() to allocate internal structs.
ok inoguchi@ tb@
|
|
This reduces the chance of accidently leaking stack memory.
ok inoguchi@ tb@
|
|
Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.
ok inoguchi@ tb@
|
|
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
|
ok inoguchi@ tb@
|
|
|
|
Both session tickets and key updates are post-handshake handshake messages,
which were originally included in the handshake code.
ok inoguchi@ tb@
|
|
In the unlikely event that the return value from the read callback is
larger than the number of bytes we asked for, we can end up incrementing
buf->len beyond capacity. Check the return value from the read callback to
prevent this.
ok inoguchi@ tb@
|
|
The enc function pointers do not serve any purpose these days - remove
a layer of indirection and call dtls1_enc()/tls1_enc() directly.
ok inoguchi@ tb@
|
|
ok bcook@ tb@
|
|
- Don't remove multi line CR/LF from bt->out when NL mode
base64_encoding_test removes CR/LF from bt->out to compare with the encoding
result. This is fine with NO NL mode, but it goes wrong with NL mode if
encoding result is larger than 64 and multi line, like below.
"eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4\neHh4eHh4eHh4eHh4\n"
- Use memcpy instead of asprintf to avoid lost '\0' at the end of data
This test data loses trailing '\0' if using asprintf.
"\x61\x47\x56\x73\x62\x47\x38\x3d\x0a\x00"
- Print original data if decoding result comparison fails
This change is not for importing test data, but I just notice.
It prints bt->out if fail to memcmp bt->in with decoding result.
ok bcook@ tb@
|
|
some errx lines in if statements were terminated with commas, which
caused the following statement to be considered part of the error
handling. while it is bad style, ingo points out it was also a bug
which which caused some tests in the code to be skipped.
this reminds me of a haiku that Chris Pascoe (cpascoe@) had behind
his desk:
Also, that comma
Should be a semi-colon.
Cherry blossoms fall.
this was found by Robert Mustacchi when porting the tests to illumos.
ok schwarze@ stsp@
thank you robert.
|
|
TLSv1.1 or below, it should check whether the server's random value
contains the magic downgrade protection cookie and in that case abort
the handshake with an illegal parameter alert.
ok inoguchi, jsing
|
|
eight bytes of the server's random to a magic cookie (RFC 8446, 4.1.3).
The TLSv1.3 spec changes the TLSv1.2 spec in that it recommends that
TLSv1.2 servers that negotiate TLSv1.1 or below do the same. This gives
a limited additional protection against downgrade attacks beyond what is
already present in the Finished exchange.
The TLSv1.3 part was already implemented in Hobart and can be trivially
modified to do the TLSv1.2 bit as well.
ok inoguchi, jsing
|
|
Referred to this OpenSSL commit and adopted to the codebase.
b785504a10310cb2872270eb409b70971be5e76e
suggest and ok tb@
|
|
Fix the problem that long unbroken line of base64 text is not decoded.
Referred to this OpenSSL commit and adapted to the codebase.
3cdd1e94b1d71f2ce3002738f9506da91fe2af45
Reported by john.a.passaro <at> gmail.com to the LibreSSL ML.
ok tb@
|
|
Use a bad_record_mac alert instead.
Found with tlsfuzzer's ChaCha20 test.
ok beck inoguchi jsing
|
|
messages must terminate the connection with a decrypt_error alert, so
replace the use of the deprecated decryption_failed alert accordingly.
ok beck inoguchi jsing
|
|
ok inoguchi@ tb@
|
|
ok inoguchi@ tb@
|
|
Also consolidate it into the one place, since there is no reason to write
the epoch and sequence out later.
ok inoguchi@ tb@
|
|
comments to their correct places.
ok inoguchi@ tb@
|
|
ok inoguchi@ tb@
|
|
ok inoguchi@ tb@
|
|
ok inoguchi@ tb@
|
|
ok inoguchi@ tb@
|
|
Allow semantic lookup by manually tagging sections (.Sh) for which no
automatic tagging has been implemented; this thereby also eliminates false
positives such that ":tx509<Enter>" now jumps to the X509 section.
feedback remi inoguchi schwarze
OK tb
|
|
When empty fragments were added as a countermeasure against chosen
plaintext attacks on CBC, it was done by adding a recursive call to
do_ssl3_write(). This makes the code more complex and difficult to change.
Split the record creation code into a separate ssl3_create_record()
function, which do_ssl3_write() calls. In the case where an empty fragment
is needed, ssl3_create_record() is simply called twice, removing the need
for recursion.
ok inoguchi@ tb@
|
|
ok inoguchi jsing
|
|
ok and suggestion jmc@
|
|
There was no limitation for the length of openssl conf value.
This brings possibility of out-of-memory problem as oss-fuzz had detected.
This diff restricts the length of conf value up to 64k.
ok jsing@
|
|
|
|
Also stop using version pinned methods, instead setting the min and max
protocol versions.
Requested by inoguchi@
ok inoguchi@ tb@
|
|
It is currently possible for key_share to be NULL when a TLS client
receives a keyshare extension. However, for this to occur the client has
to be doing TLS 1.2 or earlier, which means that it was invalid for the
server to send the extension. As such, check for NULL and treat it as an
invalid extension.
Found by oss-fuzz (#20741 and #20745).
ok inoguchi@ tb@
|
|
Changed to use local variable to hold malloc address rather than directly
set to S3I(s)->tmp.x25519, and set that private_key pointer to
S3I(s)->tmp.x25519 after all the "goto err;".
Also added freezero for S3I(s)->tmp.x25519 to ssl3_free() and ssl3_clear().
ok jsing@ tb@
|
