| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator
This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When BIO returns a failure, it does not always add an error to the error
stack. In the case of the legacy stack, this was generally handled by the
guesswork performed by SSL_get_error(). However, in the case of the new
stack we push an 'unknown' error onto the stack.
Improve this situation by specifically checking errno in the case of a
BIO_read() or BIO_write() failure. If the error stack is empty then push
a SYSerror() with the errno which is preferable to the 'unknown' error
later.
Noted by bluhm@ via syslogd regress.
ok beck@ tb@
|
| |
|
|
|
|
| |
The curve_id is a uint16, not an int.
ok beck jsing
|
| |
|
|
|
|
|
| |
Use more descriptive variable names, explain why NID_undef is fine
and simplify the logic.
ok beck jsing
|
| |
|
|
| |
figure out whether top > 0 or top == 0.
|
| |
|
|
|
|
|
|
|
|
| |
If BN_rand() is called with top > 0 and bits == 1, it would allocate
a buf[] of size 1 and set the top bit of buf[1].
Found in OpenSSL commit efee575ad464bfb60bf72dcb73f9b51768f4b1a1 while
looking for something else.
ok beck djm inoguchi
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
| |
To pick up __STRICT_ALIGNMENT define, include machine/endian.h.
No kidding... deraadt@
ok bcook@ jsing@
|
| |
|
|
|
|
|
| |
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.
Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).
ok beck@ tb@
|
| |
|
|
| |
ok beck@, tb@
|
| |
|
|
|
|
|
|
|
|
| |
The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.
Bikeshedded with tb@
ok tb@
|
| |
|
|
|
|
| |
TLS13_ALERT_* defines.
ok beck@ tb@
|
| |
|
|
| |
ok tb@ jsing@
|
| |
|
|
|
|
|
| |
Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).
ok inoguchi@ tb@
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
wording from jmc
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is only set in one place and read in one place to set the badly
named tlsext_ticket_expected flag. It seems preferable to set this
flag directly, thus simplifying the logic. This slightly changes the
behavior in that this flag is now set earlier, but this seems preferable
anyway. Any error between the old and the new position where the flag
is set is either fatal (so the connection will be closed) or a decrypt
error (so the flag will be set).
discussed with jsing
|
| |
|
|
|
|
|
| |
shaving off into the cache but unamp them. Pages in the cache get
re-used and then a future grow of the first allocation will be
hampered. Also make realloc a no-op for small shrinkage.
ok deraadt@
|
| |
|
|
|
|
|
|
|
|
| |
Instead of using malloc(3) and manually setting part of the structure to
zero, part to something else and leaving the rest uninitialized, we can
benefit from the fact that there's this thing called calloc(3).
Moreover, all variants of free(3) in libcrypto are NULL safe.
ok beck inoguchi
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Zap a memset that was redundant since OpenSSL 0.97b was merged by
markus in 2003. Nowadays it's otto's recallocarray(3) that does the
zeroing.
ok beck inoguchi otto
PS: ASN1_BIT_STRING_set_bit(3) was committed on Dec 21 1998 by Ralf S.
Engelschnall and used this bizarre allocation idiom:
if (a->data == NULL)
c=(unsigned char *)Malloc(w+1);
else
c=(unsigned char *)Realloc(a->data,w+1);
People complained about Malloc, Realloc and Free being used elsewhere, so
on Jun 1 2000, Richarde Levitte swept the OpenSSL tree and it became this.
if (a->data == NULL)
c=(unsigned char *)OPENSSL_malloc(w+1);
else
c=(unsigned char *)OPENSSL_realloc(a->data,w+1);
Then it was found that existing data should be cleaned, and on Nov 13 2002
Ben Laurie changed the last line to
c=(unsigned char *)OPENSSL_realloc_clean(a->data,
a->length,
w+1);
|
| | |
|
| |
|
|
|
|
|
| |
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.
long standing bug pointed out by jsing
|
| |
|
|
| |
get_session_cb is completed.
|
| |
|
|
| |
the function name, document alert and make it fit into 80 columns.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.
I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.
To top things off, a little bit of polish in the exit path.
ok beck inoguchi jsing (with the usual healthy dose of nits)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().
Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.
ok inoguchi jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.
|
| |
|
|
|
|
|
|
|
| |
The only path that sets TLS1_TICKET_NOT_DECRPYTED is through this label
and the ERR_clear_error() is called conditionally on this. We clear the
errors to make decrypt errors non-fatal. The free functions should not
set the errors and if they do, we don't want to hide that.
discussed with jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tls1_process_ticket() - the only caller of tls_decrypt_ticket() - ends
in a switch over the return value of tls_decrypt_ticket() to decide
whether or not to set s->internal->tlsext_ticket_expected = 1.
Since tls_decrypt_ticket() already knows what it will return and
partly bases its decision on what to return on whether or not the
ticket needs to be renewed, it can also take care of setting this flag.
This way we don't need to have a confusing switch that conflates some
return values and sets this flag. Moreover, we can get rid of the ugly
TLS1_TICKET_DECRYPTED_RENEW whose only purpose is to signal that the
flag should be set.
ok jsing
|
| |
|
|
|
|
|
|
| |
In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.
ok beck inoguchi
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.
Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
| |
This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
| |
When record protection is engaged, the plaintext must be followed by a
non-zero content type and optional zero padding. If the plaintext is zero
length or only consists of zero bytes then it is not a valid message,
since the content type is unspecified.
ok tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
The error path does the same as the currently duplicated code.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.
ok inoguchi jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A certain VPN provider appears to have configured their servers to only
accept P-521 for TLSv1.3 key exchange. The particular VPN software in use
also does not currently allow for the TLSv1.3 key share groups to be
configured, which means that there is no way to easily use LibreSSL in
this situation.
Include P-521 in the list of curves that are supported by default in the
client, in order to increase interoperability.
Discussed at length with beck@, inoguchi@ and tb@.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previously we used CBB to build the record headers, but not the entire
record. Use CBB_init_fixed() upfront, then build the record header and
add space for the record content. However, in order to do this we need
to determine the length of the record upfront.
This simplifies the code, removes a number of manual bounds checks and
makes way for further improvements.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
Triggered by jmc@ apparently misunderstanding the intention of the
text and fixing a grammatical error in a way that wasn't ideal,
so i guess he wouldn't have been the only one to find the previous
version hard to understand.
OK jmc@
|
