summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/dsa/dsa_lib.c (unfollow)
Commit message (Collapse)AuthorFilesLines
2020-09-12If CPU does not support AES-NI, LibreSSL TLS 1.3 client prefersbluhm1-9/+18
chacha-poly over aes-gcm. Expect both fallbacks for non 1.3 ciphers.
2020-09-12Avoid an out-of-bounds access in BN_rand()tb1-3/+8
If BN_rand() is called with top > 0 and bits == 1, it would allocate a buf[] of size 1 and set the top bit of buf[1]. Found in OpenSSL commit efee575ad464bfb60bf72dcb73f9b51768f4b1a1 while looking for something else. ok beck djm inoguchi
2020-09-12Change over to use the new x509 name constraints verification.beck1-28/+7
ok jsing@
2020-09-12remove unused include that breaks regressbeck1-1/+0
2020-09-12Include machine/endian.h in gost2814789.cinoguchi1-1/+3
To pick up __STRICT_ALIGNMENT define, include machine/endian.h. No kidding... deraadt@ ok bcook@ jsing@
2020-09-11Enable cert and cipher interop tests. cert just works. cipher hasbluhm3-55/+35
been fixed to work with libressl TLS 1.3. Both libressl and openssl11 replace obsolete TLS 1.2 ciphers with AEAD-AES256-GCM-SHA384 or TLS_AES_256_GCM_SHA384 in TLS 1.3 respectively. The test expects that now. Currently GOST does not work with libressl and TLS 1.3 and is disabled.
2020-09-11Add x509_constraints.c - a new implementation of x509 name constraints, withbeck5-7/+1767
regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow on commit ok jsing@
2020-09-11Remove cipher_list_by_id.jsing7-89/+32
When parsing a cipher string, a cipher list is created, before being duplicated and sorted - the second copy being stored as cipher_list_by_id. This is done only so that a client can ensure that the cipher selected by a server is in the cipher list. This is pretty pointless given that most clients are short-lived and that we already had to iterate over the cipher list in order to build the client hello. Additionally, any update to the cipher list requires that cipher_list_by_id also be updated and kept in sync. Remove all of this and replace it with a simple linear scan - the overhead of duplicating and sorting the cipher list likely exceeds that of a simple linear scan over the cipher list (64 maximum, more typically ~9 or so). ok beck@ tb@
2020-09-11Simplify SSL_get_ciphers().jsing1-13/+7
ok beck@, tb@
2020-09-11Rename ssl_cipher_is_permitted()jsing3-10/+10
The name ssl_cipher_is_permitted() is not entirely specific - what it really means is "can this cipher be used with a given version range". Use ssl_cipher_allowed_in_version_range() to more clearly indicate this. Bikeshedded with tb@ ok tb@
2020-09-11Some SSL_AD_* defines snuck into the TLSv1.3 code - replace them withjsing2-10/+10
TLS13_ALERT_* defines. ok beck@ tb@
2020-09-11Add issuer cache, to be used by upcoming changes to validation code.beck3-1/+216
ok tb@ jsing@
2020-09-11Various ciphers related clean up.jsing1-41/+36
Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'. Remove some redundant code, unnecessary parentheses and fix some style(9). ok inoguchi@ tb@
2020-09-10Enable test-tls13-large-number-of-extensions.pytb1-2/+7
Skip sending an empty ECPF extension for now: we don't accept it since according to RFC 4492 and 8422 it needs to advertise uncompressed point formats.
2020-09-09Wrap long lines, add space in front of goto label in openssl(1) ocsp.cinoguchi1-93/+118
2020-09-09Change SSLv23_client_method to TLS_client_method openssl(1) ocspinoguchi1-2/+2
2020-09-09Remove space between pointer '*' and variable name in ocsp.cinoguchi1-39/+39
2020-09-09Convert openssl(1) ocsp option handlinginoguchi1-443/+725
input and ok tb@
2020-09-09Add option type OPTION_UL_VALUE_ORinoguchi2-2/+9
ok tb@
2020-09-09Set alpn_selected_len = 0 when alpn_selected is NULLinoguchi1-1/+4
ok jsing@ tb@
2020-09-09Import latest OPENSSL_NO_* flags from OpenSSL 1.1.1ginoguchi1-0/+8
ok tb@
2020-09-08Mention that EC_KEY_get0_public_key returns a public key.tb1-3/+5
wording from jmc
2020-09-07Garbage collect renew_ticket in tls_decrypt_tickettb1-8/+5
This is only set in one place and read in one place to set the badly named tlsext_ticket_expected flag. It seems preferable to set this flag directly, thus simplifying the logic. This slightly changes the behavior in that this flag is now set earlier, but this seems preferable anyway. Any error between the old and the new position where the flag is set is either fatal (so the connection will be closed) or a decrypt error (so the flag will be set). discussed with jsing
2020-09-06For page-sized and larger allocations do not put the pages we'reotto1-21/+18
shaving off into the cache but unamp them. Pages in the cache get re-used and then a future grow of the first allocation will be hampered. Also make realloc a no-op for small shrinkage. ok deraadt@
2020-09-04Ignore ftruncate failure with errno == EAGAINtb1-2/+5
This makes piping the OCSP response to other programs with -o - work. input and r+ guenther
2020-09-03Clean up asn1/x_info.ctb1-22/+9
Instead of using malloc(3) and manually setting part of the structure to zero, part to something else and leaving the rest uninitialized, we can benefit from the fact that there's this thing called calloc(3). Moreover, all variants of free(3) in libcrypto are NULL safe. ok beck inoguchi
2020-09-03Remove unnecessary zeroing after recallocarray(3)tb1-3/+1
Zap a memset that was redundant since OpenSSL 0.97b was merged by markus in 2003. Nowadays it's otto's recallocarray(3) that does the zeroing. ok beck inoguchi otto PS: ASN1_BIT_STRING_set_bit(3) was committed on Dec 21 1998 by Ralf S. Engelschnall and used this bizarre allocation idiom: if (a->data == NULL) c=(unsigned char *)Malloc(w+1); else c=(unsigned char *)Realloc(a->data,w+1); People complained about Malloc, Realloc and Free being used elsewhere, so on Jun 1 2000, Richarde Levitte swept the OpenSSL tree and it became this. if (a->data == NULL) c=(unsigned char *)OPENSSL_malloc(w+1); else c=(unsigned char *)OPENSSL_realloc(a->data,w+1); Then it was found that existing data should be cleaned, and on Nov 13 2002 Ben Laurie changed the last line to c=(unsigned char *)OPENSSL_realloc_clean(a->data, a->length, w+1);
2020-09-02KNF and comment tweakstb1-8/+10
2020-09-01Zero out data to avoid leaving stack garbage in the tail oftb1-1/+3
the session id in case the copied session id is shorter than SSL_MAX_SESSION_ID_LENGTH. long standing bug pointed out by jsing
2020-09-01The bumping of sess_cb_hit stats can wait until handling oftb1-4/+3
get_session_cb is completed.
2020-09-01In the explanatory comment of ssl_get_prev_session fix the spelling oftb1-5/+6
the function name, document alert and make it fit into 80 columns.
2020-09-01Split session retrieval out of ssl_get_prev_session()tb1-78/+92
In case the session ticket was empty or missing, an attempt is made to retrieve the session from the internal cache or via a callback. This code can easily be flattened a bit and factored into two functions. I decided to wrap those into a third function to make the call from the switch easier on the eye. I could have kept the try_session_cache flag, but it now seems rather pointless and awkwardly named anyway, so I took its negation and named it ticket_decrypted. To top things off, a little bit of polish in the exit path. ok beck inoguchi jsing (with the usual healthy dose of nits)
2020-09-01copy session id directly in ssl_get_prev_sessiontb3-27/+23
ssl_get_prev_session() hands the session id down to tls_decrypt_ticket() which then copies it into the session pointer that it is about to return. It's a lot simpler to retrieve the session pointer and copy the session id inside ssl_get_prev_session(). Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping a couple of long if clauses before doing so. ok inoguchi jsing
2020-09-01indent the only other label in this filetb1-2/+2
2020-09-01Indent label and remove dangling elsetb1-4/+4
2020-09-01Zap NULL check before SSL_SESSION_free()tb1-3/+2
2020-09-01Rename the session pointer ret to sesstb1-25/+25
ret is a confusing name for a pointer in a function that returns int. ret is only returned in the sense that it ultimately replaces the current s->session on success.
2020-09-01Hoist ERR_clear_error() call into the derr: labeltb1-4/+2
The only path that sets TLS1_TICKET_NOT_DECRPYTED is through this label and the ERR_clear_error() is called conditionally on this. We clear the errors to make decrypt errors non-fatal. The free functions should not set the errors and if they do, we don't want to hide that. discussed with jsing
2020-09-01simplify tls1_process_ticket() exit pathtb2-19/+7
tls1_process_ticket() - the only caller of tls_decrypt_ticket() - ends in a switch over the return value of tls_decrypt_ticket() to decide whether or not to set s->internal->tlsext_ticket_expected = 1. Since tls_decrypt_ticket() already knows what it will return and partly bases its decision on what to return on whether or not the ticket needs to be renewed, it can also take care of setting this flag. This way we don't need to have a confusing switch that conflates some return values and sets this flag. Moreover, we can get rid of the ugly TLS1_TICKET_DECRYPTED_RENEW whose only purpose is to signal that the flag should be set. ok jsing
2020-08-31Return code tweaks for session ticket handlerstb3-47/+51
In tls1_process_ticket() and tls_decrypt_ticket() use #defines with descriptive names instead of hardcoding -1 1 2 3 4 and occasionally explaining the magic numbers with comments. ok beck inoguchi
2020-08-31Send alert on ssl_get_prev_session failuretb4-20/+32
ssl_get_prev_session() can fail for various reasons some of which may be internal_error others decode_error alerts. Propagate the appropriate alert up to the caller so we can abort the handshake by sending a fatal alert instead of rudely closing the pipe. Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass. With this diff, 272 pass. The rest will require fixes elsewhere. ok beck inoguchi jsing
2020-08-30Start replacing the existing TLSv1.2 record layer.jsing7-195/+614
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire. ok inoguchi@ tb@
2020-08-29define OPENSSL_NO_SSL_TRACE in opensslfeatures.hinoguchi1-1/+1
ok jsing@ tb@
2020-08-17Fix append mode so it always writes to the end and expand regress.libressl-v3.2.1millert1-26/+77
OK deraadt@ martijn@
2020-08-17Also print a list of missing scripts in summarytb1-5/+10
2020-08-17Avoid test failures due to outdated packagestb1-1/+6
Indicate missing test scripts prominently in the result but do not count them as an error.
2020-08-15enable jsing's zero content type testtb1-1/+2
2020-08-11Send an unexpected message alert if no valid content type is found.jsing1-2/+5
When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified. ok tb@
2020-08-11Increment the epoch in the same place for both read and write.jsing1-3/+3
ok inoguchi@ tb@
2020-08-11Use 0 instead of 0x00 for memset() calls.jsing2-8/+8
ok inoguchi@ tb@