| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
As abieber@ found the hard way, some python frameworks (twisted, synapse)
thought it a great idea to use the info callback mechanism (designed to
get state information about SSL objects) to modify state information such
as setting and verifying the SNI. The switch of TLS_method() to default
to TLSv1.3 broke these contraptions. Further bits of the info callback
mechanism will likely metastasize throughout the TLSv1.3 stack if we
need them, so we only do what's really necessary now.
Lots of debugging, crucial hint and testing by abieber
input & ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Both Perl's HTTP::Tiny and IO::Socket::SSL know about SSL_MODE_AUTO_RETRY
and try to work around the fact that OpenSSL enabled it by default.
However, this can lead to the mode being disabled prior to the TLSv1.3
handshake and then enabled after the handshake has completed.
In order to handle this correctly we have to check the mode and inform the
record layer prior to every read.
Issue reported and test case provided by Nathanael Rensen
<nathanael@polymorpheus.com>.
ok inoguchi@ tb@
|
| |
|
|
|
| |
that change nothing whatsoever, except making the code harder to read;
OK tb@
|
| | |
|
| |
|
|
| |
OK tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
use-after-free and double-free issues in calling programs.
The bug was introduced in SSLeay-0.6.0 released on June 21, 1996
and has been present since OpenBSD 2.4.
I found the bug while documenting the function.
The bug could bite in two ways that looked quite different from the
perspective of the calling code:
* If a stack was passed in that already contained some X509_INFO
objects and an error occurred, all the objects passed in would be
freed, but without removing the freed pointers from the stack,
so the calling code would probable continue to access the freed
pointers and eventually free them a second time.
* If the input BIO contained at least two valid PEM objects followed by
at least one PEM object causing an error, at least one freed pointer
would be put onto the stack, even though the function would return NULL
rather than the stack. But the calling code would still have a pointer
to the stack, so it would be likely to access the new bogus pointers
sooner or later.
Fix all this by remembering the size of the input stack on entry
and cutting it back to exactly that size when exiting due to an
error, but no further.
While here, do some related cleanup:
* Garbage collect the automatic variables "error" and "i"
which were only used at one single place each.
* Use NULL rather than 0 for pointers.
I like bugfixes that make the code four lines shorter, reduce the
number of variables by one, reduce the number of brace-blocks by
one, reduce the number if if-statements by one, and reduce the
number of else-clauses by one.
Tweaks and OK tb@.
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
This is no longer necessary since the TLS_method() now supports TLSv1.3.
Reverts r1.211 of ssl_lib.c.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
| |
ssl_version is completely unused and get_timeout is the same everywhere.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
| |
This can be done now that we have both TLSv1.3 client and server.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This diff exposes parts of clock_gettime(2) and gettimeofday(2) to
userland via libc eliberating processes from the need for a context
switch everytime they want to count the passage of time.
If a timecounter clock can be exposed to userland than it needs to set
its tc_user member to a non-zero value. Tested with one or multiple
counters per architecture.
The timing data is shared through a pointer found in the new ELF
auxiliary vector AUX_openbsd_timekeep containing timehands information
that is frequently updated by the kernel.
Timing differences between the last kernel update and the current time
are adjusted in userland by the tc_get_timecount() function inside the
MD usertc.c file.
This permits a much more responsive environment, quite visible in
browsers, office programs and gaming (apparently one is are able to fly
in Minecraft now).
Tested by robert@, sthen@, naddy@, kmos@, phessler@, and many others!
OK from at least kettenis@, cheloha@, naddy@, sthen@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some TLS extensions need to be treated differently depending on the
handshake message they appear in. Over time, various workarounds and
hacks were used to deal with the unavailability of the message type
in these functions, but this is getting fragile and unwieldy. Having
the message type available will enable us to clean this code up and
will allow simple fixes for a number of bugs in our handling of the
status_request extension reported by Michael Forney.
This approach was suggested a while ago by jsing.
ok beck jsing
|
| |
|
|
|
|
|
|
| |
Move is_server and msg_type right after the SSL object so that CBS
and CBB and alert come last. This brings these functions more in
line with other internal functions and separates state from data.
requested by jsing
|
| | |
|
| |
|
|
|
| |
hooked up and the lack of a bn_mul_mont_int implementation results in
undefined references.
|
| | |
|
| |
|
|
| |
to match the order they are listed in the RFC. No functional change.
|
| |
|
|
| |
just commit this kettenis@
|
| |
|
|
|
|
|
|
| |
and EVP_PKEY_id(3), then describe the "type" parameters of
various functions more precisely referencing that information.
In particular, document X509_get_signature_type(3) which was
so far missing.
OK tb@
|
| |
|
|
| |
and for flagging which pages to check;
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When first called, queue and send a close notify, before returning 0 or 1
to indicate if a close notify has already been received from the peer. If
called again only attempt to read a close notify if there is no pending
application data and only read one record from the wire. In particular,
this avoids continuing to read application data where the peer continues
to send application data.
Issue noted by naddy@ with ftp(1).
ok jca@ tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
|
|
|
|
|
|
| |
still widely used according to code searches on the web, so people
reading existing code will occasionally want to look them up.
While here, correct the return type of X509_CRL_get0_lastUpdate(3)
and X509_CRL_get0_nextUpdate(3), which return const pointers.
Also, add some precision regarding RETURN VALUES.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RFC 8446 section 9.2 imposes some requirements on the extensions sent
in the ClientHello: key_share and supported_groups must either both be
present or both be absent. If no pre_shared_key was sent, the CH must
contain both signature_algorithms and supported_groups. If either of
these conditions is violated, servers must abort the handshake with a
missing_extensions alert. Add a function that enforces this. If we are
going to enforce that clients send an SNI, we can also do this in this
function.
Fixes failing test case in tlsfuzzer's test-tls13-keyshare-omitted.py
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
missed a subsequent fix for an off-by-one in that code. If the first
byte of a CBC padding of length 255 is mangled, we don't detect that.
Adam Langley's BoringSSL commit 80842bdb44855dd7f1dde64a3fa9f4e782310fc7
Fixes the failing tlsfuzzer lucky 13 test case.
ok beck inoguchi
|
| |
|
|
|
| |
and point to UI_UTIL_read_pw(3) instead;
tb@ agrees with the general direction
|
| |
|
|
|
|
| |
correct the description of X509_get_X509_PUBKEY(3),
document error handling of the read accessors,
and mention the relevant STANDARDS
|
| | |
|
| |
|
|
| |
which is still under a free license. Wording tweaked by me.
|
| |
|
|
|
|
|
| |
Add detailed information on the return values of all the functions
in this page and remove the previous incorrect information.
tweaks & ok schwarze
|
| |
|
|
|
|
|
| |
Move pem_password_cb(3) to the file PEM_read(3) and rewrite
its description from scratch for precision and conciseness.
Plus some minor improvements in the vicinity.
Tweaks and OK tb@.
|
| |
|
|
| |
amount of text, the ERRORS section, in the previous commit
|
| |
|
|
| |
tb@ agrees that it should not be part of the public API
|
| |
|
|
| |
tweaks and OK tb@
|
| |
|
|
| |
ok tb
|
| | |
|
| | |
|
| |
|
|
|
|
| |
how our tree gets built. If this was done in all the libraries (imagine
sys/dev), it would disrupt the development process hugely. So it should
not be done here either. use 'make includes' by hand instead.
|
| |
|
|
|
|
|
|
| |
section 4.1.2 to ensure subsequent ClientHello messages after a
HelloRetryRequest messages must be unchanged from the initial
ClientHello.
ok tb@ jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is necessary because ctx->cipher_data is an EVP_AES_WRAP_CTX
containing a pointer to ctx->iv. EVP_CIPHER_CTX_copy() uses memcpy
to copy cipher_data to the target struct. The result is that the
copy contains a pointer to the wrong struct, which then leads to a
use-after-free. The custom copy handler fixes things up to avoid
that.
Issue reported by Guido Vranken
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
IANA has allocated numbers for GOST ClientCertificateType. Use them in
addition to private values (left in place for compatibility).
Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>
Sponsored by ROSA Linux
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
GOST R 34.10-94 is an obsolete certificate type, unsupported by
LibreSSL and by the rest of current software, so there is no point in
sending in the CertificateTypes.
Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>
Sponsored by ROSA Linux
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Add missing case entry for SSL_PKEY_GOST01.
Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>
Sponsored by ROSA Linux
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
GOST cipher suites requires that CertVerify signatures be generated in a
special way (see ssl3_send_client_kex_gost(), ssl3_get_cert_verify()).
However, the GOST_SIG_FORMAT_RS_LE flag was not passed in case of TLS 1.2
connections (because they use different code path). Set this flag on
GOST PKEYs.
Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>
Sponsored by ROSA Linux
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>
Sponsored by ROSA Linux
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>
Sponsored by ROSA Linux
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>
Sponsored by ROSA Linux.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
These GOST curves are defined in RFC 7836 and draft-deremin-rfc4491-bis.
Add aliases for 256-bit GOST curves (see
draft-smyshlyaev-tls12-gost-suites) and rename the 512-bit curve ids to
follow names defined in tc26 OID registry.
Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>
Sponsored by ROSA Linux.
ok inoguchi@
|
