|  | Commit message | Author | Files | Lines |
|---|---|---|---|---|
|  | This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...
The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.
This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.
ok jsing | 
|  | ok bluhm@, inoguchi@, tb@, deraadt@ | 
|  | This test currently fails but may soon be fixed. | 
|  | Instead of blindly skipping 14 characters, we can use the return
value of snprintf() to determine how much we should skip.
From Martin Vahlensieck with minor tweaks by me | 
|  | This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@ | 
|  | Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@ | 
|  | Apply new option handling to openssl(1) x509.
To handle incremental order value, using newly added OPTION_ORDER.
I left the descriptions for -CAform, -inform, and -outform as they were,
for now. These descriptions will be fixed.
The digest option handler could also be consolidated into one shared between
some subcommands in the future.
ok and comments from tb@,
and "I'd move forward with your current plan." from jsing@ | 
|  | To handle incremental order values, added a new option type OPTION_ORDER.
openssl(1) x509 requires this option handling, since
- -CA and -signkey require setting both a filename and an incremental 'num'.
- -dates requires setting two variables in a row, startdate and enddate.
and this couldn't be solved by OPTION_FLAG_ORD.
ok tb@ and "I'd move forward with your current plan." from jsing@ | 
|  | ok inoguchi | 
|  | Reported by Ilya Shipitsin | 
|  | The CBC code path initializes rrec.padding_length in an indirect fashion
and later makes use of it for copying the MAC. This is confusing some
static analyzers as well as people investigating the whining. Avoid this
confusion and add a bit of robustness by clearing the stack variable up
front.
ok jsing | 
|  | There are currently three different handshake structs that are in use -
the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct
(as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous
'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp).
This is the first step towards cleaning up the handshake structs so that
shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2
and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside
SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct
instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code
to access the shared handshake data without needing the SSL struct.
ok inoguchi@ tb@ | 
|  | This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while
it is not currently necessary from a functionality perspective, it makes
for more readable and simpler code.
ok inoguchi@ tb@ | 
|  | This is currently needed for DTLS1_2_VERSION, however it should be used
here regardless. | 
|  | A parent CBB retains a reference to a child CBB until CBB_flush() or
CBB_cleanup() is called. As such, the cert_exts CBB must be at function
scope.
Reported by Ilya Shipitsin.
ok tb@ | 
|  | Since r1.7, input in base64_decoding_test() is allocated unconditionally,
so free it unconditionally. | 
|  | This is a test that checks for NSS's CCS flood DoS CVE-2020-25648.
The test script currently fails on LibreSSL and OpenSSL 1.1.1j because
it sends invalid records with version 0x0300 instead of 0x0303.
We have the ccs_seen logic corresponding to NSS's fix:
https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361
but we do allow up to two CCS due to an interop issue with Fizz, so
at least one of the tests will likely be broken once the record version
is fixed. | 
|  | This is the same as SSL_CTX_use_certificate_chain_file() but for an
SSL object instead of an SSL_CTX object. remi found this in a recent
librelp update, so we need to provide it. The function will be exposed
in an upcoming library bump.
ok inoguchi on an earlier version, input/ok jsing | 
|  | Found the hard way by lists y42 org via an OCSP validation failure that
in turn caused pkg_add over TLS to fail. Detailed report by sthen.
ok sthen | 
|  | getpagesize() will only return positive numbers (there is no negative
page size system) and it can not fail.
Should fix some compiler warnings seen in -portable projects.
OK otto@ | 
|  | ok inoguchi@ tb@ | 
|  | ok inoguchi@ tb@ | 
|  | This means that the DTLS_method() will now use DTLSv1.2 rather than DTLSv1.
Additional DTLSv1.2 related symbols and defines will be made publicly
visible in the near future.
ok inoguchi@ tb@ | 
|  | This teaches the version functions that handle protocol versions about
DTLSv1.2 and the SSL_OP_NO_DTLS* options. We effectively convert between
DTLS and TLS protocol versions where necessary.
ok inoguchi@ tb@ | 
|  | x509v3_cache_extensions().
ok tb@ | 
|  | suggested by jsing | 
|  | ok jsing | 
|  | x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.
Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.
cluebat/ok jsing
ok inoguchi on earlier version | 
|  | Now that we store our maximum TLS version at the start of the handshake,
we can check against that directly.
ok inoguchi@ tb@ | 
|  | instead of running pkg_add which may block due to its locking mechanism.
Precise file to check for suggested by sthen
ok kn deraadt on previous version | 
|  | These are no longer used (and should not be used) internally. | 
|  | Add handshake fields for our minimum TLS version, our maximum TLS version
and the TLS version negotiated during the handshake. Initialise our min/max
versions at the start of the handshake and leave these unchanged. The
negotiated TLS version is set in the client once we receive the ServerHello
and in the server at the point we select the highest shared version.
Provide an ssl_effective_version() function that returns the negotiated TLS
version if known, otherwise our maximum TLS version - this is effectively
what is stored in s->version currently.
Convert most of the internal code to use one of these three version fields,
which greatly simplifies code (especially in the TLS extension handling
code).
ok tb@ | 
|  | regions of a given size.  In snaps for a while, committing since
no issues were reported and a wider audience is good.  ok deraadt@ | 
|  | Requested by tb@ |