summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* spellingjsg2021-03-1212-37/+37
|
* Remove ssl_downgrade_max_version().jsing2021-03-115-54/+15
| | | | | | | Now that we store our maximum TLS version at the start of the handshake, we can check against that directly. ok inoguchi@ tb@
* Guard TLS1_get_{client_,}version() macros with #ifndef LIBRESSL_INTERNAL.jsing2021-03-101-1/+3
| | | | These are no longer used (and should not be used) internally.
* Improve internal version handling.jsing2021-03-109-108/+145
| | | | | | | | | | | | | | | | | | Add handshake fields for our minimum TLS version, our maximum TLS version and the TLS version negotiated during the handshake. Initialise our min/max versions at the start of the handshake and leave these unchanged. The negotiated TLS version is set in the client once we receive the ServerHello and in the server at the point we select the highest shared version. Provide an ssl_effective_version() function that returns the negotiated TLS version if known, otherwise our maximum TLS version - this is effectively what is stored in s->version currently. Convert most of the internal code to use one of these three version fields, which greatly simplifies code (especially in the TLS extension handling code). ok tb@
* Change the implementation of the malloc cache to keep lists ofotto2021-03-091-152/+118
| | | | | regions of a given size. In snaps for a while, committing since no issues were reported and a wider audience is good. ok deraadt@
* LibreSSL 3.3.2bcook2021-03-071-3/+3
|
* Separate variable declaration and assignment.jsing2021-03-021-2/+4
| | | | Requested by tb@
* Replace two handrolled tls12_record_protection_engaged().jsing2021-03-021-3/+3
| | | | Noted by tb@
* Move key/IV length checks closer to usage sites.jsing2021-03-021-5/+11
| | | | | | | | | Also add explicit checks against EVP_CIPHER_iv_length() and EVP_CIPHER_key_length(). Requested by tb@ during review. ok tb@
* Add tls12_record_protection_unused() and call from CCS functions.jsing2021-03-021-8/+17
| | | | | | | | | This moves the check closer to where a leak could occur and checks all pointers in the struct. Suggested by tb@ during review. ok tb@
* Fix misleading indentation in SSL_get_error()tb2021-03-021-2/+2
|
* Move handling of cipher/hash based cipher suites into the new record layer.jsing2021-02-275-200/+141
| | | | ok tb@
* Identify DTLS based on the version major value.jsing2021-02-271-2/+2
| | | | This avoids the need to match specific DTLS version numbers.
* Set is_trusted in x509_verify_ctx_add_chain()tb2021-02-261-2/+2
| | | | | | | | If we're about to add a chain we have a trust path, so we have at least one trusted certificate. This fixes a thinko from r1.31 and fixes the openssl(1) cms verify test. ok jsing (who had the same diff)
* Fix two bugs in the legacy verifiertb2021-02-251-6/+10
| | | | | | | | | | | | | | | To integrate the new X.509 verifier, X509_verify_cert() was refactored. The code building chains in the legacy verifier was split into a separate function. The first bug is that its return value was treated as a Boolean although it wasn't. Second, the return alone is not enough to decide whether to carry on the validation or not. Slightly rearrange things to restore the behavior of the legacy verifier prior to this refactoring. Issue found and test case provided by Anton Borowka and jan. ok jan jsing
* Only use TLS versions internally (rather than both TLS and DTLS versions).jsing2021-02-259-128/+132
| | | | | | | | | | | | | | DTLS protocol version numbers are the 1's compliment of human readable TLS version numbers, which means that newer versions decrease in value and there is no direct mapping between TLS protocol version numbers and DTLS protocol version numbers. Rather than having to deal with this internally, only use TLS versions internally and map between DTLS and TLS protocol versions when necessary. Rename functions and variables to use 'tls_version' when they contain a TLS version (and never a DTLS version). ok tb@
* Rename depth to num_untrusted so it identifies what it actually represents.jsing2021-02-251-6/+6
| | | | ok tb@
* Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.jsing2021-02-251-3/+2
| | | | | | | | | In x509_verify_ctx_set_xsc_chain(), an ENOMEM case is currently passing the last certificate and depth (which is no longer actually depth) to x509_verify_cert_error(). Given we've hit an ENOMEM situation, neither of these are useful so remove both. ok tb@
* - Make use of the fact that we know how the chunks are aligned, andotto2021-02-252-49/+83
| | | | | | | | | | write 8 bytes at the time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way. - Delayed free of a small chunk checks the corresponiding way. - Pages ending up in the cache are validated upon unmapping or re-use. In snaps for a while
* Fix comment explaining last_untrusted. This should really be calledtb2021-02-241-2/+2
| | | | | | num_untrusted, but unfortunately it's public... ok jsing tobhe
* Make the new validator check for EXFLAG_CRITICALtb2021-02-241-8/+15
| | | | | | | | | | | | | | | | | | | | | | As should be obvious from the name and the comment in x509_vfy.h int last_untrusted; /* index of last untrusted cert */ last_untrusted actually counts the number of untrusted certs at the bottom of the chain. Unfortunately, an earlier fix introducing x509_verify_set_xsc_chain() assumed that last_untrusted actually meant the index of the last untrusted cert in the chain, resulting in an off-by-one, which in turn led to x509_vfy_check_chain_extension() skipping the check for the EXFLAG_CRITICAL flag. A second bug in x509_verify_set_xsc_chain() assumed that it is always called with a trusted root, which is not necessarily the case anymore. Address this with a temporary fix which will have to be revisited once we will allow chains with more than one trusted cert. Reported with a test case by tobhe. ok jsing tobhe
* Fix bizarre punctuation and capitalization in a comment.tb2021-02-221-2/+2
|
* Simplify version checks in the TLSv1.3 clienttb2021-02-221-22/+10
| | | | | | | | | | | | Ensure that the server announced TLSv1.3 (and nothing higher) in the supported_versions extension. In that case, the legacy_version must be TLSv1.2 according to RFC 8446, 4.1.3 and 4.2.1. This commit also removes some unreachable code which is a remnant of very early TLSv1.3 code from before the legacy fallback was introduced. Simplify a few checks and adjust some comments nearby. ok jsing
* Factor out/change some of the legacy client version handling code.jsing2021-02-223-12/+36
| | | | | | | This consolidates the version handling code and will make upcoming changes easier. ok tb@
* ugly whitespacetb2021-02-202-14/+14
|
* Rename f_err into fatal_err.tb2021-02-207-183/+183
| | | | discussed with jsing
* Rename the truncated label into decode_err. This describes its purposetb2021-02-202-73/+73
| | | | | | | better and doesn't look odd if there's trailing data for exapmle. Indent a few labels in the neighborhood while there. ok jsing
* Return a min/max version of zero if set to zero.jsing2021-02-203-17/+41
| | | | | | | | | | OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero if the minimum or maximum has been set to zero (which means the minimum or maximum version supported by the method). Previously we returned the minimum or maximum version supported by the method, instead of zero. Match OpenSSL's behaviour by using shadow variables. Discussed with tb@
* Add DTLSv1.2 methods.jsing2021-02-202-3/+159
| | | | | | These are currently guarded by LIBRESSL_HAS_DTLS1_2 and LIBRESSL_INTERNAL. ok tb@
* Handle DTLS1_2_VERSION in various places.jsing2021-02-203-6/+9
| | | | ok tb@
* Revise HelloVerifyRequest handling for DTLSv1.2.jsing2021-02-202-4/+14
| | | | | | | | Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always contain DTLSv1.0 - ensure this is the case on the server side, allow both DTLSv1.0 and DTLSv1.2 on the client. ok tb@
* Group HelloVerifyRequest decoding and add missing check for trailing data.jsing2021-02-201-4/+5
| | | | ok tb@
* Add various public DTLS related defines.jsing2021-02-202-2/+14
| | | | | | These are currently guarded by LIBRESSL_HAS_DTLS1_2 and LIBRESSL_INTERNAL. ok tb@
* Clean up/simplify dtls1_get_cipher().jsing2021-02-201-7/+8
| | | | ok tb@
* Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.tb2021-02-181-1/+23
| | | | | | | | | | | | | | ok inoguchi commit 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1 Author: Matt Caswell <matt@openssl.org> Date: Tue Feb 2 17:17:23 2021 +0000 Don't overflow the output length in EVP_CipherUpdate calls CVE-2021-23840 Reviewed-by: Paul Dale <pauli@openssl.org>
* Some people still argue that rand(3) and random(3) have suitable deterministicderaadt2021-02-122-4/+10
| | | | | | | | | | | use cases, so explain the situation a bit more. Since the 80's, I estimate around 5 algorithm changes, so any chosen seed is unrepeatable UB. +The deterministic sequence algorithm changed a number of times since +original development, is underspecified, and should not be relied upon to +remain consistent between platforms and over time. ok jmc kettenis
* Sync cert.pem with Mozilla NSS root CAs, except "GeoTrust Global CA", ok tb@sthen2021-02-121-659/+417
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Notably this update removes various old Symantec roots (GeoTrust, thawte, VeriSign) that were set in NSS to be distrusted on 1/1/2021. Nobody should have been using these for years; only certain subCAs signed by these were valid in NSS in that time due to an exemption: https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec Notably Apple's "Apple IST CA 2 - G1" which is still in use for some endpoints (it is cross signed by another CA too but these endpoints are publishing the GeoTrust intermediate cert). So for now I have skipped removal of "GeoTrust Global CA" to avoid affecting these sites. Debian ran into this when they updated their cert database and had to back this part out, affected sites are not reachable on Android Firefox and maybe other newer Firefoxes. Some sites that were affected have moved to a different CA in the last few days but others, notably api.push.apple.com, remain (I can only guess that there is a complicated problem involved, possibly cert pinning on old devices - the clock is ticking though as this expires in May 2022 anyway ;) Additions: /C=RO/O=CERTSIGN SA/OU=certSIGN ROOT CA G2 /C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno Root CA 2017 /C=KR/O=NAVER BUSINESS PLATFORM Corp./CN=NAVER Global Root Certification Authority /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority Removals: /C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority /C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA /C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2 /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3 /C=TW/O=Government Root Certification Authority /C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2 /C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4 /C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA
* KNFtb2021-02-111-4/+7
|
* Remove bogus DTLS checks to disable ECC and OCSP.jsing2021-02-082-10/+3
| | | | | | | ECC and OCSP can be used with DTLS, so remove bogus checks that currently prevent it. These are long lasting remnants from the original OpenSSL code. ok tb@
* Enforce read ahead with DTLS.jsing2021-02-081-5/+5
| | | | | | | DTLS is largely broken/useless without read ahead being enabled, so enforce it for DTLS. This behaviour matches both our documentation and OpenSSL. ok tb@
* Use dtls1_retrieve_buffered_record() to load buffered application data.jsing2021-02-081-11/+3
| | | | | | | Replace the current copy of dtls1_retrieve_buffered_record() with a call to it instead. ok tb@
* Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().jsing2021-02-074-22/+19
| | | | | | | | The mess that is ssl_get_algorithm2() only exists to upgrade the handshake MAC of a pre-TLSv1.2 cipher suite to SHA256 when used with TLSv1.2. We can readily do this in ssl_get_handshake_evp_md(), which is far more readable. ok tb@
* Correct handshake MAC/PRF for various TLSv1.2 cipher suites.jsing2021-02-071-8/+8
| | | | | | | | For some reason various TLSv1.2 cipher suites were added with the default handshake MAC and PRF, rather than the SHA256 handshake MAC and PRF. This gets patched up in ssl3_get_algorithm2(), hence goes unnoticed. ok tb@
* Factor out the legacy stack version checks.jsing2021-02-074-28/+24
| | | | | | | Also check for explicit version numbers, rather than just the major version value. ok tb@
* Fail early in legacy exporter if master secret is not availabletb2021-02-031-1/+6
| | | | | | | | | | | | The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) or that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard. with/ok jsing
* Add OID for draft-ietf-opsawg-finding-geofeedsjob2021-02-032-0/+2
| | | | | | | | | https://tools.ietf.org/html/draft-ietf-opsawg-finding-geofeeds describes a mechanism to authenticate RFC 8805 Geofeed data files through the RPKI. OpenSSL counterpart https://github.com/openssl/openssl/pull/14050 OK tb@ jsing@
* Add a bunch of RPKI OIDsjob2021-02-022-1/+26
| | | | | | | | | | | | | RFC6482 - A Profile for Route Origin Authorizations (ROAs) RFC6484 - Certificate Policy (CP) for the RPKI RFC6493 - The RPKI Ghostbusters Record RFC8182 - The RPKI Repository Delta Protocol (RRDP) RFC8360 - RPKI Validation Reconsidered draft-ietf-sidrops-rpki-rta - A profile for RTAs Also in OpenSSL: https://github.com/openssl/openssl/commit/d3372c2f35495d0c61ab09daf7fba3ecbbb595aa OK sthen@ tb@ jsing@
* Use "EC/RSA key setup failure" to align error with otherstb2021-02-011-3/+3
| | | | ok eric jsing
* missing word in commenttb2021-01-301-3/+3
|
* Remove direct assignment of aead_ctx.jsing2021-01-281-13/+7
| | | | | | Now that AEAD is handled internally, we should no longer be assigning aead_ctx directly, as this will result in a leak. Missed during the previous change.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 13:15:17 +0000