summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Transform two || chains into individually checked functionstb2022-07-301-8/+13
| | | | Requested by and ok jsing
* Having a perfect square at this point is not an error. Rather it istb2022-07-291-2/+2
| | | | | a shortcut bypassing expensive computation, so change goto err to goto done. Bug introduced in last refactoring before commit.
* Tweak some comments and whitespace around commentstb2022-07-291-9/+32
|
* Do not pass input length <= 0 to the cipher handlerstb2022-07-261-11/+17
| | | | | | | | | | Input length < 0 is an error and input length == 0 can result in strange effects in some ciphers, except in CCM mode, which is extra special. Based on OpenSSL 420cb707 by Matt Caswell and Richard Levitte found by & ok jsing
* fix indenttb2022-07-251-2/+2
|
* If a command or interface first appeared in PWB/UNIX, UNIX System III orjsg2022-07-252-6/+10
| | | | | | | | | | | | UNIX System V mention it. Only do so in manual pages with a pre-existing HISTORY section. Prompted by the comparison of System V and BSD commands and interfaces in Sun's "System V Enhancements Overview" document. checked against manuals on bitsavers, TUHS archive and CSRG archive CDs ok jmc@ schwarze@
* Plug leak in X509V3_add1_i2d()tb2022-07-241-2/+3
| | | | | | | | Do not leak the extension that was deleted from the stack. via OpenSSL c3efe5c9. ok jsing
* Prepare to resurrect TS_RESP_CTX_set_time_cb()tb2022-07-242-2/+14
| | | | | | | | | This was removed shortly after the fork since TS is not 2038-ready and since there were no consumers of this API. Now there are consumers and they add it themselves if it's missing from libcrypto. This will no longer be possible with opaque TS structs, so begrudgingly add it back. ok jsing kn
* Prepare to provide TS_VERIFY_CTX accessorstb2022-07-242-2/+79
| | | | | | | | | | | | | | | | | | | | | | | | The setters make no sense since they do not free the old members and return what was passed in instead of returning the old struct member so that the caller has a chance of freeing them. This has the side effect that calling a setter a second time will likely result in a leak. TS_VERIFY_CTX_set_imprint() was "fixed" upstream by adding a free() but the other three setters were missed since discussing the contributor's CLA was more important. Also missed was that adding frees will result in double frees: careful consumers like openssl/ruby have workarounds for the strange existing semantics. Add a compat #define for TS_VERIF_CTS_set_certs() that made it into the public API with a typo. A good illustration of the amount of thought and care that went into the OpenSSL 1.1 API by both the implementers and the reviewers. Amazing job overall. We will be stuck with this nonsense for a long time. ok jsing kn
* Prepare to provide various TS_STATUS_INFO accessorstb2022-07-242-2/+34
| | | | | | | | This adds TS_STATUS_get0_{failure_info,text,status}() as well as TS_STATUS_INFO_set_status(). These will be needed by Ruby and openssl(1) when we make the structs in ts.h opaque. ok kn jsing
* Align PKCS12_key_gen_uni() with OpenSSLtb2022-07-241-58/+50
| | | | | | | | This is Dr Stephen Henson's rewrite avoiding BIGNUM (OpenSSL 54c68d35). Additionally this pulls in a < vs <= fix by Pauli Dale (OpenSSL 9d868840). There is also some minor cleanup by myself. ok jsing
* Minor fixes in PKCS12_parse()tb2022-07-241-24/+23
| | | | | | | | Pull up clearing of output parameters before first return (OpenSSL 524fdd51 by Bernd Edlinger), explicit comparisons against NULL, '\0', etc. ok jsing
* Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OFtb2022-07-241-2/+2
| | | | | | OpenSSL b709babb by Richard Levitte ok jsing
* Clear key on exit in PKCS12_gen_mac()tb2022-07-241-25/+38
| | | | | | | | | Also switch to heap-allocated HMAC_CTX and clean a few things up stylistically. loosely based on OpenSSL f5cee414 by Shane Lontis ok jsing
* Plug a leak in PKCS12_setup_mac()tb2022-07-241-2/+3
| | | | | | based on OpenSSL 1b8f1937 by Dmitry Belyavskiy ok jsing
* Move cipher_id bsearch functions back to the bottom of the file.jsing2022-07-241-16/+16
|
* Set NULL BIOs for QUIC.jsing2022-07-241-1/+14
| | | | | | | | When used with QUIC, the SSL BIOs are effectively unused, however we still currently expect them to exist for status (such as SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE). Set up NULL BIOs if QUIC is in use. ok tb@
* Provide record layer callbacks for QUIC.jsing2022-07-247-16/+217
| | | | | | | | | | | | QUIC uses TLS to complete the handshake, however unlike normal TLS it does not use the TLS record layer, rather it provides its own transport. This means that we need to intercept all communication between the TLS handshake and the record layer. This allows TLS handshake message writes to be directed to QUIC, likewise for TLS handshake message reads. Alerts also need to be sent via QUIC, plus it needs to be provided with the traffic keys that are derived by TLS. ok tb@
* Move tls13_phh_done_cb() after tl13_phh_received_cb().jsing2022-07-241-12/+12
| | | | This is the order that they're called/run in.
* Provide QUIC encryption levels.jsing2022-07-246-20/+33
| | | | | | | | | | | | QUIC wants to know what "encryption level" handshake messages should be sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that defines these (of course quictls decided to make this an OSSL_ENCRYPTION_LEVEL typedef, so provide that as well). Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so that they can be used in upcoming commits. ok tb@
* Rely on tlsext_parse() to set a decode_error alerttb2022-07-241-79/+47
| | | | | | | | Instead of setting the alert manually in various parse handlers, we can make use of the fact that tlsext_parse() sets the alert to decode_error by default. This simplifies the code quite a bit. ok jsing
* Start making ts opaquetb2022-07-2410-50/+134
| | | | | | | | | Move the not yet exposed EssCertIDv2 struct internals to ts_local.h and move the ASN.1 function prototypes that we don't want to expose with them. Include ts_local.h where necessary or where it will be needed soon. ok jsing
* Fix file names in comments.tb2022-07-231-7/+7
|
* Convert TLS transcript from BUF_MEM to tls_buffer.jsing2022-07-222-29/+16
| | | | ok beck@ tb@
* Add read and write support to tls_buffer.jsing2022-07-224-13/+139
| | | | | | | | tls_buffer was original created for a specific use case, namely reading in length prefixed messages. This adds read and write support, along with a capacity limit, allowing it to be used in additional use cases. ok beck@ tb@
* Simplify tls13_server_encrypted_extensions_recvtb2022-07-221-8/+2
| | | | | | | We can rely on tlsext_client_parse() to set the alert, so no need to do this in the error path. ok jsing
* Remove redundant length checks in parse functionstb2022-07-221-21/+1
| | | | | | | | | | | The main parsing function already checks that the entire extension data was consumed, so the length checks inside some of the parse handlers are redundant. They were also not done everywhere, so this makes the parse handlers more consistent. Similar diff was sent by jsing a long while back ok jsing
* Simplify tlsext_supported_groups_server_parsetb2022-07-201-45/+31
| | | | | | | | | Add an early return in the s->internal->hit case so that we can unindent a lot of this code. In the HRR case, we do not need to check that the list of supported groups is unmodified from the first CH. The CH extension hashing already does that for us. ok jsing
* Drop some unnecessary parentheses.tb2022-07-201-3/+2
| | | | ok jsing
* Copy alpn_selected using CBStb2022-07-201-6/+7
| | | | ok jsing
* Copy alpn_client_proto_list using CBS in SSL_new()tb2022-07-201-12/+7
| | | | | | | This makes the code both shorter and safer since freeing, allocation, and copying are handled by CBS_stow() internally. ok jsing
* Validate protocols in SSL{_CTX,}_set_alpn_protos()tb2022-07-201-1/+12
| | | | | | | | | | | This wonderful API requires users to pass the protocol list in wire format. This list is then sent as part of the ClientHello. Validate it to be of the correct form. This reuses tlsext_alpn_check_format() that was split out of tlsext_alpn_server_parse(). Similar checks were introduced in OpenSSL 86a90dc7 ok jsing
* Rewrite SSL{_CTX,}_set_alpn_protos() using CBStb2022-07-201-23/+15
| | | | | | | | | This simplifies the freeing, assigning and copying of the passed protocols by replacing all that code with a pair of CBS_init() and CBS_stow(). In addition, this aligns the behavior with OpenSSL, which no longer errors on NULL proto or 0 proto_len since 86a90dc7. ok jsing
* Change various ALPN related internal struct memberstb2022-07-201-6/+6
| | | | | | | | Change alpn_client_proto_list and alpn_selected from unsigned char * to uint8_t and change alpn_client_proto_list_len to be a size_t instead of an unsigned int. ok jsing
* Factor out ALPN extension format checktb2022-07-202-14/+27
| | | | | | | | The ALPN extension must contain a non-empty list of protocol names. Split a check of this out of tlsext_alpn_server_parse() so that it can be reused elsewhere in the library. ok jsing
* Remove tls_buffer_set_data() and remove/revise callers.jsing2022-07-206-34/+14
| | | | | | | | | | | | | There is no way that tls_buffer_set_data() can currently work in conjunction with tls_buffer_expand(). This fact is currently hidden by the way that PHH works, which reads the same data from the record layer (which it needs to do anyway, since we may not have all of the handshake message in a single record). Since this is broken, mop it up and change the PHH callback to not provide the record data. ok beck@ tb@
* Correct server-side handling of TLSv1.3 key updates.jsing2022-07-201-20/+30
| | | | | | | | The existing code updates the correct secret, however then sets it for the wrong direction. Fix this, while untangling the code and consistenly using 'read' and 'write' rather than 'local' and 'peer'. ok beck@ tb@
* Disallow MD5 and SHA-1 HMACs depending on the security leveltb2022-07-191-2/+11
| | | | | | | | Ciphers using an MD5 HMAC are not allowed on security levels >= 1 and using a SHA-1 HMAC is disallowed on security levels >= 4. This disables RC4-MD5 by default. ok jsing
* Avoid unnecessary loops in BN_generate_prime_ex()tb2022-07-191-4/+6
| | | | | | | | | Since there is nothing randomized in bn_is_prime_bpsw(), the concept of rounds makes no sense. Apply a minimal change for now that avoids expensive loops that won't change the outcome in case we found a probable prime. ok jsing
* Handle X509_check_purpose(3) and EVP_get_digestbyobj(3)kn2022-07-171-2/+5
| | | | OK tb
* Add initial support for ESSCertIDv2 verificationkn2022-07-171-19/+99
| | | | | | | | | Based on OpenSSL commit f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2 "Added support for ESSCertIDv2". This makes TS validation work in the new security/libdigidocpp port. Input OK tb
* Disable TLSv1.3 middlebox compatibility mode for QUIC connections.jsing2022-07-171-2/+3
| | | | | | This is required by RFC 9001. ok tb@
* Pass SSL pointer to tls13_ctx_new().jsing2022-07-173-15/+11
| | | | | | | | struct tls13_ctx already knows about SSL's and this way tls13_ctx_new() can set up various pointers, rather than duplicating this in tls13_legacy_accept() and tls13_legacy_connect(). ok tb@
* Correct handling of QUIC transport parameters extension.jsing2022-07-171-48/+16
| | | | | | | | | | | Remove duplicate U16 length prefix, since tlsext_build() already adds this for us. Condition on SSL_is_quic() rather than TLS version - RFC 9001 is clear that this extension is only permitted on QUIC transport and an fatal unsupported extension alert is required if used elsewhere. Additionally, at the point where extensions are parsed, we do not necessarily know what TLS version has been negotiated. ok beck@ tb@
* Provide SSL_is_quic()jsing2022-07-173-5/+14
| | | | | | | | This function will allow code to know if the SSL connection is configured for use with QUIC or not. Also move existing SSL_.*quic.* functions under LIBRESSL_HAS_QUIC to prevent exposing them prematurely. ok beck@ tb@
* Correct TLSEXT_TYPE_quic_transport_parameters message types.jsing2022-07-171-2/+2
| | | | | | | Per RFC 9001, TLSEXT_TYPE_quic_transport_parameters may only appear in ClientHello and EncryptedExtensions (not ServerHello). ok beck@ tb@
* Correct value for TLSEXT_TYPE_quic_transport_parametersjsing2022-07-171-4/+6
| | | | | | | | Use the correct value for TLSEXT_TYPE_quic_transport_parameters according to RFC 9001 section 8.2. Also move the define under LIBRESSL_HAS_QUIC to avoid things finding it prematurely. ok beck@ tb@
* AESCGM -> AESGCMjsg2022-07-171-4/+4
|
* Add ESSCertIDv2 stack macroskn2022-07-161-1/+25
| | | | | | | | Copy existing ESSCertID macros and s/_ID/&_V2/g. Guard the new code under LIBRESSL_INTERNAL to defer visibility. OK tb
* Add ESSCertIDv2 ASN.1 boilerplatekn2022-07-162-2/+170
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Guard the new code under LIBRESSL_INTERNAL to defer symbol addition and minor library bump (thanks tb). ts/ts.h bits from RFC 5035 Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility ts/ts_asn1.c bits expanded from ASN1_SEQUENCE(ESS_CERT_ID_V2) = { ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR), ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING), ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL) } static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2) IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2) ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = { ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2), ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO) } static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2) IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) Feedback OK tb