summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Avoid undefined behavior due to memcpy(NULL, NULL, 0)tb2020-11-251-4/+6
| | | | | | | | | This happens if name->der_len == 0. Since we already have a length check, we can malloc and memcpy inside the conditional. This also makes the code easier to read. agreement from millert ok jsing
* mapalign() only handles allocations >= a page; problem found by and ok semarie@otto2020-11-231-1/+3
|
* fix another misleading line break and indentlibressl-v3.3.0tb2020-11-201-3/+4
|
* fix confusing line break and indenttb2020-11-201-3/+4
|
* Plug leak in x509_verify_chain_dup()tb2020-11-181-2/+2
| | | | | | | | | | | | | | | x509_verify_chain_new() allocates a few members of a certificate chain: an empty stack of certificates, a list of errors encountered while validating the chain, and a list of name constraints. The function to copy a chain would allocate a new chain using x509_verify_chain_new() and then clobber its members by copies of the old chain. Fix this by replacing x509_verify_chain_new() with calloc(). Found by review while investigating the report by Hanno Zysik who found the same leak using valgrind. This is a cleaner version of my initial fix from jsing. ok jsing
* Plug a big memory leak in the new validatortb2020-11-181-1/+6
| | | | | | | | | | | | | | | | | | The legacy validator would only call x509_vfy_check_policy() once at the very end after cobbling together a chain. Therefore it didn't matter that X509_policy_check() always allocates a new tree on top of the one that might have been passed in. This is in stark contrast to other, similar APIs in this code base. The new validator calls this function several times over while building its chains. This adds up to a sizable leak in the new validator. Reported with a reproducer by Hanno Zysik on github, who also bisected this to the commit enabling the new validator. Narrowed down to x509_vfy_check_policy() by jsing. We simultaenously came up with a functionally identical fix. ok jsing
* zap ugly empty line before closing bracetb2020-11-181-2/+1
|
* Move freeing of the verify context to its natural place instead oftb2020-11-181-2/+2
| | | | | | a few lines after. stylistic nit from jsing
* KNF (whitespace)tb2020-11-184-13/+13
|
* bump to 3.3.0bcook2020-11-181-3/+3
|
* typo & punctuation in commenttb2020-11-171-3/+3
|
* Implement exporter for TLSv1.3.jsing2020-11-164-8/+121
| | | | | | | | | This implements the key material exporter for TLSv1.3, as defined in RFC8446 section 7.5. Issue reported by nmathewson on github. ok inoguchi@ tb@
* Use X509_V_OK instead of 0.jsing2020-11-161-4/+3
| | | | ok beck@ tb@
* Add back an X509_STORE_CTX error code assignment.jsing2020-11-161-2/+3
| | | | | | | | This was inadvertently removed in r1.19. Spotted by tb@ ok beck@ tb@
* Return the specific failure for a "self signed certificate" in the chainbeck2020-11-151-1/+14
| | | | | | | | | in order to be compatible with the openssl error craziness in the legacy verifier case. This will fix a regress problem noticed by znc ok tb@
* Handle additional certificate error cases in new X.509 verifier.jsing2020-11-112-12/+79
| | | | | | | | | | | | | | | | | | | | | | | With the old verifier, the verify callback can always return 1 instructing the verifier to simply continue regardless of a certificate verification failure (e.g. the certificate is expired or revoked). This would result in a chain being built, however the first error encountered would be persisted, which allows the caller to build the chain, have the verification process succeed, yet upon inspecting the error code note that the chain is not valid for some reason. Mimic this behaviour by keeping track of certificate errors while building chains - when we finish verification, find the certificate error closest to the leaf certificate and expose that via the X509_STORE_CTX. There are various corner cases that we also have to handle, like the fact that we keep an certificate error until we find the issuer, at which point we have to clear it. Issue reported by Ilya Shipitcin due to failing haproxy regression tests. With much discussion and input from beck@ and tb@! ok beck@ tb@
* Implement auto chain for the TLSv1.3 server.jsing2020-11-111-1/+23
| | | | | | | | | Apparently OpenLDAP relies on this craziness to provide intermediates, rather than specifying the chain directly like a normal TLS server would. Issue noted by sthen@ and Bernard Spil, who both also tested this diff. ok tb@
* Use size_t for key_block_len.jsing2020-11-112-9/+7
| | | | | | | This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here. ok inoguchi@ tb@
* Update getentropy on Windows to use Cryptography Next Generation (CNG).bcook2020-11-111-18/+9
| | | | | wincrypt is deprecated and no longer works with newer Windows environments, such as in Windows Store apps.
* Fix bad indent.jsing2020-11-031-7/+6
|
* Only check BIO_should_read() on read and BIO_should_write() on write.jsing2020-11-031-5/+1
| | | | | | | | | | | | | | | | | | The TLSv1.3 code that drives a BIO currently checks BIO_should_read() after BIO_write() and BIO_should_write() after BIO_read(), which was modelled on SSL_get_error(). However, there are certain cases where this can confuse the caller - primarily where the same BIO is being used for both read and write and the caller is manipulating the retry flags. SSL_get_error() tends avoids this issue by relying on another layer of state tracking. Unfortunately haproxy hits this situation - it has its own BIO_METHOD, the same BIO is used for both read and write and it manipulates the retry flags - resulting in it stalling. Issued noted by Thorsten Lockert <tholo@tzecmaun.org> ok beck@ tb@
* Hook X509_STORE_CTX get_issuer() callback from new X509 verifier.jsing2020-11-031-3/+17
| | | | | | | | | | | If we fail to find a parent certificate from either the supplied roots or intermediates and we have a X509_STORE_CTX, call its get_issuer() callback to see if it can supply a suitable certificate. This makes things like certificates by directory (aka by_dir) work correctly. Issue noted by Uwe Werler <uwe@werler.is> ok beck@ tb@
* typo: ASN1_parse_time -> ASN1_time_parsetb2020-11-021-3/+3
|
* Add a safety net to ensure that we set an error on the store context.tb2020-10-261-1/+3
| | | | Suggested by and discussed with beck
* If x509_verify() fails, ensure that the error is also set on the storetb2020-10-261-10/+15
| | | | | | | context. This is what is returned in SSL_get_verify_result(). Spotted and initial diff from jeremy; discussed with jsing ok beck
* Make sure that x509_vfy_check_id() failure also sets ctx->error, not onlytb2020-10-261-3/+8
| | | | | | ctx->xsc->error. Will be needed in an upcoming diff. from beck
* Stop documenting some functions as macros.tb2020-10-213-19/+7
| | | | | | | In x509.h r1.70 (2018/08/24) I turned some macros into actual functions to follow what OpenSSL is doing since 1.1.0. The documentation still claims that they are implemented as macros. Update a doc sync commit hash while there.
* Unbreak DTLS retransmissions for flights that include a CCS.jsing2020-10-151-7/+8
| | | | | | | | | | When retransmitting a flight that includes a CCS, the record protection from the previous epoch has to be used to send the messages up to and including the CCS, with messages after the CCS using record protection from the current epoch. The code that restores the record protection state failed to work correctly with the new TLSv1.2 record layer. ok tb@
* zap annoying stray spacestb2020-10-151-4/+4
|
* Replace SSL_IS_DTLS with SSL_is_dtls().jsing2020-10-1411-96/+92
| | | | | | Garbage collect the now unused SSL_IS_DTLS macro. ok tb@
* Provide SSL_is_dtls().jsing2020-10-142-2/+11
| | | | | | | For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the next library bump. ok tb@
* Mark DTLS methods as DTLS.jsing2020-10-142-3/+10
| | | | | | | | Rather than inferring DTLS from the method version, add a field that marks a method as specifically being DTLS. Have SSL_IS_DTLS condition on this rather than on version. ok tb@
* make fixed-sized fixed-value mib[] arrays be constderaadt2020-10-123-12/+7
| | | | ok guenther tb millert
* drop references to the SSL protocol because support was removed long ago;schwarze2020-10-121-6/+6
| | | | suggested by tb@
* List and describe the recommended methods first and relegate theschwarze2020-10-121-27/+26
| | | | | | deprecated methods to a separate table. Simplify and shorten the surrounding verbiage. Joint work with tb@.
* In ssl_methods.c rev. 1.18, jsing@ deprecated *_server_method(3)schwarze2020-10-111-11/+18
| | | | | | | and *_client_method(3). Adjust the documentation. While here, delete most of the verbiage regarding the deprecated functions SSLv23_*(3) and add the missing entry to RETURN VALUES. OK tb@
* SSL3_ENC_METHOD is just a flag word; merge it into SSL_METHOD_INTERNALguenther2020-10-115-42/+28
| | | | | | | with #defines for the per-version initializers instead of extern globals. Add SSL_USE_SHA256_PRF() to complete the abstraction. ok tb@ jsing@
* Fix an assert conditioned on DTLS1_VERSION.jsing2020-10-111-9/+4
| | | | | | | | This condition previously existed for DTLS BAD_VER, which has long been removed. Furthermore, conditioning on DTLS1_VERSION means this is broken for any newer DTLS version. While here roll up two assertions into one. ok tb@
* Grow init_buf before stashing a handshake message for the legacy stack.jsing2020-10-111-1/+3
| | | | | | | | | | | | | When transitioning from the TLSv1.3 stack to the legacy stack, grow init_buf before stashing the handshake message. The TLSv1.3 stack has already received the handshake message (potentially from multiple TLS records) and validated its size, however the default allocation is only for a single plaintext record, which can result in the handshake message failing to fit in certain cases. Issue noted by tb@ via tlsfuzzer. ok tb@
* Make profile_name const in srtp_find_profile_by_name()tb2020-10-112-7/+5
| | | | | | | | There is no reason (and there never was any) for profile_name to be non-const, it was always just passed to strncmp(). Changing this allows removing an ugly instance of casting away const. ok guenther jsing
* Condense and simplify TLS methods.jsing2020-10-117-442/+73
| | | | | | | | | | | | | | | Historically, OpenSSL has had client and server specific methods - the only difference between these is that the .ssl_connect or .ssl_accept function pointer is set to ssl_undefined_function, with the intention of reducing code size for a statically linked binary that was only a client or server. These days the difference is minimal or non-existant in many cases and we can reduce the amount of code and complexity by having single method. Internally remove all of the client and server specific methods, simplifying code in the process. The external client/server specific API remain, however these now return the same thing as TLS_method() does. ok tb@
* Constipate srtp_known_profiles, pushing it into .data.rel.roguenther2020-10-113-17/+18
| | | | ok tb@ jsing@
* Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them intoguenther2020-10-116-32/+32
| | | | | | .data.rel.ro and .rodata respectively. ok tb@ jsing@
* Fix leak or double free with OCSP_request_add0_id()tb2020-10-091-8/+9
| | | | | | | | | | | | | | | | | On success, OCSP_request_add0_id() transfers ownership of cid to either 'one' or 'req' depending on whether the latter is NULL or not. On failure, the caller can't tell whether OCSP_ONEREQ_new() failed (in which case cid needs to be freed) or whether it was a failure to allocate memory in sk_insert() (in which case cid must not be freed). The caller is thus faced with the choice of leaving either a leak or a potential double free. Fix this by transferring ownership only at the end of the function. Found while reviewing an upcoming diff by beck. ok jsing
* As noted by tb@ previous commit only removed an unused fucntion.otto2020-10-091-4/+9
| | | | | So redo previous commit properly: Use random value for canary bytes; ok tb@.
* A void function has no return value, so zap RETURN VALUES sectiontb2020-10-081-5/+2
| | | | | documenting that SSL_set_bio(3) cannot fail. A similar commit was made by schwarze a while ago for a few functions in libcrypto.
* grammar fix: if/when a renegotiation takeS placetb2020-10-082-6/+6
|
* fix line wrappingtb2020-10-071-3/+2
|
* Mop up various things that are now unused with the new record layer.jsing2020-10-073-32/+6
| | | | ok inoguchi@ tb@
* Include a TLS record header when switching to the legacy stack.jsing2020-10-071-9/+27
| | | | | | | | | | | | | | | | | | | | | | | | | When switching to the legacy TLS stack we previously copied any remaining handshake messages into the receive buffer, but do not include any TLS record header (largely due to the fact that we've already processed part of the TLS record that we actually received - that part is placed into the init_buf). This worked fine with the old record layer implementation, however the new record layer expects to find the TLS record header. This means that if we switch from the new stack to the legacy stack (i.e. the remote side does not support TLSv1.3) and there is more than one handshake message in the TLS plaintext record (which Microsoft's TLS stack is known to do), we now read a TLS record of zero bytes instead of getting the correct length. Fix this by generating a pseudo-TLS record header when switching from the new TLS stack to the legacy stack. Found the hard way by guenther@. Thanks to tb@ for coming up with a reproducible test case and doing much of the debugging. ok inoguchi@ tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-18 10:08:16 +0000