| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().
Similar checks were introduced in OpenSSL 86a90dc7
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.
ok jsing
|
| |
|
|
|
|
|
|
| |
Change alpn_client_proto_list and alpn_selected from unsigned char *
to uint8_t and change alpn_client_proto_list_len to be a size_t instead
of an unsigned int.
ok jsing
|
| |
|
|
|
|
|
|
| |
The ALPN extension must contain a non-empty list of protocol names.
Split a check of this out of tlsext_alpn_server_parse() so that it
can be reused elsewhere in the library.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
There is no way that tls_buffer_set_data() can currently work in
conjunction with tls_buffer_expand(). This fact is currently hidden by the
way that PHH works, which reads the same data from the record layer (which
it needs to do anyway, since we may not have all of the handshake message
in a single record).
Since this is broken, mop it up and change the PHH callback to not provide
the record data.
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
The existing code updates the correct secret, however then sets it for the
wrong direction. Fix this, while untangling the code and consistenly using
'read' and 'write' rather than 'local' and 'peer'.
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
Ciphers using an MD5 HMAC are not allowed on security levels >= 1 and
using a SHA-1 HMAC is disallowed on security levels >= 4. This disables
RC4-MD5 by default.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Since there is nothing randomized in bn_is_prime_bpsw(), the concept
of rounds makes no sense. Apply a minimal change for now that avoids
expensive loops that won't change the outcome in case we found a
probable prime.
ok jsing
|
| |
|
|
| |
OK tb
|
| |
|
|
|
|
|
|
|
| |
Based on OpenSSL commit f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2
"Added support for ESSCertIDv2".
This makes TS validation work in the new security/libdigidocpp port.
Input OK tb
|
| |
|
|
|
|
| |
This is required by RFC 9001.
ok tb@
|
| |
|
|
|
|
|
|
| |
struct tls13_ctx already knows about SSL's and this way tls13_ctx_new() can
set up various pointers, rather than duplicating this in
tls13_legacy_accept() and tls13_legacy_connect().
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove duplicate U16 length prefix, since tlsext_build() already adds this
for us. Condition on SSL_is_quic() rather than TLS version - RFC 9001 is
clear that this extension is only permitted on QUIC transport and an
fatal unsupported extension alert is required if used elsewhere.
Additionally, at the point where extensions are parsed, we do not
necessarily know what TLS version has been negotiated.
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.
ok beck@ tb@
|
| |
|
|
|
|
|
| |
Per RFC 9001, TLSEXT_TYPE_quic_transport_parameters may only appear in
ClientHello and EncryptedExtensions (not ServerHello).
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
Use the correct value for TLSEXT_TYPE_quic_transport_parameters according
to RFC 9001 section 8.2. Also move the define under LIBRESSL_HAS_QUIC to
avoid things finding it prematurely.
ok beck@ tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
Copy existing ESSCertID macros and s/_ID/&_V2/g.
Guard the new code under LIBRESSL_INTERNAL to defer visibility.
OK tb
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Guard the new code under LIBRESSL_INTERNAL to defer symbol addition and
minor library bump (thanks tb).
ts/ts.h bits from
RFC 5035 Enhanced Security Services (ESS) Update:
Adding CertID Algorithm Agility
ts/ts_asn1.c bits expanded from
ASN1_SEQUENCE(ESS_CERT_ID_V2) = {
ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR),
ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING),
ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL)
} static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2)
IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2)
IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2)
ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = {
ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2),
ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO)
} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2)
IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2)
IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
Feedback OK tb
|
| |
|
|
|
|
| |
https://oidref.com/1.2.840.113549.1.9.16.2.47
OK tb
|
| |
|
|
|
|
|
| |
Cherry-picked from OpenSSL commit a8d8e06b0ac06c421fd11cc1772126dcb98f79ae.
This reduces upcoming TS changes.
OK jsing tb
|
| |
|
|
|
|
| |
It's defined again (more appropiately) further down above the error codes.
OK jsing tb
|
| | |
|
| | |
|
| |
|
|
| |
the code in bn_isqrt.c.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Document it from scratch.
While here, merge a few details from the OpenSSL 1.1.1 branch, which
is still under a free license, into the documentation of DSA_size(3).
|
| |
|
|
|
|
| |
and X509_VERIFY_PARAM_set_auth_level(3). Document them.
For the latter, i included a few sentences from the OpenSSL 1.1.1
branch, which is still under a free license.
|
| | |
|
| |
|
|
|
|
|
| |
Or should we call it a centipede?
Feedback and OK on a previous version from jsing@
and from our chief myriapodologist, tb@.
|
| |
|
|
|
|
|
|
|
| |
Avoid undefined behaviour/integer overflow by casting an int64_t to
uint64_t before negating.
Fixes oss-fuzz #49043
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
EVP_PKEY_param_check(3), and EVP_PKEY_security_bits(3) from scratch.
Move the documentation of EVP_PKEY_size(3) and EVP_PKEY_bits(3)
to the new manual page EVP_PKEY_size(3).
Merge the documentation of the related function pointers
from the OpenSSL 1.1.1 branch, which is still under a free license.
OK tb@ on the new page EVP_PKEY_size(3).
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
| |
tb@ recently added these functions to libcrypto
and also provided feedback on my first draft of this page.
|
| |
|
|
|
|
|
|
| |
We do not intend to make this a compile-time option.
Reminded by schwarze who asked about it
ok jsing
|
| |
|
|
|
|
|
|
|
| |
provided the new public function DH_check_pub_key(3) in <openssl/dh.h>.
Sorry for being a bit tardy in documenting the new function.
Then again, OpenSSL doesn't document it either, yet.
While here, drop a HISTORY entry about a constant that
was renamed in OpenSSL 0.9.5. That's no longer relevant.
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It has long been known that pure Miller-Rabin primality tests are
insufficient. "Prime and Prejudice: Primality Testing Under Adversarial
Conditions" https://eprint.iacr.org/2018/749 points out severe flaws
in many widely used libraries. In particular, they exhibited a method to
generate 2048-bit composites that bypass the default OpenSSL (and hence
LibreSSL) primality test with a probability of 1/16 (!).
As a remedy, the authors recommend switching to using BPSW wherever
possible. This possibility has always been there, but someone had to
sit down and actually implement a properly licensed piece of code.
Fortunately, espie suggested to Martin Grenouilloux to do precisely this
after asking us whether we would be interested. Of course we were!
After a good first implementation from Martin and a lot of back and
forth, we came up with the present version.
This implementation is ~50% slower than the current default Miller-Rabin
test, but that is a small price to pay given the improvements.
Thanks to Martin Grenouilloux <martin.grenouilloux () lse ! epita ! fr>
for this awesome work, to espie without whom it wouldn't have happened,
and to djm for pointing us at this problem a long time back.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds an implementation of the integer square root using a variant
of Newton's method with adaptive precision. The implementation is based
on a pure Python description of cpython's math.isqrt(). This algorithm
is proven to be correct with a tricky but very neat loop invariant:
https://github.com/mdickinson/snippets/blob/master/proofs/isqrt/src/isqrt.lean
Using this algorithm instead of Newton method, implement Algorithm 1.7.3
(square test) from H. Cohen, "A course in computational algebraic number
theory" to detect perfect squares.
ok jsing
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
