| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
because it is documented in the separate tls_client(3) manual page
|
| | |
|
| |
|
|
|
|
|
|
| |
With this change any requests from configurations to request
versions of tls before tls 1.2 will use tls 1.2. This prepares
us to deprecate tls 1.0 and tls 1.1 support from libssl.
ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
... because RSA_meth_new() doesn't. So we can fortunately lose a few lines
added in the previous commit. Three cheers for the masters of inconsistency.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, we would set the ECDSA_METHOD on the EC_KEY, which, by way
of lovely indirection in our three crypto/ec* directories ended up having
no effect on the default methods. Now that we set a new EC_KEY_METHOD, we
need to make sure we still have the other handlers that we might need.
Like so many things that were made opaque in the 1.1 re"design", the
accessors were written without actual application code in mind. In
particular, EC_KEY_METHOD lacks a dup(). This means we get to fetch the
default methods with getters and then set them again on the new method.
This is particularly awesome because once someone adds a new method to
the opaque struct, all applications will have to adapt and do a get/set
dance.
So far this is very reminiscent of PostgreSQL with BIO_meth_*
https://github.com/postgres/postgres/blob/a14e75eb0b6a73821e0d66c0d407372ec8376105/src/interfaces/libpq/fe-secure-openssl.c#L1921-L1928
Only it's worse here because someone wanted to be smart and save a few
public functions, so we have to use getters that get several functions
at once. Which in turn means we need to have function pointers with the
precise signatures which are part of the struct that was made opaque.
We will add a EC_KEY_METHOD_dup() in the next bump, but for now this is
the best fix we can have.
Whenever you think you've seen the worst turds in this code base, you find
another one that could serve as an exemplar.
ok jsing op
|
| |
|
|
|
|
|
| |
Since libtls now sets the ex_data with EC_KEY_set_ex_data(), the do_sign()
callback needs to have a matching change.
ok jsing op
|
| |
|
|
|
|
|
|
|
|
|
| |
smtpd and the bits it needs in libtls are the only consumer left of
ECDSA_METHOD, which is long deprecated. This paves the way for the
removal in libcrypto.
The diff is from gilles' work on OpenSMTPD-portable, libretls had a
similar diff.
ok tb@, jsing@
|
| |
|
|
|
|
|
| |
Default to having rv = -1 and explicitly goto done to set rv = 0.
This matches other code better.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
X509_get_ext_d2i() (or rather X509V3_get_d2i()) can return NULL for
various reasons. If it fails because the extension wasn't found, it
sets *crit = -1. In any other case, e.g., the cert is bad or we ran
out of memory in X509V3_EXT_d2i(), crit is set to something else, so
we should actually error.
ok jsing
|
| |
|
|
|
|
| |
And some comment requests, from jsing@
ok jsing@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
X509_NAME_get_text_by_NID is kind of a bad interface that
we wish to make safer, and does not give us the visibility
we really want here to detect hostile things.
Instead call the lower level functions to do some better
checking that should be done by X509_NAME_get_text_by_NID,
but is not in the OpenSSL version. Specifically we will treat
the input as hostile and fail if:
1) The certificate contains more than one CN in the subject.
2) The CN does not decode as UTF-8
3) The CN is of invalid length (must be between 1 and 64 bytes)
4) The CN contains a 0 byte
4) matches the existing logic, 1 and 2, and 3 are new checks.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To aid privilege separation, libtls maintains application-specific data
on the key inside the EVP_PKEY abstraction because the EVP API doesn't
provide a way to do that on the EVP_PKEY itself.
OpenSSL 3 changed behavior of EVP_PKEY_get1_RSA() and related functions.
These now return a struct from some cache. Thus, modifying the RSA will
no longer modify the EVP_PKEY like it did previously, which was clearly
implied to be the case in the older documentation.
This is a subtle breaking change that affects several applications.
While this is documented, no real solution is provided. The transition
plan from one OpenSSL major version to the next one tends to involve
many #ifdef in the ecosystem, and the only suggestion provided by the
new documentation is to switch to a completely unrelated, new API.
Instead, forcibly reset the internal key on EVP_PKEY after modification,
this way the change is picked up also by OpenSSL 3.
Fixes issue 1171 in OpenSMTPD-portable
ok tb@, jsing@
|
| | |
|
| |
|
|
|
|
| |
The previous commit resulted in misalignment, which impacts my OCD worse
than no alignment at all. Alignment wasn't consistently done in this file
anyway. op tells me it won't affect current efforts in reducing the diff.
|
| |
|
|
|
|
|
|
|
| |
and while here mark as const data.
This diff is actually from gilles@, in OpenSMTPD-portable bundled
libtls.
ok tb@, jsing@
|
| |
|
|
| |
ok jsing (a very long time ago)
|
| |
|
|
|
|
|
|
| |
A calloc failure should be a fatal error, so make it return -1.
Also switch the default rv to -1 and distinguish error cases with
acceptable situations with goto err/goto done.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The TLS signer isn't exposed in public API (we should finally fix it...)
and it supports X9.31, a standard that has been retired and deprecated for
a very long time. libcrypto will stop supporting it soon, this step is
needed to prepare userland.
ok jsing
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
should not be used. It will be revisited after release.
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
| |
X509_STORE_add_crl() does not take ownership of the CRL, it bumps its
refcount. So nulling out the CRL from the stack will leak it.
Issue reported by KS Sreeram, thanks!
ok jsing
|
| |
|
|
|
|
|
|
| |
Rather than leaking libcrypto defines through the tls_sign_cb and
tls_signer_sign() interfaces, provide and use our own TLS_PADDING_*
defines.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current design of tls_sign_cb provides a pointer to a buffer where the
signature needs to be copied, however it fails to provide a length which
could result in buffer overwrites. Furthermore, tls_signer_sign() is
designed such that it allocates and returns ownership to the caller.
Revise tls_sign_cb so that the called function is expected to allocate a
buffer, returning ownership of the buffer (along with its length) to the
caller of the callback. This makes it far easier (and safer) to implement
a tls_sign_cb callback, plus tls_signer_sign can be directly plugged in
(with an appropriate cast).
While here, rename and reorder some arguments - while we will normally
sign a digest, there is no requirement for this to be the case hence use
'input' and 'input_len'. Move padding (an input) before the outputs and
add some additional bounds/return value checks.
This is technically an API/ABI break that would need a libtls major bump,
however since nothing is using the signer interface (outside of regress),
we'll ride the original minor bump.
With input from tb@
ok inoguchi@ tb@
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
|
|
|
| |
Add tls_signer_error to Symbols.list - this was missed during the last
libtls minor bump and can ride along.
ok deraadt@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
to implement.
Add a tls_config_set_sign_cb() function that allows to register
a callback for the signing operation on a tls_config. When used,
the context installs fake pivate keys internally, and the callback
receives the hash of the public key.
Add a tls_signer_*() set of functions to manage tls_signer objects.
A tls_signer is an opaque structure on which keys are added.
It is used to compute signatures with private keys identified by
their associated public key hash.
Discussed with and ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
EVP_EncryptInit_ex, EVP_DecryptInit_ex and HMAC_Init_ex are possible to
fail and return error.
Error from these functions will be fatal for the callback, and I choose to
return -1.
SSL_CTX_set_tlsext_ticket_key_cb.3 explains the return value of callback.
This also could fix Coverity CID 345319.
ok jsing@ tb@
|
| |
|
|
| |
and Symbol addition and removal in libcrypto.
|
| |
|
|
| |
joint with jsing
|
| | |
|
| |
|
|
| |
addition.
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
This reduces the number of reacharounds into libcrypto internals.
ok jsing
|
| |
|
|
|
|
| |
reality while there.
ok jsing
|
| |
|
|
|
|
| |
Prompted by a diff by Jonas Termansen, discussed with deraadt, millert
ok jsing
|
| |
|
|
| |
ok jsing
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tls_config_set_*_file(3) do not just set the file paths like
tls_config_set_*_path(3) do, they do load the given file(s) into memory
directly using tls_config_load_file().
This distinction is important because it means a later tls_connect(3)
will not do any file I/O (at least wrt. those files), which is relevant when
for example pleding without "[rwc]path" after loading files into memory and
before doing tls_connect(3).
The manual's current wording made me use the following due to above way of
pledging a program:
tls_load_file()
tls_config_set_ca_mem()
tls_unload_file()
While in fact a single tls_config_set_ca_file() call does the same.
tls_config.c r1.26 (Aug 2016) change the code but forgot to amend the manual
as noted by tb, thanks.
Feedback OK tb
|
