| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.
Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).
ok beck@ tb@
|
| |
|
|
| |
ok beck@, tb@
|
| |
|
|
|
|
|
|
|
|
| |
The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.
Bikeshedded with tb@
ok tb@
|
| |
|
|
|
|
| |
TLS13_ALERT_* defines.
ok beck@ tb@
|
| |
|
|
| |
ok tb@ jsing@
|
| |
|
|
|
|
|
| |
Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).
ok inoguchi@ tb@
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
wording from jmc
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is only set in one place and read in one place to set the badly
named tlsext_ticket_expected flag. It seems preferable to set this
flag directly, thus simplifying the logic. This slightly changes the
behavior in that this flag is now set earlier, but this seems preferable
anyway. Any error between the old and the new position where the flag
is set is either fatal (so the connection will be closed) or a decrypt
error (so the flag will be set).
discussed with jsing
|
| |
|
|
|
|
|
| |
shaving off into the cache but unamp them. Pages in the cache get
re-used and then a future grow of the first allocation will be
hampered. Also make realloc a no-op for small shrinkage.
ok deraadt@
|
| |
|
|
|
|
|
|
|
|
| |
Instead of using malloc(3) and manually setting part of the structure to
zero, part to something else and leaving the rest uninitialized, we can
benefit from the fact that there's this thing called calloc(3).
Moreover, all variants of free(3) in libcrypto are NULL safe.
ok beck inoguchi
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Zap a memset that was redundant since OpenSSL 0.97b was merged by
markus in 2003. Nowadays it's otto's recallocarray(3) that does the
zeroing.
ok beck inoguchi otto
PS: ASN1_BIT_STRING_set_bit(3) was committed on Dec 21 1998 by Ralf S.
Engelschnall and used this bizarre allocation idiom:
if (a->data == NULL)
c=(unsigned char *)Malloc(w+1);
else
c=(unsigned char *)Realloc(a->data,w+1);
People complained about Malloc, Realloc and Free being used elsewhere, so
on Jun 1 2000, Richarde Levitte swept the OpenSSL tree and it became this.
if (a->data == NULL)
c=(unsigned char *)OPENSSL_malloc(w+1);
else
c=(unsigned char *)OPENSSL_realloc(a->data,w+1);
Then it was found that existing data should be cleaned, and on Nov 13 2002
Ben Laurie changed the last line to
c=(unsigned char *)OPENSSL_realloc_clean(a->data,
a->length,
w+1);
|
| | |
|
| |
|
|
|
|
|
| |
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.
long standing bug pointed out by jsing
|
| |
|
|
| |
get_session_cb is completed.
|
| |
|
|
| |
the function name, document alert and make it fit into 80 columns.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.
I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.
To top things off, a little bit of polish in the exit path.
ok beck inoguchi jsing (with the usual healthy dose of nits)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().
Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.
ok inoguchi jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.
|
| |
|
|
|
|
|
|
|
| |
The only path that sets TLS1_TICKET_NOT_DECRPYTED is through this label
and the ERR_clear_error() is called conditionally on this. We clear the
errors to make decrypt errors non-fatal. The free functions should not
set the errors and if they do, we don't want to hide that.
discussed with jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tls1_process_ticket() - the only caller of tls_decrypt_ticket() - ends
in a switch over the return value of tls_decrypt_ticket() to decide
whether or not to set s->internal->tlsext_ticket_expected = 1.
Since tls_decrypt_ticket() already knows what it will return and
partly bases its decision on what to return on whether or not the
ticket needs to be renewed, it can also take care of setting this flag.
This way we don't need to have a confusing switch that conflates some
return values and sets this flag. Moreover, we can get rid of the ugly
TLS1_TICKET_DECRYPTED_RENEW whose only purpose is to signal that the
flag should be set.
ok jsing
|
| |
|
|
|
|
|
|
| |
In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.
ok beck inoguchi
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.
Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
| |
This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
| |
When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.
ok tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
The error path does the same as the currently duplicated code.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.
ok inoguchi jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A certain VPN provider appears to have configured their servers to only
accept P-521 for TLSv1.3 key exchange. The particular VPN software in use
also does not currently allow for the TLSv1.3 key share groups to be
configured, which means that there is no way to easily use LibreSSL in
this situation.
Include P-521 in the list of curves that are supported by default in the
client, in order to increase interoperability.
Discussed at length with beck@, inoguchi@ and tb@.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previously we used CBB to build the record headers, but not the entire
record. Use CBB_init_fixed() upfront, then build the record header and
add space for the record content. However, in order to do this we need
to determine the length of the record upfront.
This simplifies the code, removes a number of manual bounds checks and
makes way for further improvements.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
Triggered by jmc@ apparently misunderstanding the intention of the
text and fixing a grammatical error in a way that wasn't ideal,
so i guess he wouldn't have been the only one to find the previous
version hard to understand.
OK jmc@
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
|
|
|
|
| |
A client should only send a status_request as part of the CH.
Pointed out by Michael Forney
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
| |
The current code might cause a client to send a status_request
containing a CertificateStatusRequest with its certificate. This
makes no sense.
Pointed out by Michael Forney
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to RFC 8446, 4.4.2.1, a server may request that a client
present an OCSP response with its certificate by sending an empty
status_request extension as part of the certificate request. The
current code expects a full CertificateStatus structure, which is
only sent if the server sends an OCSP response with its certificate.
This causes interoperability issues with Go's TLS server and with
newer GnuTLS where we would abort the handshake with a decode_error
alert and length mismatch error.
Issue reported and diagnosed by Michael Forney
Problem also found by Mikolaj Kucharski and inoguchi.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
| |
The write path can return a failure in the AEAD path and there is no reason
not to check a return value.
Spotted by tb@ during another review.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
- Make the DTLS code much more consistent with the ssl3 code.
- Avoid assigning wr->input and wr->length just so they can be used as
arguments to memcpy().
- Remove the arc4random_buf() call for the explicit IV, since tls1_enc()
already does this for us.
ok tb@
|
| |
|
|
|
|
| |
ssl3_create_record().
ok tb@
|
| |
|
|
|
|
| |
ourselves.
Spotted by tb@ during a previous review.
|
| |
|
|
|
|
|
|
|
|
|
| |
This will allow for further changes to be made with less complexity and
easier review.
In particular, decide if we need an empty fragment early on and only do
the alignment calculation once (rather than in two separate parts of the
function.
ok tb@ inoguchi@
|
