| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
three tests that fail due to a BIO_gets() bug.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
shares. Previously we would fail and just close the pipe.
Fixes the remaining failing test-dhe-rsa-key-exchange-with-bad-messages.py
tests of tlsfuzzer.
ok beck (earlier version) jsing
|
| |
|
|
|
|
|
|
|
|
| |
the record layer that don't do I/O themselves. Use this mechanism
to send a record overflow alert for messages that have overlong
plaintext or inner plaintext.
Fixes most of the remaining record-layer-limits failures of tlsfuzzer.
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
Replace the only occurrence of ssl_max_server_version() with a call
to ssl_downgrade_max_version() and remove ssl_max_server_version().
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, when building a certificate chain we look up an issuer and if
it is the only issuer certificate available we still use it even if it has
expired. When X509_V_FLAG_TRUSTED_FIRST is not in use, untrusted
certificates are processed first and if one of these happens to be expired
it will be used to build the chain, even if there is another non-expired
option in the trusted store.
Rework this code so that we first look for a non-expired untrusted
certificate. If one does not exist then we take a look in the trusted
store to see if we would be able to build the chain and only if there is
not, do we then look for an expired untrusted certificate.
This makes certificate validation possible for various sites that are
serving expired AddTrust certificates.
Issue reported by Christian Heimes via GitHub.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
Previously only the enabled protocol versions were considered, however we
also have to consider the method in use which may be version pinned.
Found the hard way by danj@ with haproxy and force-tlsv12.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
| |
Issue reported with initial patch by enh@google.com.
ok deraadt@
|
| |
|
|
|
|
|
|
|
| |
This allows an EC certificate to be selected and used, if the client
sigalgs would allow it.
With feedback from tb@
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.
ok tb@
|
| |
|
|
|
|
|
|
| |
This makes SNI work correctly with TLSv1.3.
Found the hard way by danj@, gonzalo@ and others.
ok beck@ inoguchi@ tb@
|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| | |
|
| |
|
|
| |
OK martijn@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The bug, present since 4.4BSD, was that a trailing dash in an option
group, when the dash is not permitted as an option letter, resulted
in the whole option group being returned as an argument, even though
the previous option in the group was already parsed as an option:
OPTS=abc ./getopt-test -a- -c arg ===>> OPT(a)ARG(-a-)ARG(-c)ARG(arg).
Instead, treat the dash as an invalid option and continue parsing
options: ===>> OPT(a)ERR(?-)OPT(c)ARG(arg).
The undesirable behaviour was that allowing the dash as an option
letter only allowed isolated dashes ("-") and trailing dashes in
groups ("-a-"), but neither middle dashes in groups ("-a-b"), even
though that already partially worked in 4.4BSD, nor leading dashes
in groups ("--a"), even though that works on all other BSDs and on
glibc. Also, while POSIX does not require that the dash can be
used as an option letter at all, arguably, it encourages that letters
either be fully supported or not supported at all. It is dubious
whether supporting an option letter in some positions but not in
others can be considered conforming.
This patch makes OpenBSD behaviour identical to FreeBSD and NetBSD,
improves compatibility with glibc (except that glibc does not support
isolated "-"), improves compatibility with DragonFly (except that
DragonFly is buggy when the dash option letter can take an optional
argument but that argument is not present), improves compatibility
with Illumos and Solaris 11 (except those do not support "-" and
mishandle "--a"), and restores 4.4BSD behaviour for "-a-b". In no
respect i'm aware of is compatibility with any other systems reduced.
For the full rationale, see my mail to tech@
on 30 Mar 2020 14:26:41 +0200.
Part of the problem was originally reported by an anonymous coward
on tech@ on 12 Mar 2020 03:40:24 +0200, additional analysis was
contributed by martijn@, and then the OP sent the final version of
the patch i'm now committing on 17 Mar 2020 19:17:56 +0200.
No licensing problem here because after the commit, the file does
not contain a single word written by the OP. Also, the OP told me
in private mail that he intends to publish the patch under the ISC
license already contained in the file and that he wishes to be known
by the pseudonym "0xef967c36".
OK martijn@, and no objection when shown on tech@,
but commit delayed to stay clear of the release.
|
| |
|
|
| |
tweak and OK tb@
|
| |
|
|
|
| |
remove references to the SSL protocol which is no longer supported
and use .Xr rather than .Fn for functions documented elsewhere
|
| |
|
|
| |
Reminded by and ok beck@
|
| | |
|
| |
|
|
| |
ok jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
No comment when shown around among LibreSSL devs
except "very very strange function" from beck@
and "cannot say much about it" from tb@.
If needed, this can be further polished in the tree,
review is still welcome.
|
| |
|
|
| |
Suggested by bluhm@, OK beck@ tb@.
|
| |
|
|
|
|
|
| |
the test to fail. Neuter it for now and just assume we do TLSv1.3.
I have been intending to purge this version detection hack once I'm
sure we can leave the 1.3 server enabled but I'll leave it here for
now.
|
| | |
|
| |
|
|
|
|
|
| |
Correct SNI alerts to differentiate between illegal parameter
and an unknown name.
ok tb@`
|
| |
|
|
|
|
|
|
| |
callback, so its mode is not used to update the ssl's mode, it
seems more appropriate to clear the SSL_MODE_AUTO_RETRY flag on
it as well.
ok jsing
|
| |
|
|
|
|
|
| |
default. To avoid hanging on a blocking read, we need to clear the
SSL_MODE_AUTO_RETRY flag in the s_client and the s_server.
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.
However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.
Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.
Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.
ok beck@ inoguchi@ tb@
|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
In TLSv1.3 post-handshake handshake messages are used for key updates and
session tickets. These are in-band and mean that when the upper layer goes
to read application data, we can end up reading and having to process
handshake messages - this option changes whether we retry and read the
next TLS record, or if we return, signalling that we want more data to
be available.
ok beck@ inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
It can be triggered by sending a line to stdin while no connection
is open and then connecting a client. The first SSL_write() fails,
sends SSL_ERROR_WANT_* and then causes a segfault deep down in the
tls stack when accessing &(buf[-1]).
ok beck inoguchi
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
implies that we're dealing with a HRR in the extension handling code.
Explicitly check that we're in this situation by inspecting the flag in
the handshake context. Add missing error checks and send the appropriate
alerts. The hrr flag needs to be unset after parsing the client hello
retry to avoid breaking the server hello handling. All this is far from
ideal, but better than nothing.
The correct fix would likely be to make the message type available
but that would need to be part of a more extensive rearchitecture of
the extension handling.
Discussed at length with jsing
|
| |
|
|
|
|
| |
(gurn) copies getsockname() retrieves a truncated result and 14 bytes of
stack garbage get copied onwards.
ok tb
|
| |
|
|
|
|
|
|
|
|
|
|
| |
for the moment that is all we support. fixes an issue where gnuTLS
cares that mistmatching staples come back on the certs in the chain.
This should be fixed correctly later by associating the staple
to the individual certs rather than the ssl, so this is temporary.
running on www@.
ok tb@, "got that's oopy but an interim ok" jsing@
|
| |
|
|
|
|
| |
unindent a bunch of code.
Suggested by jsing
|
| |
|
|
|
|
| |
Prompted by tb@
ok tb@
|
| |
|
|
|
|
| |
respectively.
Discussed with jsing
|
| |
|
|
|
|
|
|
|
| |
in the following tls13_handshake_msg_start() call. Add a check.
Stop clobbering the ctx's hs_msg variable, use a local variable
instead.
ok beck jsing
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Without this, when SNI is in use the second ClientHello will result in an
error.
Found the hard way by sthen@.
ok sthen@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This currently runs 54 tests from the tlsfuzzer suite against
the TLSv1.3 server which exercise a large portion of the code.
They already found a number of bugs and misbehaviors and also
inspired a few diffs currently in the pipeline.
This regress requires the py3-tlsfuzzer package to be installed,
otherwise the tests are skipped. Many thanks to kmos for helping
with the ports side and to beck for his positive feedback.
ok beck
|
| |
|
|
|
|
|
|
|
|
|
| |
SSL_connect in blocking mode.
While this will probably need a rethink, until we land on a solution
for PHH in blocking mode, the breakage this causes is visible in
real things, and we've only managed to hit the PHH breakage in
a test case.
ok tb@
|
| |
|
|
| |
OK beck@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:
/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */
And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.
Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.
ok tb@
|
