| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
ok jsing@
|
|
|
|
|
|
| |
It's entirely trivial.
ok beck
|
|
|
|
| |
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
| |
This way we deduplicate two inclusions of the same big table and eliminate
lots of stupid casts.
input and ok many
|
| |
|
|
|
|
|
|
|
| |
CBS_strdup() now internally checks if the data contains NUL, failing if it
does.
Prompted by beck@
|
|
|
|
|
|
|
| |
This is effectively the same as done for EVP_PKEY_ASN1_METHOD, although
this table only has nine entries.
ok tb@
|
|
|
|
|
|
|
|
|
|
|
| |
Rather than messing around with an OBJ_bsearch() for a table that contains
16 entries (and a stack find for any application added methods), simply do
a reverse linear scan. This maintains the application method first
behaviour, while removing a chunk of code.
While here rename some variables and do some style clean up.
ok tb@
|
| |
|
|
|
|
| |
ok tb@
|
|
|
|
|
|
|
|
|
|
|
| |
BoringSSL implemented a compound private key, which includes a copy of the
public key as a performance optimisation for signing. However, this does
not readily match with how EVP works, makes the ED25519 API inconsistent
with the X25519 API, diverges from th RFC and does not align with the
OpenSSL API. Instead, the caller can readily compute the public key and
pass this in to the signing process.
ok tb@
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead of using the BN_is_prime_fasttime_ex() API, use a direct call to
bn_is_prime_bpsw(). This increases readability and simplifies error
handling. Also put a division by two to the natural place now that we no
longer need to do Miller-Rabin rounds.
ok beck jsing
|
|
|
|
|
|
|
| |
Garbage collect a few pointless variables and remove a loop that wasn't
really a loop. Simplify BN_CTX handling and drop some stupid comments.
ok jsing miod
|
|
|
|
| |
ok jsing
|
|
|
|
|
|
| |
found with CodeChecker
feedback from millert@
ok tb@
|
|
|
|
|
|
| |
is leaked in OBJ_NAME_add.
ok tb
Found by CodeChecker.
|
| |
|
|
|
|
|
| |
Found with CodeChecker
ok jsing@
|
|
|
|
|
|
| |
This brings in ED25519_keypair_from_seed() from BoringSSL commit
c034e2d3ce16, which ED25519_keypair then wraps. This reduces differences
between us and BoringSSL.
|
| |
|
|
|
|
| |
From BoringSSL 997c706d43504.
|
|
|
|
|
|
|
|
|
| |
If the length of the bitstring is INT_MAX, adding 1 to it is undefined
behavior, so error out before doing so.
Based on BoringSSL eeb3333f by davidben
ok beck joshua
|
| |
|
|
|
|
|
| |
Found with CodeChecker
feedback and ok tb@
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL dealt with time conversion using a classical julian
day scheme. BoringSSL got rid of it and uses only a julian
style calculation for seconds since the POSIX time epoch.
This changes libressl to use the seconds calculation exculusively
instead of a mix of the julian day based conversions and the
system time conversions to and from time_t to tm.
ok tb@ jsing@
|
|
|
|
|
|
|
| |
- line breaking and indentation in three struct declarations
- removal of trailing whitespace
Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl .
OK tb@
|
|
|
|
|
|
|
| |
Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.
ok tb@
|
|
|
|
|
|
|
| |
It makes more sense to have tls13_exporter() in tls13_key_schedule.c,
rather than tls13_lib.c
ok tb@
|
|
|
|
|
|
|
|
|
|
| |
BoringSSL uses the common trick of storing malloc metadata in a prefix
and then returning a pointer with an offset. Therefore callers must not
call free() but OPENSSL_free().
Reported by dropk1ck via tobhe
ok beck jsing
|
|
|
|
| |
Based on a diff from tb@
|
|
|
|
| |
ok beck@ tb@
|
|
|
|
|
| |
the lock, when it is correctly initialized after the lock
ok otto millert
|
|
|
|
|
|
|
|
|
|
| |
While ssl3_setup_read_buffer() success alone is enough to imply that
the read bufer is non-NULL, several static analyzers fail to recognize
that and throw fits about possible NULL accesses.
CID 331010
Fix from and ok jsing
|
|
|
|
|
|
| |
Omission reported by jca.
ok jca jsing
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TLSv1.3 introduces a New Session Ticket post-handshake handshake message
that allows a unique association between a ticket value and a pre-shared
key derived from the resumption master secret. Servers may send this
message arbitrarily often at any time after receiving the client's
Finished message.
Implement tls13_new_session_ticket_recv() which parses the contents of
the NewSessionTicket message into a fresh session derived from the
current session so as to avoid modifying sessions that are already in
the session cache.
This uses tls13_new_session_ticket_recv() in tls13_phh_received_cb().
We currently rely on the general rate limiting of 100 PHH messages per
connection and hour to avoid problems from connecting to a misbehaving
or malicious server.
ok jsing
|
|
|
|
|
|
|
|
| |
TLSv1.3 servers must not indicate a lifetime longer than 7 days and
clients must not cache sessions for longer than 7 days. Encode this
in a macro internal to tls13_lib.c for now.
ok jsing
|
|
|
|
|
|
|
|
| |
SSL_SESSION_dup() is a currently essentially unused public OpenSSL 1.1.1
API. Add a version that does not duplicate the secrets for internal use.
If the public API should be needed, we can easily make it a wrapper.
ok jsing
|
|
|
|
| |
ok jsing
|
|
|
|
|
|
|
|
| |
Add members necessary to store the "ticket_age_add" value and the
resumption master secret needed in the TLSv1.3 version of session
resumption.
ok jsing
|
|
|
|
|
|
|
|
|
|
| |
The session_id member of SSL_SESSION has 32 bytes for historical
reasons. This precisely accommodates a SHA-256 and is currently
computed using this hash. If the hash function is ever changed,
this will likely overflow. This should be fixed in code. Leave
it at an XXX comment for now.
Pointed out by jsing
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the case that a verification callback is installed that tells the
verifier to continue when a certificate is invalid (e.g. expired),
any error resulting from the leaf certificate verification is not stored
and made available post verification, resulting in an incorrect error being
returned.
Also perform leaf certificate verification prior to adding the chain, which
avoids a potential memory leak (as noted by tb@).
Issue reported by Ilya Shipitsin, who encountered haproxy regress failures.
ok tb@
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Passing an indent value of 67 results in DUMP_WIDTH_LESS_IDENT returning a
value of zero, which is promptly used for division. Likewise, passing a
value larger than 67 results in a negative value being returned.
Prevent this by limiting indent to 64 (which matches OpenSSL's current
behaviour), as well as ensuring that dump_width is > 0.
Should fix oss-fuzz #52464 and #52467.
ok miod@ tb@
|
|
|
|
|
|
|
|
|
|
|
| |
In r1.25 of tasn_enc.c a check was added to ensure that asn1_ex_i2c()
returned the same value on both calls, however in the ndef case the len
variable gets changed between calls. Keep a copy of the original value to
test against.
Issue reported by niklas, who encountered a test failure in rust-openssl.
ok miod@ tb@
|
|
|
|
|
|
|
|
| |
Calling HKDF_expand() with a length of 0 happens to succeed due to a quirk
in the API inherited from BoringSSL. This hides caller-side errors during
development. Error out to catch such mistakes early on.
ok jsing
|
|
|
|
|
| |
that the kernel and ld.so will know not to mark it immutable. malloc
handles the read/write transitions by itself.
|
| |
|
| |
|