Commit log for path root/src/lib
Each entry gives the commit message, followed by author, date, number of files changed and lines removed/added.
...
* Compare function pointers against NULL, not 0.
  Author: tb  Date: 2021-04-20  Files: 1  Lines: -3/+3
  ok jsing
* Prepare to provide EC_GROUP_{get,set}_curve(3)
  Author: tb  Date: 2021-04-20  Files: 6  Lines: -41/+51
  There are numerous functions in ec/ that exist with _GF2m and _GFp variants for no good reason. The code of both variants is the same. The EC_METHODs contain a pointer to the appropriate version. This commit hides the _GF2m and _GFp variants from internal use and provides versions that work for both curve types. These will be made public in an upcoming library bump. Similar to part of OpenSSL commit 8e3cced75fb5fee5da59ebef9605d403a999391b. ok jsing
* Remove new_sym_enc and new_aead.
  Author: jsing  Date: 2021-04-19  Files: 3  Lines: -10/+19
  These can be replaced with accessors that allow this information to be retrieved from the new record layer. ok inoguchi@ tb@
* Avoid division by zero in hybrid point encoding
  Author: tb  Date: 2021-04-19  Files: 1  Lines: -17/+49
  In hybrid and compressed point encodings, the form octet contains a bit of information allowing one to calculate y from x. For a point on a binary curve, this bit is zero if x is zero, otherwise it must match the rightmost bit of the field element y / x. The existing code only considers the second possibility. It could thus fail with a division by zero error as found by Guido Vranken's cryptofuzz. This commit adds a few explanatory comments to oct2point and fixes some KNF issues. The only actual code change is in the last hunk which adds a BN_is_zero(x) check to avoid the division by zero. ok jsing
* Move new_mac_secret_size into the TLSv1.2 handshake struct.
  Author: jsing  Date: 2021-04-19  Files: 2  Lines: -5/+7
  Drop the 'new_' prefix in the process. ok inoguchi@ tb@
* Move reuse_message, message_type, message_size and cert_verify into the
  Author: jsing  Date: 2021-04-19  Files: 6  Lines: -59/+62
  TLSv1.2 handshake struct. ok inoguchi@ tb@
* Set alpn_selected_len to zero when freeing alpn_selected.
  Author: jsing  Date: 2021-04-19  Files: 1  Lines: -1/+2
  This is not strictly necessary since we proceed to zero the entire struct, however it keeps the code consistent and easily auditable. ok tb@
* mention DTLS1_2_VERSION
  Author: tb  Date: 2021-04-15  Files: 1  Lines: -3/+4
* Mention DTLS1_2_VERSION here, too
  Author: tb  Date: 2021-04-15  Files: 1  Lines: -6/+8
* Document SSL_OP_NO_DTLSv1{,_2}
  Author: tb  Date: 2021-04-15  Files: 1  Lines: -2/+15
* Document DTLSv1_2_{,client_,server_}method(3)
  Author: tb  Date: 2021-04-15  Files: 1  Lines: -4/+36
* Merge documentation for SSL_is_dtls() from OpenSSL
  Author: tb  Date: 2021-04-15  Files: 1  Lines: -5/+21
* Switch back to the legacy verifier for the release.
  Author: tb  Date: 2021-04-15  Files: 1  Lines: -2/+2
  This is disappointing as a lot of work was put into the new verifier during this cycle. However, there are still too many known bugs and incompatibilities. It is better to be faced with known broken behavior than with new broken behavior and to switch now rather than via errata. This way we have another cycle to iron out the kinks and to fix some of the remaining bugs. ok jsing
* Update a stale comment and fix a typo.
  Author: tb  Date: 2021-04-11  Files: 1  Lines: -3/+3
* An extra internal consistency check and a missing stats adjustment. ok tb@
  Author: otto  Date: 2021-04-09  Files: 1  Lines: -1/+4
* Cache implementation has changed, we do not hold on to an exact number
  Author: otto  Date: 2021-04-09  Files: 1  Lines: -3/+4
  of pages anymore, but also cache larger regions; ok tb@
* Avoid clobbering the error code when sending an alert
  Author: tb  Date: 2021-04-07  Files: 1  Lines: -2/+3
  In order to fail gracefully on encountering a self-signed cert, curl looks at the top-most error on the stack and needs specific SSL_R_ error codes. This mechanism was broken when the tls13_alert_sent_cb() was added after people complained about unhelpful unknown errors. Fix this by only setting the error code from a fatal alert if no error has been set previously. Issue reported by Christopher Reid. ok jsing
* Don't leak param->name in x509_verify_param_zero()
  Author: tb  Date: 2021-04-05  Files: 1  Lines: -1/+2
  For dynamically allocated verify parameters, param->name is only ever set in X509_VERIFY_set1_name() where the old one is freed and the new one is assigned via strdup(). Setting it to NULL without freeing it beforehand is a leak. looks correct to millert, ok inoguchi
* Update for DTLSv1.2 support.
  Author: tb  Date: 2021-03-31  Files: 1  Lines: -2/+4
* Bump minors after symbol addition
  Author: tb  Date: 2021-03-31  Files: 3  Lines: -3/+3
* Expose various DTLSv1.2 specific functions and defines
  Author: tb  Date: 2021-03-31  Files: 5  Lines: -27/+8
  ok bcook inoguchi jsing
* Document SSL_set_hostflags(3) and SSL_get0_peername(3)
  Author: tb  Date: 2021-03-31  Files: 1  Lines: -18/+4
  ok bcook inoguchi jsing
* Expose SSL_set_hostflags(3) and SSL_get0_peername(3)
  Author: tb  Date: 2021-03-31  Files: 2  Lines: -3/+3
  ok bcook inoguchi jsing
* Document SSL_use_certificate_chain_file(3)
  Author: tb  Date: 2021-03-31  Files: 1  Lines: -11/+3
  ok bcook inoguchi jsing
* Expose SSL_use_certificate_chain_file(3)
  Author: tb  Date: 2021-03-31  Files: 2  Lines: -3/+2
  ok bcook inoguchi jsing
* Provide missing prototype for d2i_DSAPrivateKey_fp(3)
  Author: tb  Date: 2021-03-31  Files: 1  Lines: -1/+2
  ok bcook inoguchi jsing
* Document EVP_PKEY_new_CMAC_key(3)
  Author: tb  Date: 2021-03-31  Files: 1  Lines: -16/+4
  ok bcook inoguchi jsing
* Provide EVP_PKEY_new_CMAC_key(3)
  Author: tb  Date: 2021-03-31  Files: 2  Lines: -5/+2
  ok bcook inoguchi jsing
* whitespace nits
  Author: tb  Date: 2021-03-29  Files: 1  Lines: -4/+4
* Prepare documenting EVP_PKEY_new_CMAC_key(3)
  Author: tb  Date: 2021-03-29  Files: 1  Lines: -2/+54
  Based on some text in OpenSSL 1.1.1's EVP_PKEY_new.pod.
* Remove pointless assignment in SSL_get0_alpn_selected().
  Author: jsing  Date: 2021-03-29  Files: 1  Lines: -4/+1
  ok tb@
* Avoid transcript initialisation when sending a TLS HelloRequest.
  Author: jsing  Date: 2021-03-29  Files: 1  Lines: -4/+6
  When server side renegotiation is triggered, the TLSv1.2 state machine sends a HelloRequest before going to ST_SW_FLUSH and ST_OK. In this case we do not need the transcript and currently hit the sanity check in ST_OK that ensures the transcript has been freed, breaking server initiated renegotiation. We do however need the transcript in the DTLS case. ok tb@
* Move finished and peer finished to the handshake struct.
  Author: jsing  Date: 2021-03-29  Files: 7  Lines: -44/+44
  This moves the finish_md and peer_finish_md from the 'tmp' struct to the handshake struct, renaming to finished and peer_finished in the process. This also allows the remaining S3I(s) references to be removed from the TLSv1.3 client and server. ok inoguchi@ tb@
* Move the TLSv1.2 record number increment into the new record layer.
  Author: jsing  Date: 2021-03-29  Files: 3  Lines: -19/+44
  This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs. ok inoguchi@ tb@
* Prepare to provide EVP_PKEY_new_CMAC_key()
  Author: tb  Date: 2021-03-29  Files: 4  Lines: -20/+84
  sebastia ran into this when attempting to update security/hcxtools. This will be tested via wycheproof.go once the symbol is public. ok jsing, tested by sebastia
* Garbage collect s->internal->type
  Author: tb  Date: 2021-03-27  Files: 6  Lines: -18/+9
  This variable is used in the legacy stack to decide whether we are a server or a client. That's what s->server is for... The new TLSv1.3 stack failed to set s->internal->type, which resulted in hilarious mishandling of previous_{client,server}_finished. Indeed, both client and server would first store the client's verify_data in previous_server_finished and later overwrite it with the server's verify_data. Consequently, renegotiation has been completely broken for more than a year. In fact, server side renegotiation was broken during the 6.5 release cycle. Clearly, no-one uses this. This commit fixes client side renegotiation and restores the previous behavior of SSL_get_client_CA_list(). Server side renegotiation will be fixed in a later commit. ok jsing
* Avoid mangled output in BIO_debug_callback
  Author: tb  Date: 2021-03-25  Files: 1  Lines: -4/+12
  Instead of blindly skipping 14 characters, we can use the return value of snprintf() to determine how much we should skip. From Martin Vahlensieck with minor tweaks by me
* Rename new_cipher to cipher.
  Author: jsing  Date: 2021-03-24  Files: 11  Lines: -64/+64
  This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data. ok inoguchi@ tb@
* Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
  Author: jsing  Date: 2021-03-24  Files: 5  Lines: -40/+48
  Move TLSv1.2 specific components over from SSL_HANDSHAKE. ok inoguchi@ tb@
* OCSP_basic_verify() doesn't set errno, so use tls_set_errorx()
  Author: tb  Date: 2021-03-23  Files: 1  Lines: -2/+2
  ok inoguchi
* Fully initialize rrec in tls12_record_layer_open_record_protected
  Author: tb  Date: 2021-03-21  Files: 1  Lines: -1/+2
  The CBC code path initializes rrec.padding_length in an indirect fashion and later makes use of it for copying the MAC. This is confusing some static analyzers as well as people investigating the whining. Avoid this confusion and add a bit of robustness by clearing the stack variable up front. ok jsing
* Move the TLSv1.3 handshake struct inside the shared handshake struct.
  Author: jsing  Date: 2021-03-21  Files: 9  Lines: -226/+227
  There are currently three different handshake structs that are in use - the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct (as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous 'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp). This is the first step towards cleaning up the handshake structs so that shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2 and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code to access the shared handshake data without needing the SSL struct. ok inoguchi@ tb@
* Split TLSv1.3 record protection from record layer.
  Author: jsing  Date: 2021-03-21  Files: 1  Lines: -46/+72
  This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while it is not currently necessary from a functionality perspective, it makes for more readable and simpler code. ok inoguchi@ tb@
* Avoid a use-after-scope in tls13_cert_add().
  Author: jsing  Date: 2021-03-21  Files: 1  Lines: -4/+3
  A parent CBB retains a reference to a child CBB until CBB_flush() or CBB_cleanup() is called. As such, the cert_exts CBB must be at function scope. Reported by Ilya Shipitsin. ok tb@
* Prepare documenting SSL_use_certificate_chain_file
  Author: tb  Date: 2021-03-19  Files: 1  Lines: -2/+19
* Undo previous. As pointed out by jsing I clearly wasn't fully awake...
  Author: tb  Date: 2021-03-19  Files: 1  Lines: -2/+2
* Prepare to provide SSL_use_certificate_chain_file()
  Author: tb  Date: 2021-03-19  Files: 2  Lines: -15/+40
  This is the same as SSL_CTX_use_certificate_chain_file() but for an SSL object instead of an SSL_CTX object. remi found this in a recent librelp update, so we need to provide it. The function will be exposed in an upcoming library bump. ok inoguchi on an earlier version, input/ok jsing
* Fix copy-paste error in previous
  Author: tb  Date: 2021-03-19  Files: 1  Lines: -2/+2
  Found the hard way by lists y42 org via an OCSP validation failure that in turn caused pkg_add over TLS to fail. Detailed report by sthen. ok sthen
* Type-cast getpagesize() from int to size_t for the comparison with d.
  Author: claudio  Date: 2021-03-18  Files: 1  Lines: -2/+2
  getpagesize() will only return positive numbers (there is no negative page size system) and it can not fail. Should fix some compiler warnings seen in -portable projects. OK otto@
* fix whitespace nit in previous
  Author: tb  Date: 2021-03-17  Files: 1  Lines: -2/+2