summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Next pass of bn_prime.c cleanuptb2022-11-091-39/+29
| | | | | | | Garbage collect a few pointless variables and remove a loop that wasn't really a loop. Simplify BN_CTX handling and drop some stupid comments. ok jsing miod
* Drop some dead codetb2022-11-091-136/+1
| | | | ok jsing
* Fix possible memory leak in BN_mpi2bn() if BN_bin2bn() fails.tobhe2022-11-091-3/+7
| | | | | | found with CodeChecker feedback from millert@ ok tb@
* In case lh_OBJ_NAME_insert returns NULL due to a failed malloc, onpmbuhl2022-11-081-1/+2
| | | | | | is leaked in OBJ_NAME_add. ok tb Found by CodeChecker.
* Rename out to err to conform with standard naming scheme.tobhe2022-11-081-4/+4
|
* Fix leak of pk if EVP_PKEY_set1_DSA() fails.tobhe2022-11-081-5/+9
| | | | | Found with CodeChecker ok jsing@
* Refactor/split ED25519_keypair.jsing2022-11-082-16/+24
| | | | | | This brings in ED25519_keypair_from_seed() from BoringSSL commit c034e2d3ce16, which ED25519_keypair then wraps. This reduces differences between us and BoringSSL.
* Change function argument to reduce differences with BoringSSL.jsing2022-11-081-2/+2
|
* Remove pointless loops.jsing2022-11-081-13/+1
| | | | From BoringSSL 997c706d43504.
* Avoid signed integer overflow in i2c_ASN1_BIT_STRING()tb2022-11-081-5/+9
| | | | | | | | | If the length of the bitstring is INT_MAX, adding 1 to it is undefined behavior, so error out before doing so. Based on BoringSSL eeb3333f by davidben ok beck joshua
* Add missing $OpenBSD$beck2022-11-081-0/+1
|
* Fix leak of pk if EVP_PKEY_set1_RSA() fails.tobhe2022-11-081-5/+9
| | | | | Found with CodeChecker feedback and ok tb@
* Replace the old OpenSSL julian date stuff with BoringSSL'sbeck2022-11-087-326/+289
| | | | | | | | | | | | OpenSSL dealt with time conversion using a classical julian day scheme. BoringSSL got rid of it and uses only a julian style calculation for seconds since the POSIX time epoch. This changes libressl to use the seconds calculation exculusively instead of a mix of the julian day based conversions and the system time conversions to and from time_t to tm. ok tb@ jsing@
* White space KNF, no code change:schwarze2022-11-071-15/+12
| | | | | | | - line breaking and indentation in three struct declarations - removal of trailing whitespace Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl . OK tb@
* Rewrite TLSv1.2 key exporter.jsing2022-11-075-96/+163
| | | | | | | Replace the grotty TLSv1.2 key exporter with a cleaner version that uses CBB and CBS. ok tb@
* Move tls13_exporter() code.jsing2022-11-072-72/+73
| | | | | | | It makes more sense to have tls13_exporter() in tls13_key_schedule.c, rather than tls13_lib.c ok tb@
* Document that OPENSSL_free() is required in some circumstancestb2022-11-061-2/+6
| | | | | | | | | | BoringSSL uses the common trick of storing malloc metadata in a prefix and then returning a pointer with an offset. Therefore callers must not call free() but OPENSSL_free(). Reported by dropk1ck via tobhe ok beck jsing
* Enable Ed25519 internal to libcrypto.jsing2022-11-062-15/+44
| | | | Based on a diff from tb@
* Remove useless ancient files.jsing2022-11-064-74/+0
| | | | ok beck@ tb@
* In __cxa_atexit(), there is no need to initialize local pointer beforederaadt2022-10-221-2/+2
| | | | | the lock, when it is correctly initialized after the lock ok otto millert
* Add extra NULL check after ssl3_setup_read_buffer()tb2022-10-211-2/+5
| | | | | | | | | | While ssl3_setup_read_buffer() success alone is enough to imply that the read bufer is non-NULL, several static analyzers fail to recognize that and throw fits about possible NULL accesses. CID 331010 Fix from and ok jsing
* Add EVP_chacha20_poly1305()tb2022-10-211-1/+4
| | | | | | Omission reported by jca. ok jca jsing
* Initial parsing of the NewSessionTicket messagetb2022-10-201-2/+103
| | | | | | | | | | | | | | | | | | | | TLSv1.3 introduces a New Session Ticket post-handshake handshake message that allows a unique association between a ticket value and a pre-shared key derived from the resumption master secret. Servers may send this message arbitrarily often at any time after receiving the client's Finished message. Implement tls13_new_session_ticket_recv() which parses the contents of the NewSessionTicket message into a fresh session derived from the current session so as to avoid modifying sessions that are already in the session cache. This uses tls13_new_session_ticket_recv() in tls13_phh_received_cb(). We currently rely on the general rate limiting of 100 PHH messages per connection and hour to avoid problems from connecting to a misbehaving or malicious server. ok jsing
* Provide TLS13_MAX_TICKET_LIFETIME #definetb2022-10-201-1/+8
| | | | | | | | TLSv1.3 servers must not indicate a lifetime longer than 7 days and clients must not cache sessions for longer than 7 days. Encode this in a macro internal to tls13_lib.c for now. ok jsing
* Provide ssl_session_dup()tb2022-10-202-2/+108
| | | | | | | | SSL_SESSION_dup() is a currently essentially unused public OpenSSL 1.1.1 API. Add a version that does not duplicate the secrets for internal use. If the public API should be needed, we can easily make it a wrapper. ok jsing
* Clean up resumption master secret in SSL_SESSION_free()tb2022-10-201-1/+3
| | | | ok jsing
* Extend SSL_SESSION struct for TLSv1.3 PSKtb2022-10-201-2/+4
| | | | | | | | Add members necessary to store the "ticket_age_add" value and the resumption master secret needed in the TLSv1.3 version of session resumption. ok jsing
* Annotate misuse of EVP_Digest()tb2022-10-201-1/+2
| | | | | | | | | | The session_id member of SSL_SESSION has 32 bytes for historical reasons. This precisely accommodates a SHA-256 and is currently computed using this hash. If the hash function is ever changed, this will likely overflow. This should be fixed in code. Leave it at an XXX comment for now. Pointed out by jsing
* Store errors that result from leaf certificate verification.jsing2022-10-171-8/+12
| | | | | | | | | | | | | | | In the case that a verification callback is installed that tells the verifier to continue when a certificate is invalid (e.g. expired), any error resulting from the leaf certificate verification is not stored and made available post verification, resulting in an incorrect error being returned. Also perform leaf certificate verification prior to adding the chain, which avoids a potential memory leak (as noted by tb@). Issue reported by Ilya Shipitsin, who encountered haproxy regress failures. ok tb@
* Avoid potential divide by zero in BIO_dump_indent_cb()jsing2022-10-171-8/+7
| | | | | | | | | | | | | Passing an indent value of 67 results in DUMP_WIDTH_LESS_IDENT returning a value of zero, which is promptly used for division. Likewise, passing a value larger than 67 results in a negative value being returned. Prevent this by limiting indent to 64 (which matches OpenSSL's current behaviour), as well as ensuring that dump_width is > 0. Should fix oss-fuzz #52464 and #52467. ok miod@ tb@
* Unbreak ASN.1 indefinite length encoding.jsing2022-10-171-4/+4
| | | | | | | | | | | In r1.25 of tasn_enc.c a check was added to ensure that asn1_ex_i2c() returned the same value on both calls, however in the ndef case the len variable gets changed between calls. Keep a copy of the original value to test against. Issue reported by niklas, who encountered a test failure in rust-openssl. ok miod@ tb@
* Error out if the out secret wasn't properly initializedtb2022-10-141-2/+6
| | | | | | | | Calling HKDF_expand() with a length of 0 happens to succeed due to a quirk in the API inherited from BoringSSL. This hides caller-side errors during development. Error out to catch such mistakes early on. ok jsing
* put the malloc_readonly struct into the "openbsd.mutable" section, soderaadt2022-10-141-2/+3
| | | | | that the kernel and ld.so will know not to mark it immutable. malloc handles the read/write transitions by itself.
* Fix path of mentioned regress testtb2022-10-111-2/+2
|
* unwrap two lines for readabilitytb2022-10-051-5/+3
|
* Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.jsing2022-10-0226-1237/+1220
| | | | | | | | These are no longer necessary due to SSL_CTX and SSL now being fully opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back into SSL. Prompted by tb@
* Move handshake message handling functions from ssl_both.c to client/server.jsing2022-10-014-225/+342
| | | | | | | | | | | | | | | Currently, ssl_both.c contains several functions that are used by both the legacy client and legacy server. This interwines the client and server, making it harder to make progressive changes. While it does deduplicate some code, it also ends up with code that is conditioned on s->server and forces the caller to pass in SSL3_ST_* values. Move these functions from ssl_both.c into ssl_clnt.c and ssl_srvr.c, renaming as appropriate and removing the s->server conditionals. Also move the client and server function prototypes from ssl_locl.h into the .c files, making them static in the process. ok tb@
* use Fn rather than Nm for swab(); from josiah frentsosjmc2022-09-281-6/+6
|
* Remove PKCS12_MAKE_{,SH}KEYBAG from Symbols.listtb2022-09-191-2/+0
| | | | | | | | | | | | | | These functions were renamed in the last bump #define PKCS12_MAKE_KEYBAG PKCS12_SAFEBAG_create0_p8inf #define PKCS12_MAKE_SHKEYBAG PKCS12_SAFEBAG_create_pkcs8_encrypt They don't appear in the compiled library itself, so no further bump required. Fixes libressl-portable/portable#791 Found the hard way by vollkommenheit ok deraadt jsing
* Allow TLSv1.3 clients to send CCS without middlebox compatibility mode.jsing2022-09-171-4/+2
| | | | | | | | | | | | | | | | | While RFC 8446 is clear about what legacy session identifiers can be sent by a TLSv1.3 client and how middlebox compatibility mode is requested, it is delightfully vague about the circumstances under which a client is permitted to send CCS messages. While it does not make sense for a client to send CCS messages when they are not requesting middlebox compatibility mode, it is not strictly forbidden by the RFC and at least one (unknown) TLSv1.3 stack has been observed to do this in the wild. Revert part of the previous change and allow clients to send CCS messages, even if they are not requesting middlebox compatibility mode. Found the hard way by florian@ ok tb@
* Link to SSL_read_early_data(3)kn2022-09-171-3/+3
| | | | OK tb
* Add OID for RPKI signedTAL objectsjob2022-09-152-0/+2
| | | | | | | | | IANA made a permanent registration in the SMI Security for S/MIME CMS Content Type registry at https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1 for signed objects conforming to draft-ietf-sidrops-signed-tal. OK tb@
* Use LONG_MAX as the limit for ciphers with long based APIs.jsing2022-09-156-169/+120
| | | | | | | | | | | These ciphers have long based APIs, while EVP has a size_t based API. The intent of these loops is to handle sizes that are bigger than LONG_MAX. Rather than using the rather crazy EVP_MAXCHUNK construct, use LONG_MAX rounded down to a large block size, ensuring that it is a block size multiple. Revert the recently added overflow checks now that this is handled more appropriately. ok tb@
* Stop pretending that EVP_CIPHER cleanup can fail.jsing2022-09-134-14/+15
| | | | | | | Now that EVP_CIPHER is opaque, stop pretending that EVP_CIPHER cleanup can fail. ok tb@
* zap extra .Pptb2022-09-121-2/+1
|
* Stop documenting i2c_ASN1_INTEGER.tb2022-09-122-48/+4
| | | | | This is no longer public API. Also remove some comments about i2c and c2i functions being intentionally undocumented since they are no longer public.
* Enforce the minimum TLS version requirement for QUIC.jsing2022-09-111-1/+9
| | | | ok tb@
* bump major after libcrypto and libssl major bumptb2022-09-111-2/+2
|
* Crank major after symbol addition and libcrypto major bumptb2022-09-111-2/+2
|
* Update Symbols.listtb2022-09-111-0/+11
| | | | ok jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-03 10:46:49 +0000